Exam Professional Cloud Security Engineer topic 1 question 163 discussion

Please separate answers D & E so it's less confusing

All VM instances are missing the respective network tags + A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999

A This scenario would bypass the tag-based firewall rules you've implemented. If VMs lack the intended tags, the firewall rules wouldn't be able to identify and filter traffic based on those tags.

Answers A,D

Remember you can ONLY use EITHER service account or tags to filter traffic. You cannot mix. https://medium.com/google-cloud/gcp-cloud-vpc-firewall-with-service-accounts-9902661a4021#:~:text=VPC%20firewall%20rules%20let%20you,on%20a%20per%2Dinstance%20basis. Answers A,D

A, D Either the VMs are not tagged properly or there's another firewall rule that takes precedence.

D is the only answer

How is D even an option and considered? The question itself clearly states "All your VM instances are deployed WITHOUT any service account customization." That means the firewall rule would NOT let any traffic through as there's no SA on the vm's to apply the rule. A is a likely scenario and could easily be overlooked when deploying. B is very unlikely and one big flat network. C is also likely due to admin mistake and overlooking like A. I'd go with A and C as the answer here. Unless I'm interpreting it wrong or missing something here.

A. All VM instances are missing the respective network tags. D. A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999. If all the VM instances in your Google Cloud environment are able to communicate freely despite tag-based VPC firewall rules in place, it is likely that the instances are missing the necessary network tags. Without the appropriate tags, the firewall rules will not be able to properly segment the traffic. Another possible reason for this behavior could be the existence of a VPC firewall rule that allows traffic between source and target instances based on the same service account, with a priority of 999. This rule would take precedence over the tag-based firewall rules with a priority of 1000. It is unlikely that all the VM instances are residing in the same network subnet or configured with the same network route, or that there is a VPC firewall rule allowing traffic with a priority of 1001.

I hit this question on the real exam. It supposed to choose TWO answers. I would pick CD as my answer. A: WRONG. The question already stated "despite tag-based VPC firewall rules in place to segment traffic properly -- with a priority of 1000" so network tags are already in-place. B: WRONG. The customer could set default network across the globe, and then VMs inside one region subnet could ping VMs inside another region subnet. C: CORRECT. D: CORRECT. E: WRONG. Firewall rules with higher priority shall have less than 1000 as the question stated.

I hit this question. It supposed to select TWO answers. I would say Option D definitely would be the right answer. The rest one I no idea.

D: a 999 will overwrite 1000

The answer is D

1001 is lower priority

D. priority 999 is a higher priority than 1000, so if 999 has allow all policy then any deny policy with lower priority will not be applied.

C. All VM instances are configured with the same network route.

maybe A . any idea please.