
Exam Professional Cloud Network Engineer topic 1 question 141 discussion

Actual exam question from Google's Professional Cloud Network Engineer
Question #: 141
Topic #: 1

Your organization is implementing a new security policy to control how firewall rules are applied to control flows between virtual machines (VMs). Using Google-recommended practices, you need to set up a firewall rule to enforce strict control of traffic between VM A and VM B. You must ensure that communications flow only from VM A to VM B within the VPC, and no other communication paths are allowed. No other firewall rules exist in the VPC. Which firewall rule should you configure to allow only this communication path?

  • A. Firewall rule direction: ingress
    Action: allow
    Target: VM B service account
    Source ranges: VM A service account
    Priority: 1000
  • B. Firewall rule direction: ingress
    Action: allow
    Target: specific VM B tag
    Source ranges: VM A tag and VM A source IP address
    Priority: 1000
  • C. Firewall rule direction: ingress
    Action: allow
    Target: VM A service account
    Source ranges: VM B service account and VM B source IP address
    Priority: 100
  • D. Firewall rule direction: ingress
    Action: allow
    Target: specific VM A tag
    Source ranges: VM B tag and VM B source IP address
    Priority: 100
Suggested Answer: A
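As an added example (not part of the exam question and not Google's code), the following Python models how a VPC evaluates ingress firewall rules and lists which VM-to-VM paths options A, B and C open in a constructed three-VM fleet. The VM names, IP addresses, tags and service-account e-mails are assumed values; the third VM, VM C, is there to show what happens when another instance reuses VM A's network tag. The model keeps only the behaviour the question turns on (implied ingress deny, target selection by tag or service account, OR-combined source filters, priority ordering) and ignores protocols, ports and egress rules.

```python
"""Toy model of GCP VPC firewall *ingress* evaluation for this question.

Constructed example, not Google's code: VM names, IPs, tags and service
account e-mails are assumed values. It encodes the documented behaviour the
thread argues about:
  * the implied ingress rule denies everything at priority 65535
  * a rule targets instances by network tag, by service account, or (no
    target filter) every instance in the VPC
  * several source filters on one rule are combined with OR
  * network tags and service accounts cannot be mixed in one rule
  * the lowest priority number wins; on a tie, deny beats allow
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    service_account: str
    tags: frozenset = frozenset()


@dataclass(frozen=True)
class IngressRule:
    name: str
    priority: int
    action: str                                   # "allow" or "deny"
    target_tags: frozenset = frozenset()
    target_service_accounts: frozenset = frozenset()
    source_ranges: tuple = ()                     # CIDR strings
    source_tags: frozenset = frozenset()
    source_service_accounts: frozenset = frozenset()

    def __post_init__(self):
        uses_sa = self.target_service_accounts or self.source_service_accounts
        uses_tags = self.target_tags or self.source_tags
        if uses_sa and uses_tags:
            raise ValueError(f"{self.name}: service accounts and tags cannot be mixed")

    def targets(self, vm: VM) -> bool:
        if not (self.target_tags or self.target_service_accounts):
            return True                           # no target filter: all instances
        return (bool(self.target_tags & vm.tags)
                or vm.service_account in self.target_service_accounts)

    def matches_source(self, vm: VM) -> bool:
        if not (self.source_ranges or self.source_tags or self.source_service_accounts):
            return True                           # no source filter: 0.0.0.0/0
        # Each filter is sufficient on its own (OR), so adding a second
        # source filter widens a rule rather than tightening it.
        return (any(ip_address(vm.ip) in ip_network(r) for r in self.source_ranges)
                or bool(self.source_tags & vm.tags)
                or vm.service_account in self.source_service_accounts)


IMPLIED_DENY_INGRESS = IngressRule("implied-deny-ingress", 65535, "deny")


def ingress_allowed(rules, src: VM, dst: VM) -> bool:
    """Does the rule set let packets from src reach dst? (Egress is implied allow.)"""
    applicable = [r for r in rules if r.targets(dst) and r.matches_source(src)]
    applicable.append(IMPLIED_DENY_INGRESS)       # always applies, lowest precedence
    winner = min(applicable, key=lambda r: (r.priority, r.action != "deny"))
    return winner.action == "allow"


def allowed_paths(rules, vms) -> set:
    """All (source, destination) VM name pairs the rule set permits."""
    return {(s.name, d.name) for s in vms for d in vms
            if s is not d and ingress_allowed(rules, s, d)}


# Constructed fleet (assumed values). VM C's owner reused VM A's network tag,
# which is the failure mode a tag-based rule cannot prevent.
VM_A = VM("vm-a", "10.0.0.2", "sa-a@example.iam.gserviceaccount.com", frozenset({"vm-a"}))
VM_B = VM("vm-b", "10.0.0.3", "sa-b@example.iam.gserviceaccount.com", frozenset({"vm-b"}))
VM_C = VM("vm-c", "10.0.0.4", "sa-c@example.iam.gserviceaccount.com", frozenset({"vm-a"}))
FLEET = [VM_A, VM_B, VM_C]

# Option A: target VM B's service account, source VM A's service account.
OPTION_A = [IngressRule("a-to-b", 1000, "allow",
                        target_service_accounts=frozenset({VM_B.service_account}),
                        source_service_accounts=frozenset({VM_A.service_account}))]
# Option B: target VM B's tag, source VM A's tag OR VM A's /32.
OPTION_B = [IngressRule("a-to-b", 1000, "allow",
                        target_tags=frozenset({"vm-b"}),
                        source_tags=frozenset({"vm-a"}),
                        source_ranges=("10.0.0.2/32",))]
# Option C: like A but with the direction inverted (target is VM A).
OPTION_C = [IngressRule("b-to-a", 100, "allow",
                        target_service_accounts=frozenset({VM_A.service_account}),
                        source_service_accounts=frozenset({VM_B.service_account}),
                        source_ranges=("10.0.0.3/32",))]

if __name__ == "__main__":
    for label, rules in (("A", OPTION_A), ("B", OPTION_B), ("C", OPTION_C)):
        print(label, sorted(allowed_paths(rules, FLEET)))
```

Option A yields only the vm-a to vm-b path; option B also admits vm-c because the second source filter is OR'ed with the first and the tag was reused; option C opens the reverse direction. On a real project the rule in option A is `gcloud compute firewall-rules create ... --direction=INGRESS --action=ALLOW --target-service-accounts=<VM B SA> --source-service-accounts=<VM A SA>`. The reason service accounts are the stricter control is IAM, not the firewall itself: attaching a service account to an instance requires `roles/iam.serviceAccountUser` on that service account, whereas anyone who can edit the instance can set its network tags.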

Comments

pfilourenco
Highly Voted 1 year, 4 months ago
Selected Answer: A
Changing to A. If we follow what the documentation says, A is the correct one: "If you need strict control over how firewall rules are applied to VMs, use target service accounts and source service accounts instead of target tags and source tags" https://cloud.google.com/vpc/docs/firewalls#service-accounts-vs-tags
upvoted 6 times
ian_gcpca
Most Recent 3 months, 3 weeks ago
Selected Answer: B
A and B can both be correct depending on what you really need, but in a real-life scenario we don't usually use SAs for firewall rules.
upvoted 1 times
ian_gcpca
3 months, 2 weeks ago
Changing to A -- https://cloud.google.com/firewall/docs/firewalls#service-accounts-vs-tags "If you need strict control over how firewall rules are applied to VMs, use target service accounts and source service accounts instead of target network tags and source network tags"
upvoted 1 times
Thornadoo
8 months ago
Selected Answer: A
A is correct here since only one service account can be associated with an instance, per https://cloud.google.com/vpc/docs/firewalls#service-accounts-vs-tags. Though technically it will work with tags if you have only one VM associated with that tag, in practice someone can exploit that by using the same tag for another VM. A is pretty well defined (whereas with tags, you will need source and destination IPs too).
upvoted 1 times
didek1986
8 months, 2 weeks ago
Selected Answer: A
Use SAs for rules.
upvoted 1 times
conip
1 year, 2 months ago
Selected Answer: A
• You cannot mix and match service accounts and network tags in any firewall rule.
upvoted 2 times
pk349
1 year, 3 months ago
A. Firewall rule direction: ingress; Action: allow; Target: VM B service account; Source ranges: VM A service account; Priority: 1000
upvoted 1 times
pfilourenco
1 year, 4 months ago
Selected Answer: B
Using Google-recommended practices, B is correct: tags vs. service accounts. The answer is saying that we have 2 source filters (x and y), not the AND/OR logic.
upvoted 3 times
ccieman2016
1 year, 4 months ago
Sorry, I think A is correct. If you select B, VM A and other VMs inside the address space get connectivity to VM B.
upvoted 1 times
pfilourenco
1 year, 4 months ago
Anyway, it is difficult to say whether A or B is more correct, since we can apply the same SA to different computers; the same goes for tags.
upvoted 1 times
pfilourenco
1 year, 4 months ago
If we follow what the documentation says, A is the correct one: "If you need strict control over how firewall rules are applied to VMs, use target service accounts and source service accounts instead of target tags and source tags" https://cloud.google.com/vpc/docs/firewalls#service-accounts-vs-tags
upvoted 3 times
pfilourenco
1 year, 4 months ago
But for this we need different SAs per compute...
upvoted 1 times
pfilourenco
1 year, 4 months ago
"VM A source IP address": you can select a /32, not the whole subnet range.
upvoted 1 times
ccieman2016
1 year, 4 months ago
Selected Answer: A
A) Correct, to provide only the flow between VMs from A. B) Wrong, the second filter logic is an OR operator: "Set additional filters to apply your rule to specific sources of traffic. The filter logic is "Source filter" OR "Second source filter"". C and D) Wrong, the target should be VM B.
upvoted 3 times
nosense
1 year, 4 months ago
What's the point of using a service account?
upvoted 2 times
al_zo
1 year, 4 months ago
Selected Answer: B
The question says traffic is allowed from VM-A (source) to VM-B (target).
upvoted 1 times
al_zo
1 year, 4 months ago
Sorry I believe the correct answer is A: "If you need strict control over how firewall rules are applied to VMs, use target service accounts and source service accounts instead of target tags and source tags" https://cloud.google.com/vpc/docs/firewalls#service-accounts-vs-tags
upvoted 4 times
Pelull
1 year, 4 months ago
I think it is B; D is the wrong side.
upvoted 1 times
nosense
1 year, 4 months ago
Selected Answer: D
I think D is right. A and C: no sense using a service account. B is wrong.
upvoted 1 times
nosense
1 year, 4 months ago
I was wrong, B is correct.
upvoted 1 times
ccieman2016
1 year, 4 months ago
Wrong, man. Read the question again and test it in your lab, please.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other