Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud Security Engineer All Questions

View all questions & answers for the Professional Cloud Security Engineer exam
Go to Exam

Exam Professional Cloud Security Engineer topic 1 question 122 discussion

Actual exam question from Google's Professional Cloud Security Engineer
Question #: 122
Topic #: 1
[All Professional Cloud Security Engineer Questions]

Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements:
✑ Only allows communication between the Web and App tiers.
✑ Enforces consistent network security when autoscaling the Web and App tiers.
✑ Prevents Compute Engine Instance Admins from altering network traffic.
What should you do?

  • A. 1. Configure all running Web and App servers with respective network tags. 2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.
  • B. 1. Configure all running Web and App servers with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.
  • C. 1. Re-deploy the Web and App servers with instance templates configured with respective network tags. 2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.
  • D. 1. Re-deploy the Web and App servers with instance templates configured with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by KillerGoogle at May 11, 2022, 3:54 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
KillerGoogle
Highly Voted 2 years, 6 months ago
D https://cloud.google.com/vpc/docs/firewalls#service-accounts-vs-tags
upvoted 15 times
...
csrazdan
Highly Voted 1 year, 12 months ago
Selected Answer: D
The requirement can be fulfilled by both network tags and service accounts. To update both compute instances will have to be stopped. That means options A and B are out. Option C is out because Compute Engine Instance Admins can change network tags and avoid firewall rules. Deployment has to be done based on the instance template so that no configuration can be changed to divert the traffic.
upvoted 8 times
...
Sundar_Pichai
Most Recent 2 months, 4 weeks ago
Selected Answer: D
It's D because of it's use of auto-scaling. If autoscaling wasn't part of the question, then B would have been suitable. It can't be network level tags because admins can change those.
upvoted 1 times
...
Ric350
1 year, 8 months ago
Can you create an instance template with a service account? How do you automate that and how does it name the service accounts for each new instance??
upvoted 1 times
TNT87
1 year, 8 months ago
You can set up a new instance to run as a service account through the Google Cloud console, the Google Cloud CLI, or directly through the API. Go to the Create an instance page. Specify the VM details. In the Identity and API access section, choose the service account you want to use from the drop-down list. https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances
upvoted 2 times
...
...
AzureDP900
2 years ago
D is right
upvoted 1 times
...
risc
2 years, 1 month ago
This depends on what is meant by "re-deploy"? Service accounts can also be changed by simply stopping the VM and starting it again once the SA was changed. Is this already a re-deploy?
upvoted 3 times
...
AwesomeGCP
2 years, 1 month ago
Selected Answer: D
D. 1. Re-deploy the Web and App servers with instance templates configured with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.
upvoted 1 times
...
zellck
2 years, 1 month ago
Selected Answer: D
D is the answer. https://cloud.google.com/vpc/docs/firewalls#service-accounts-vs-tags A service account represents an identity associated with an instance. Only one service account can be associated with an instance. You control access to the service account by controlling the grant of the Service Account User role for other IAM principals. For an IAM principal to start an instance by using a service account, that principal must have the Service Account User role to at least use that service account and appropriate permissions to create instances (for example, having the Compute Engine Instance Admin role to the project).
upvoted 2 times
...
cloudprincipal
2 years, 5 months ago
Selected Answer: D
Agreed, it has to be D https://cloud.google.com/vpc/docs/firewalls#service-accounts-vs-tags
upvoted 2 times
...

Get IT Certification

Unlock free, top-quality video courses on ExamTopics with a simple registration. Elevate your learning journey with our expertly curated content. Register now to access a diverse range of educational resources designed for your success. Start learning today with ExamTopics!

Start Learning for free
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel