Exam Professional Cloud Architect topic 1 question 91 discussion

Should be A, there is no implied deny egress but only implied allow egress https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules Every VPC network has two implied firewall rules. These rules exist, but are not shown in the Cloud Console: The implied allow egress rule: An egress rule whose action is allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any instance send traffic to any destination, except for traffic blocked by GCP. Outbound access may be restricted by a higher priority firewall rule. Internet access is allowed if no other firewall rules deny outbound traffic and if the instance has an external IP address or uses a NAT instance. Refer to Internet access requirements for more details. The implied deny ingress rule: An ingress rule whose action is deny, source is 0.0.0.0/0, and priority is the lowest possible (65535) protects all instances by blocking incoming traffic to them. Incoming access may be allowed by a higher priority rule. Note that the default network includes some additional rules that override this one, allowing certain types of incoming traffic.

Agree Correct is A. There is no implied deny egress only deny ingress rule

B. Create an egress rule with priority 100 to deny all traffic for all instances. Create another egress rule with priority 1000 to allow the Active Directory traffic for all instances. This option creates a deny all rule with a lower priority and an allow rule with a higher priority. This option will work as intended, as the Active Directory traffic will be allowed and all other outbound traffic will be blocked.

The answer to this question is A. Explanation: To enforce the requirement that all Compute Engine instances in your VPC should be able to connect to an Active Directory server on specific ports while blocking any other traffic emerging from instances, the following two egress rules should be created: Create an egress rule with priority 1000 to deny all traffic for all instances. Create another egress rule with priority 100 to allow the Active Directory traffic for all instances. In this configuration, the rule that allows the AD traffic has a lower priority number than the rule that denies all other traffic. Therefore, this rule should be evaluated first.

It should be A. It cannot be D as The Implied allow egress rule, with its action of “allow”, allows all traffic out to the 0.0. 0.0/0 destination, which basically means everywhere. The priority of the implied allow egress rule is the lowest possible, 65535. The implied deny ingress rule, with an action of “deny”, blocks all incoming connections.

The correct answer is B. To enforce that all Compute Engine instances in a VPC can connect to an Active Directory server on specific ports while blocking any other traffic, you should create an egress rule with a high priority (lower numerical value) to deny all traffic from all instances, and another egress rule with a lower priority (higher numerical value) to allow traffic to the Active Directory server on the specific ports. Option B creates the necessary egress rules in the correct order: a deny-all rule with a high priority (100), followed by an allow rule for the Active Directory traffic with a lower priority (1000). This way, traffic to the Active Directory server is allowed, but all other traffic is denied.

A is ok

It is pretty straight forward question, It this case priority low should be allow and high priority rules deny all requests. A is right

https://cloud.google.com/vpc/docs/firewalls#priority_order_for_firewall_rules

06/30/2022 Exam question.

OT: why is there no way to mark questions for review/repeat later on?

Go for A. While the priority is higher, the egress rule is more restricted. While the priority is higher, the ingress rule is more free.

A is correct answer

to understand rules priority: https://cloud.google.com/vpc/docs/firewalls#priority_order_for_firewall_rules

Vote A

A – create an egress rule with priority 1000 to deny all traffic for all instances. Create another egress rule with priority 100 to allow the Active Directory traffic for all instances. Default Firewall rules (aka implied rules) are following: 1) Egress traffic is allowed to all IP/ports. 2) Ingress traffic is disabled completely. Both these rules have lowest priority (65535) and cannot be removed. https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules

A. Create an egress rule with priority 1000 to deny all traffic for all instances. Create another egress rule with priority 100 to allow the Active Directory traffic for all instances.