Learn how to set up firewall rules in Google Cloud Platform to allow database traffic from application servers to database servers using network tags. Ensure secure communication between subnets with proper firewall configuration.
Question
You have two subnets (subnet-a and subnet-b) in the default VPC. Your database servers are running in subnet-a. Your application servers and web servers are running in subnet-b. You want to configure a firewall rule that only allows database traffic from the application servers to the database servers. What should you do?
A.
Create service accounts sa-app and sa-db.
Associate service account sa-app with the application servers and the service account sa-db with the database servers.
Create an ingress firewall rule to allow network traffic from source service account sa-app to target service account sa-db.
B.
Create network tags app-server and db-server.
Add the app-server tag to the application servers and the db-server tag to the database servers.
Create an egress firewall rule to allow network traffic from source network tag app-server to target network tag db-server.
C.
Create a service account sa-app and a network tag db-server.
Associate the service account sa-app with the application servers and the network tag db-server with the database servers.
Create an ingress firewall rule to allow network traffic from source VPC IP addresses and target the subnet-a IP addresses.
D.
Create a network tag app-server and service account sa-db.
Add the tag to the application servers and associate the service account with the database servers.
Create an egress firewall rule to allow network traffic from source network tag app-server to target service account sa-db.
Answer
B.
Create network tags app-server and db-server.
Add the app-server tag to the application servers and the db-server tag to the database servers.
Create an egress firewall rule to allow network traffic from source network tag app-server to target network tag db-server.
Explanation
Network tags allow you to apply firewall rules to specific instances based on their assigned tags. By creating tags for application and database servers, you can easily manage firewall rules between them.
An egress rule is required to allow outbound traffic from the application servers to the database servers. The rule should specify the source as the “app-server” network tag and the target as the “db-server” network tag.
The other options are incorrect:
A. Service accounts are used for authentication and authorization, not for firewall rules based on network traffic.
C. Using a combination of service accounts and network tags is incorrect. Additionally, allowing traffic based on subnet IP addresses is too broad and not specific to the application and database servers.
D. Firewall rules cannot use a combination of network tags and service accounts. Service accounts are not applicable in this scenario.
Google Associate Cloud Engineer certification exam practice question and answer (Q&A) dump with detailed explanation and reference, available free, helpful for passing the Google Associate Cloud Engineer exam and earning the Google Associate Cloud Engineer certification.