Exam Professional Cloud Network Engineer topic 1 question 23 discussion

Actual exam question from Google's Professional Cloud Network Engineer
Question #: 23
Topic #: 1

You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet. When you review the flow and firewall logs, you do not see any denied traffic listed.
During troubleshooting you find:
• Flow logs are enabled for the VPC subnet, and all firewall rules are set to log.
• The subnetwork logs are not excluded from Stackdriver.
• The instance that is hosting the application can communicate outside the subnet.
• Other instances within the subnet can communicate outside the subnet.
• The external resource initiates communication.
What is the most likely cause of the missing log lines?

  • A. The traffic is matching the expected ingress rule.
  • B. The traffic is matching the expected egress rule.
  • C. The traffic is not matching the expected ingress rule.
  • D. The traffic is not matching the expected egress rule.
Suggested Answer: C 🗳️

Comments

Chosen Answer:
EJJ
Highly Voted 3 years, 7 months ago
C is the right answer. The traffic is not matching the expected ingress rule, thus it will fall to the IMPLICIT DENY INGRESS RULE which is never logged.
upvoted 19 times
3fd692e
Most Recent 1 month, 2 weeks ago
Selected Answer: C
C is the answer. I thought it might be D but there are two statements that indicate EGRESS is working. The final statement says that external resource initiates communication but does not say whether the communication is successful. That final statement plus the two that talk about communicating outside the subnet clearly points to an INGRESS problem.
upvoted 1 times
xhilmi
11 months, 2 weeks ago
Selected Answer: C
C. The traffic is not matching the expected ingress rule. Explanation: Ingress rules control the incoming traffic to instances. If there's a rule preventing ingress traffic to the instance hosting the application, it might not be logged as a denied traffic entry unless logging is explicitly enabled for ingress rules. Since the external resource initiates communication, the traffic would be incoming to the instance hosting the application, and the ingress rules need to allow this traffic. The fact that other instances within the subnet can communicate outside the subnet indicates that the issue is specific to the ingress rules for the instance hosting the application.
upvoted 1 times
BenMS
11 months, 2 weeks ago
Selected Answer: C
Ingress (incoming) traffic is logged if it is permitted by an ingress allow firewall rule. Ingress traffic blocked by an implicit deny firewall rule is not logged. https://cloud.google.com/vpc/docs/flow-logs#faq
upvoted 1 times
PyNerdy
11 months, 2 weeks ago
Selected Answer: C
Answer is C. The external resource initiates communication, so the traffic is coming from the outside to the inside, which should match the ingress rule. And as it is not matching the ingress rule, it is matching the implicit deny rule (which will not be logged).
upvoted 1 times
Kyle1776
1 year ago
Selected Answer: D
D is correct. The question states "application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet". Application -> Outside. That is egress traffic. GCP firewall rules are stateful, so if there is an outbound rule in place then the return traffic will be allowed.
upvoted 2 times
claudiu25
11 months, 3 weeks ago
"The external resource initiates communication." --> the traffic is coming from OUTSIDE to INSIDE ... so it will match an ingress rule.
upvoted 4 times
cacaflycloud
1 year ago
Selected Answer: C
Ingress (incoming) traffic is logged if it is permitted by an ingress allow firewall rule. Ingress traffic blocked by an ingress deny firewall rule is not logged. https://cloud.google.com/vpc/docs/flow-logs#faq
upvoted 2 times
didek1986
1 year, 3 months ago
Selected Answer: C
It is C
upvoted 1 times
Komal697
1 year, 8 months ago
Selected Answer: D
Option C is incorrect because it states that the traffic is not matching the expected ingress rule, but the question explicitly mentions that all firewall rules are set to log and there are no denied traffic listed in the logs. If the traffic was not matching the expected ingress rule, it would be denied and would appear in the logs. Therefore, option C is not the most likely cause of the missing log lines.
upvoted 1 times
pk349
1 year, 10 months ago
C: The traffic is not matching the expected ingress rule; thus, it will fall to the IMPLICIT DENY INGRESS RULE, which is never logged. No firewall logs means either it's hitting the implied 'Allow all Egress' or 'Deny All Ingress' rule. No communication means it's hitting the deny all rule.
upvoted 1 times
GCP72
2 years, 3 months ago
Selected Answer: C
It looks like C is correct to me.
upvoted 1 times
PurplePanda
2 years, 3 months ago
Selected Answer: C
No firewall logs means either it's hitting the implied 'Allow all Egress' or 'Deny All Ingress' rule. No communication means it's hitting the deny all rule.
upvoted 2 times
kumarp6
2 years, 10 months ago
Answer is : C
upvoted 3 times
desertlotus1211
2 years, 11 months ago
Answer is C: communication is initiated from outside.... Which means it is INGRESSING... VPC flow logs are enabled, too. https://cloud.google.com/vpc/docs/flow-logs 'Ingress packets are sampled after ingress firewall rules. If an ingress firewall rule denies inbound packets, those packets are not sampled by VPC Flow Logs.'
upvoted 2 times
JoeShmoe
3 years, 6 months ago
It's C. The traffic is initiated from outside the subnet. It is able to egress, so the ingress rule must be failing or is incorrect.
upvoted 2 times
KDMIndia
3 years, 6 months ago
I would go for Answer: D, as "instance that cannot communicate with a resource outside of its subnet" talks about egress traffic.
upvoted 4 times
paweu
3 years, 6 months ago
The easier version of EJJ: your traffic that is stopped by the basic deny-all rule (the default one) in the firewall is never logged anywhere. Traffic needs to hit some rule to be logged; the best way around this is to create a deny-all rule just a little higher than the default one.
upvoted 1 times
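The behaviour EJJ and paweu describe (the implied deny-ingress rule is never logged, while an explicit deny rule placed just above it with logging enabled is), as an added example that is not part of this thread and not Google's code: a small Python model of how Google Cloud evaluates VPC firewall rules for one packet and what each log source would record. It encodes the documented behaviour the thread relies on: rules are evaluated by priority (lower number first; on a tie, deny wins), every VPC carries an implied deny-all-ingress and allow-all-egress rule at priority 65535 that can never be logged, a user-defined rule writes a Firewall Rules Logging entry only if logging is enabled on it, and VPC Flow Logs sample ingress packets after ingress firewall rules but egress packets before egress firewall rules. The ruleset, network tag, addresses and rule names are constructed for illustration.

```python
"""Model of Google Cloud VPC firewall evaluation for a single packet.

Added example, not Google's code. The ruleset and addresses are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

IMPLIED_PRIORITY = 65535   # priority of the implied rules in every VPC


@dataclass
class Rule:
    name: str
    direction: str          # "INGRESS" or "EGRESS"
    action: str             # "allow" or "deny"
    priority: int           # 0..65535, lower number is evaluated first
    ranges: list            # source ranges (INGRESS) or destination ranges (EGRESS)
    protocols: set          # e.g. {"tcp"}; empty set = any protocol
    ports: set = field(default_factory=set)        # empty = any destination port
    target_tags: set = field(default_factory=set)  # empty = applies to all instances
    logging: bool = False   # --enable-logging on the rule
    implied: bool = False   # implied rules exist in every VPC and cannot log


@dataclass
class Packet:
    direction: str          # direction relative to the instance
    src: str
    dst: str
    protocol: str
    port: int               # destination port, which is what firewall rules match
    instance_tags: set = field(default_factory=set)


@dataclass
class Verdict:
    action: str
    rule: str
    firewall_logged: bool   # would Firewall Rules Logging write an entry?
    flow_logged: bool       # would VPC Flow Logs (if enabled) sample the packet?


IMPLIED_RULES = [
    Rule("implied-deny-ingress", "INGRESS", "deny", IMPLIED_PRIORITY,
         ["0.0.0.0/0"], set(), implied=True),
    Rule("implied-allow-egress", "EGRESS", "allow", IMPLIED_PRIORITY,
         ["0.0.0.0/0"], set(), implied=True),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the rule applies to this packet."""
    if rule.direction != pkt.direction:
        return False
    peer = pkt.src if pkt.direction == "INGRESS" else pkt.dst
    if not any(ip_address(peer) in ip_network(r) for r in rule.ranges):
        return False
    if rule.target_tags and not rule.target_tags & pkt.instance_tags:
        return False
    if rule.protocols and pkt.protocol not in rule.protocols:
        return False
    if rule.ports and pkt.port not in rule.ports:
        return False
    return True


def evaluate(rules: list, pkt: Packet) -> Verdict:
    """Apply the first matching rule and report what each log source sees."""
    # Lower priority number first; among equal priorities, deny beats allow.
    ordered = sorted(list(rules) + IMPLIED_RULES,
                     key=lambda r: (r.priority, r.action != "deny"))
    for rule in ordered:
        if matches(rule, pkt):
            allowed = rule.action == "allow"
            return Verdict(
                action=rule.action,
                rule=rule.name,
                firewall_logged=rule.logging and not rule.implied,
                # ingress is sampled after the ingress firewall, egress before it
                flow_logged=allowed if pkt.direction == "INGRESS" else True,
            )
    raise AssertionError("an implied rule always matches")


# Constructed scenario: the "expected" ingress rule admits only the internal
# 10.0.0.0/8 range on tcp:8080 (logging on), so an internet client never hits it.
ALLOW_APP_INTERNAL = Rule("allow-app-internal", "INGRESS", "allow", 1000,
                          ["10.0.0.0/8"], {"tcp"}, ports={8080},
                          target_tags={"app"}, logging=True)
# The workaround from the thread: an explicit deny-all ingress rule one step
# above the implied rule, with logging enabled, so silent drops become visible.
DENY_ALL_INGRESS_LOGGED = Rule("deny-all-ingress-logged", "INGRESS", "deny",
                               IMPLIED_PRIORITY - 1, ["0.0.0.0/0"], set(),
                               logging=True)

EXTERNAL_TO_APP = Packet("INGRESS", "192.0.2.10", "10.128.0.5", "tcp", 8080, {"app"})
INTERNAL_TO_APP = Packet("INGRESS", "10.20.0.7", "10.128.0.5", "tcp", 8080, {"app"})
APP_TO_EXTERNAL = Packet("EGRESS", "10.128.0.5", "192.0.2.10", "tcp", 443, {"app"})

if __name__ == "__main__":
    print("before:", evaluate([ALLOW_APP_INTERNAL], EXTERNAL_TO_APP))
    print("after: ", evaluate([ALLOW_APP_INTERNAL, DENY_ALL_INGRESS_LOGGED], EXTERNAL_TO_APP))
    print("egress:", evaluate([ALLOW_APP_INTERNAL], APP_TO_EXTERNAL))
```

Run as-is, the external packet is denied by implied-deny-ingress with nothing in either firewall logs or flow logs, which is exactly the "no denied traffic listed" symptom in the question; the instance's own egress is allowed by implied-allow-egress and is likewise absent from firewall logs even though "all firewall rules are set to log". Adding the catch-all deny at priority 65534 produces a logged deny for the same packet. The equivalent rule in a real project is created with `gcloud compute firewall-rules create deny-all-ingress-logged --network=NETWORK --direction=INGRESS --action=DENY --rules=all --source-ranges=0.0.0.0/0 --priority=65534 --enable-logging` (NETWORK is a placeholder); its entries then appear under the `compute.googleapis.com/firewall` log name. One caveat before deploying it: a logged catch-all rule records every unsolicited probe reaching the VPC, so expect log volume and cost to rise, and scope the source ranges or add an exclusion filter if that becomes a problem.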
Community vote distribution
A (35%)
C (25%)
B (20%)
Other