Exam Professional Cloud Network Engineer topic 1 question 121 discussion

Actual exam question from Google's Professional Cloud Network Engineer
Question #: 121
Topic #: 1

In your project my-project, you have two subnets in a Virtual Private Cloud (VPC): subnet-a with IP range 10.128.0.0/20 and subnet-b with IP range 172.16.0.0/24. You need to deploy database servers in subnet-a. You will also deploy the application servers and web servers in subnet-b. You want to configure firewall rules that only allow database traffic from the application servers to the database servers. What should you do?

  • A. Create network tag app-server and service account [email protected]. Add the tag to the application servers, and associate the service account with the database servers. Run the following command:
    gcloud compute firewall-rules create app-db-firewall-rule \
      --action allow \
      --direction ingress \
      --rules top:3306 \
      --source-tags app-server \
      --target-service-accounts sa-db@my-project.iam.gserviceaccount.com
  • B. Create service accounts [email protected] and [email protected]. Associate service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command:
    gcloud compute firewall-rules create app-db-firewall-ru \
      --allow TCP:3306 \
      --source-service-accounts sa-app@democloud-idp-demo.iam.gserviceaccount.com \
      --target-service-accounts sa-db@my-project.iam.gserviceaccount.com
  • C. Create service accounts [email protected] and [email protected]. Associate the service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command:
    gcloud compute firewall-rules create app-db-firewall-ru \
      --allow TCP:3306 \
      --source-ranges 10.128.0.0/20 \
      --source-service-accounts sa-app@my-project.iam.gserviceaccount.com \
      --target-service-accounts sa-db@my-project.iam.gserviceaccount.com
  • D. Create network tags app-server and db-server. Add the app-server tag to the application servers, and add the db-server tag to the database servers. Run the following command:
    gcloud compute firewall-rules create app-db-firewall-rule \
      --action allow \
      --direction ingress \
      --rules tcp:3306 \
      --source-ranges 10.128.0.0/20 \
      --source-tags app-server \
      --target-tags db-server
Suggested Answer: B
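The options differ in exactly three places: the protocol token, whether tags and service accounts are mixed in one rule, and which subnet the source range names. As an added example (not ExamTopics or Google code), the checker below encodes those constraints and runs all four options through them; the spec dictionary shape, check_rule and foreign_accounts are this example's own, and the tag/service-account exclusivity is the one stated on the gcloud firewall-rules reference.

```python
import ipaddress
import re

PROJECT = "my-project"
APP_SUBNET = ipaddress.ip_network("172.16.0.0/24")  # subnet-b, where the app servers live
# Documented protocol names (case-folded here) with an optional port or port range.
PROTO_RE = re.compile(r"^(tcp|udp|sctp)(:\d{1,5}(-\d{1,5})?)?$|^(icmp|esp|ah|ipip|all)$", re.I)


def check_rule(spec):
    """Return a list of problems with a firewall-rule spec; [] means consistent.

    spec keys mirror the gcloud flags with underscores: rules, source_tags,
    target_tags, source_service_accounts, target_service_accounts, source_ranges.
    """
    problems = []
    for token in spec.get("rules", []):
        if not PROTO_RE.match(token):
            problems.append(f"unknown protocol spec {token!r}")
    uses_tags = bool(spec.get("source_tags") or spec.get("target_tags"))
    uses_sa = bool(spec.get("source_service_accounts") or spec.get("target_service_accounts"))
    if uses_tags and uses_sa:
        problems.append("network tags and service accounts cannot be mixed in one rule")
    for cidr in spec.get("source_ranges", []):
        if not ipaddress.ip_network(cidr).overlaps(APP_SUBNET):
            problems.append(f"source range {cidr} contains no application-server address")
    return problems


def foreign_accounts(spec, project=PROJECT):
    """Service accounts whose email is not in `project`; flagged for review, not rejected."""
    emails = spec.get("source_service_accounts", []) + spec.get("target_service_accounts", [])
    return [e for e in emails if not e.endswith(f"@{project}.iam.gserviceaccount.com")]


# The four options from the question, transcribed into spec form (the typo in A is kept).
OPTIONS = {
    "A": {"rules": ["top:3306"], "source_tags": ["app-server"],
          "target_service_accounts": ["sa-db@my-project.iam.gserviceaccount.com"]},
    "B": {"rules": ["TCP:3306"],
          "source_service_accounts": ["sa-app@democloud-idp-demo.iam.gserviceaccount.com"],
          "target_service_accounts": ["sa-db@my-project.iam.gserviceaccount.com"]},
    "C": {"rules": ["TCP:3306"], "source_ranges": ["10.128.0.0/20"],
          "source_service_accounts": ["sa-app@my-project.iam.gserviceaccount.com"],
          "target_service_accounts": ["sa-db@my-project.iam.gserviceaccount.com"]},
    "D": {"rules": ["tcp:3306"], "source_ranges": ["10.128.0.0/20"],
          "source_tags": ["app-server"], "target_tags": ["db-server"]},
}

if __name__ == "__main__":
    for name, spec in OPTIONS.items():
        print(name, check_rule(spec) or "ok", foreign_accounts(spec))
```

Only B comes back clean on the hard constraints, while its source account is the one item reported for review because it lives outside my-project.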

Comments

ccieman2016
Highly Voted 1 year, 11 months ago
Selected Answer: B
C and D are wrong, source address can be subnet-b (172.16.0.0/24). A is wrong, syntax error. B is correct, https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create
upvoted 8 times
pfilourenco
1 year, 11 months ago
A is wrong because you can't have source tags and destination SA's.
upvoted 1 times
playpacman
1 year, 11 months ago
Agreed, as you said src is wrong, hence only B is valid, even if it's an odd option.
upvoted 2 times
AzureDP900
1 year, 11 months ago
Agreed, B is right
upvoted 1 times
netmaster81
Most Recent 2 months, 2 weeks ago
Selected Answer: A
Hi, even though option A has a typo, I think it is the best choice since we can't create a firewall policy with source-service-account.
upvoted 1 times
Kev_Ab
7 months, 2 weeks ago
I don't understand this question. A) Doesn't work as you can't mix tags + service accounts on a firewall rule. B) Doesn't work as the SA indicated as source in the gcloud command doesn't exist: source-service-accounts [email protected] + TCP:3306 doesn't work, it must be with minus tcp:3306. C) Doesn't work as source-ranges should be 172.16.0.0/24 and NOT 10.128.0.0/20 + TCP:3306 doesn't work, it must be with minus tcp:3306. D) Doesn't work as source-ranges should be 172.16.0.0/24 and NOT 10.128.0.0/20. So, if I had to choose one, I would choose B), but it's not properly written.
upvoted 1 times
pk349
1 year, 10 months ago
• B. Create service accounts [email protected] and [email protected]. Associate service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-ru --allow TCP:3306 \ --source-service-accounts sa-app@democloud-idp-demo.iam.gserviceaccount.com \ --target-service-accounts sa-db@my-project.iam.gserviceaccount.com
upvoted 3 times
desertlotus1211
9 months ago
Look at the source service account: source-service-accounts sa-app@democloud-idp-demo.iam.gserviceaccount.com \ It's wrong
upvoted 1 times
TD24
1 year, 11 months ago
Selected Answer: B
B is the only choice. Service Accounts and Tags are mutually exclusive and can't be combined in the same firewall rule. You cannot specify both service accounts and tags in the same rule. https://cloud.google.com/vpc/docs/using-firewalls#gcloud_5
upvoted 3 times
Zek
1 year, 11 months ago
B is correct. Looks like you can't combine tags and service account. See https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create: --source-service-accounts=EMAIL,[EMAIL,…] The email of a service account indicating the set of instances on the network which match a traffic source in the firewall rule. If a source service account is specified then neither source tags nor target tags can also be specified.
upvoted 1 times
pfilourenco
1 year, 11 months ago
Selected Answer: B
B is correct, source address can only be subnet-b (172.16.0.0/24) and A is wrong because you can't have source tags and destination SA's.
upvoted 2 times
pfilourenco
1 year, 11 months ago
Selected Answer: D
D is correct!
upvoted 1 times
pfilourenco
1 year, 11 months ago
B is correct, source address can only be subnet-b (172.16.0.0/24)
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other