
Exam Professional Cloud Security Engineer topic 1 question 87 discussion

Actual exam question from Google's Professional Cloud Security Engineer
Question #: 87
Topic #: 1

You have an application where the frontend is deployed on a managed instance group in subnet A and the data layer is stored on a mysql Compute Engine virtual machine (VM) in subnet B on the same VPC. Subnet A and Subnet B hold several other Compute Engine VMs. You only want to allow the application frontend to access the data in the application's mysql instance on port 3306.
What should you do?

  • A. Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag "data-tag" that is applied to the mysql Compute Engine VM on port 3306.
  • B. Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.
  • C. Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag.
  • D. Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.
Suggested Answer: B
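To make the difference between the four options concrete, here is an added model (not part of the exam page or of Google's tooling) of how VPC firewall rules select sources and targets, run over a constructed inventory in which subnet A also holds a VM that is not part of the frontend; the VM names, IP ranges and service-account names are assumptions. It evaluates which VMs each option lets reach the MySQL VM on port 3306, and encodes the documented constraint that a single rule cannot mix network tags and service accounts.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tags: frozenset
    sa: str

# Constructed inventory (assumed names, addresses and service accounts).
VMS = [
    VM("fe-1", "10.0.1.10", frozenset({"fe-tag"}), "fe-sa"),       # frontend MIG, subnet A
    VM("fe-2", "10.0.1.11", frozenset({"fe-tag"}), "fe-sa"),
    VM("other-a", "10.0.1.50", frozenset({"fe-tag"}), "misc-sa"),  # unrelated VM in subnet A
    VM("mysql", "10.0.2.10", frozenset({"data-tag"}), "db-sa"),    # data layer, subnet B
    VM("other-b", "10.0.2.50", frozenset({"data-tag"}), "misc-sa"),
]

@dataclass(frozen=True)
class Rule:
    direction: str          # "INGRESS" or "EGRESS"
    port: int
    src_ranges: tuple = ()  # CIDR strings
    src_tags: tuple = ()
    src_sas: tuple = ()
    target_tags: tuple = ()
    target_sas: tuple = ()

    def __post_init__(self):
        # VPC firewall rules cannot combine network tags with service accounts.
        if (self.src_tags or self.target_tags) and (self.src_sas or self.target_sas):
            raise ValueError("tags and service accounts cannot be mixed in one rule")

def ingress_allows(rule, src, dst, port):
    """True if the rule admits traffic from src into dst on port."""
    if rule.direction != "INGRESS" or rule.port != port:
        return False  # an egress rule never opens an inbound path to dst
    if rule.target_tags and not (dst.tags & set(rule.target_tags)):
        return False
    if rule.target_sas and dst.sa not in rule.target_sas:
        return False
    return (any(ipaddress.ip_address(src.ip) in ipaddress.ip_network(r) for r in rule.src_ranges)
            or bool(src.tags & set(rule.src_tags)) or src.sa in rule.src_sas)

def reachable_sources(rule, dst_name="mysql", port=3306):
    """Names of VMs the rule lets through to dst_name on port; everything else is implicitly denied."""
    dst = next(v for v in VMS if v.name == dst_name)
    return sorted(v.name for v in VMS if v is not dst and ingress_allows(rule, v, dst, port))

OPTIONS = {
    "A": Rule("INGRESS", 3306, src_ranges=("10.0.1.0/24",), target_tags=("data-tag",)),
    "B": Rule("INGRESS", 3306, src_sas=("fe-sa",), target_sas=("db-sa",)),
    "C": Rule("EGRESS", 3306, src_tags=("data-tag",), target_tags=("fe-tag",)),
    "D": Rule("INGRESS", 3306, src_tags=("fe-tag",), target_tags=("data-tag",)),
}
```

Only option B excludes the non-frontend VM in subnet A; the equivalent rule with placeholder names is `gcloud compute firewall-rules create allow-fe-to-mysql --network=NETWORK --direction=INGRESS --action=ALLOW --rules=tcp:3306 --source-service-accounts=fe-sa@PROJECT.iam.gserviceaccount.com --target-service-accounts=db-sa@PROJECT.iam.gserviceaccount.com`.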

Comments

Zuy01
Highly Voted 3 years, 2 months ago
B for sure, you can check this: https://cloud.google.com/sql/docs/mysql/sql-proxy#using-a-service-account
upvoted 11 times
...
dija123
Most Recent 7 months, 1 week ago
Selected Answer: B
Agree with B
upvoted 1 times
...
Xoxoo
1 year, 1 month ago
Selected Answer: B
This approach ensures that only the application frontend can access the data in the MySQL instance, while all other Compute Engine VMs in subnet A and subnet B are restricted from accessing it. By configuring an ingress firewall rule that allows communication between the frontend's unique service account and the unique service account of the MySQL Compute Engine VM, you can ensure that only authorized users can access your MySQL instance.
upvoted 2 times
...
GCBC
1 year, 2 months ago
B. Firewall rules using service accounts are better than tags.
upvoted 2 times
...
[Removed]
1 year, 3 months ago
Selected Answer: B
"B" I believe the answer is between B and A since part of the requirement is specifying the port. B is more correct since it leverages service accounts, which is best practice for authentication/communication between application and database. Also, answer "A" allows ALL instances in the subnet to reach mysql, which is not desired. They only want the specific frontend instances to reach it, excluding other instances in the subnet. https://cloud.google.com/firewall/docs/firewalls#best_practices_for_firewall_rules
upvoted 3 times
...
AwesomeGCP
2 years ago
Selected Answer: B
B. Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.
upvoted 3 times
...
JoseMaria111
2 years, 1 month ago
B is correct. Firewall rules using service accounts are better than tag-based ones. https://cloud.google.com/vpc/docs/firewalls#best_practices_for_firewall_rules
upvoted 2 times
...
mT3
2 years, 5 months ago
Selected Answer: B
Ans : B
upvoted 4 times
...
major_querty
2 years, 11 months ago
Why is it not A? A seems straightforward. The link which Zuy01 provided for answer B states: For this reason, using a service account is the recommended method for production instances NOT running on a Compute Engine instance.
upvoted 4 times
Loved
1 year, 11 months ago
But answer A says "communication from the src IP range of subnet A"... this rule includes all the instances in subnet A, while you have to consider only the frontend.
upvoted 1 times
...
Arturo_Cloud
2 years, 1 month ago
I agree (A), it is planned to limit a MySQL server in Compute Engine (IaaS), not in Cloud SQL (PaaS), so network tags are the most common and recommended to use. Don't get confused with the services....
upvoted 2 times
...
...
DebasishLowes
3 years, 7 months ago
Ans : B
upvoted 2 times
...
dtmtor
3 years, 7 months ago
ans is B
upvoted 2 times
...
[Removed]
3 years, 12 months ago
Ans - B
upvoted 4 times
...
Rantu
4 years ago
B is correct
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other