Exam Professional Cloud Architect topic 1 question 33 discussion

D. refer to target filtering. https://cloud.google.com/solutions/best-practices-vpc-design

Let's go with option elimination A. Add each tier to a different subnetwork >> Adding tiers to different subnets does not prevent or block them from accessing each other. Until specific firewall rules on VM or subnet allow access traffic on a specific port in the rule. B. Set up software-based firewalls on individual VMs >> Not a recommended practice will have to enable firewall anyway. C. Add tags to each tier and set up routes to allow the desired traffic flow >> Can be done but. D. Add tags to each tier and set up firewall rules to allow the desired traffic flow >> Recommended way Hence D

1. Firewall rules for security: Firewall rules provide the most granular and robust control over network traffic. By using tags to identify instances in each tier (web, API, database), you can create firewall rules that explicitly allow or deny traffic between these tiers. 2. Controlling traffic flow: You can create rules that: - Allow traffic from the web tier to the API tier. - Allow traffic from the API tier to the database tier. - Explicitly deny traffic between the web and database tiers. 3. Scalability and Flexibility: This approach works well even when your tiers scale independently. As new instances are added, they inherit the tags and automatically adhere to the defined firewall rules.

D is correct

Routes are typically used for directing traffic between networks rather than within the same network. While tags can be used for identifying resources, they are typically used in conjunction with firewall rules for controlling traffic flow.

Why to implement anything else when Firewall is built-in within VPC and works based on Tags associated with resources.

separate vnet is ruled out as they are on same network.

For me most suitable answer is D

It's D To configure the network so that traffic flows through the web to the API tier and then on to the database tier, but does not flow between the web and the database tier, you can add tags to each tier and set up firewall rules to allow the desired traffic flow. By adding tags to each tier, you can identify the VMs that belong to each tier and create firewall rules that allow traffic between the tiers as needed. For example, you can create a firewall rule that allows traffic from the web tier to the API tier, and another rule that allows traffic from the API tier to the database tier. This will ensure that traffic flows through the desired path and is not allowed between the web and database tiers. Other options, such as adding each tier to a different subnetwork or setting up software-based firewalls on individual VMs, may not provide the necessary level of control over the traffic flow between the tiers. Setting up routes to allow the desired traffic flow may not be sufficient to prevent traffic between the web and database tiers.

D is ok

D is right answer

Having 3-tier web application deployed in the same network is wrong to begin with. However, even in different subnets you will need to apply firewall rules to prevent traffic between selected subnets. In this case they will probably be better of with D.

use firewall rules

A per my comment below .

D is the correct answer

Go for D

From Google practice exam question : D is correct because as instances scale, they will all have the same tag to identify the tier. These tags can then be leveraged in firewall rules to allow and restrict traffic as required, because tags can be used for both the target and source. https://cloud.google.com/vpc/docs/using-vpc https://cloud.google.com/vpc/docs/routes https://cloud.google.com/vpc/docs/add-remove-network-tags