Learn the best practice for deploying a new externally-facing application in Google Cloud while maintaining effective security isolation from internal systems. Discover how to use VPC Network Peering to access necessary resources in internal projects.
Question
You manage multiple internal-only applications that are hosted within different Google Cloud projects. You are deploying a new application that requires external internet access. To maintain security, you want to clearly separate this new application from internal systems. Your solution must have effective security isolation for the new externally-facing application. What should you do?
A. Deploy the application within the same project as an internal application. Use a Shared VPC model to manage network configurations.
B. Place the application in the same project as an existing internal application, and adjust firewall rules to allow external traffic.
C. Create a VPC Service Controls perimeter, and place the new application’s project within that perimeter.
D. Create a new project for the application, and use VPC Network Peering to access necessary resources in the internal projects.
Answer
D. Create a new project for the application, and use VPC Network Peering to access necessary resources in the internal projects.
Explanation
When deploying a new application that requires external internet access, it is crucial to maintain a clear separation between the externally-facing application and internal systems to ensure effective security isolation. Creating a new project specifically for the externally-facing application is the best approach.
By placing the new application in a separate project, you can implement granular access controls and security policies tailored to the specific needs of the externally-facing application. This isolation helps prevent potential security breaches from impacting your internal applications and resources.
To enable the externally-facing application to access necessary resources in the internal projects, you should use VPC Network Peering. VPC Network Peering allows private connectivity between two VPC networks, enabling resources in different projects to communicate with each other securely and efficiently. This approach maintains the desired security isolation while still allowing the externally-facing application to access required internal resources.
Options A and B, which suggest deploying the application within the same project as an internal application, are not recommended. This approach would not provide the desired security isolation and could potentially expose internal systems to external threats.
Option C, which involves creating a VPC Service Controls perimeter and placing the new application’s project within that perimeter, is not the most suitable solution for this scenario. VPC Service Controls restricts access to Google-managed service APIs and mitigates data exfiltration from them; it does not segment the network that carries the application’s own traffic, so it does not address the need for separating the externally-facing application from internal systems.
In summary, creating a new project for the externally-facing application and using VPC Network Peering to access necessary internal resources is the best approach to maintain effective security isolation while still enabling the required connectivity.
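As an added illustration of option D (not part of the original question set), the following Terraform sketch shows the two-project layout: separate VPCs, peering configured from both sides, and a firewall rule on the internal side that admits only the externally-facing app's subnet on a single port. Project IDs, CIDR ranges, the port and the target tag are assumed values.

```hcl
# Added example, not from the page: two VPCs in two projects, peered in both
# directions, with a firewall rule on the internal side that admits only the
# externally-facing app's subnet on one port. Project IDs, ranges, and port
# are assumed values.

resource "google_compute_network" "external_app" {
  project                 = "external-app-project" # assumed project ID
  name                    = "external-app-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_network" "internal" {
  project                 = "internal-project" # assumed project ID
  name                    = "internal-vpc"
  auto_create_subnetworks = false
}

# Peering becomes ACTIVE only after both sides are created, and the two VPCs'
# subnet ranges must not overlap (assumed: 10.10.0.0/24 and 10.20.0.0/24).
resource "google_compute_network_peering" "external_to_internal" {
  name         = "external-to-internal"
  network      = google_compute_network.external_app.self_link
  peer_network = google_compute_network.internal.self_link
}

resource "google_compute_network_peering" "internal_to_external" {
  name         = "internal-to-external"
  network      = google_compute_network.internal.self_link
  peer_network = google_compute_network.external_app.self_link
}

# Peering carries traffic but does not bypass VPC firewall rules. Ingress is
# denied by default, so this rule is the only path from the external app
# into the internal VPC: one source range, one port, one tagged target.
resource "google_compute_firewall" "allow_external_app_to_api" {
  project       = "internal-project"
  name          = "allow-external-app-to-api"
  network       = google_compute_network.internal.name
  direction     = "INGRESS"
  source_ranges = ["10.10.0.0/24"] # externally-facing app subnet (assumed)
  target_tags   = ["internal-api"]
  allow {
    protocol = "tcp"
    ports    = ["8443"]
  }
}
```

Because VPC Network Peering is not transitive, the external app reaches only the internal VPC it is peered with, not networks peered onward from it, which keeps the blast radius bounded to the resources you explicitly expose.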
Practice question and answer, with explanation, for the Google Professional Cloud Security Engineer certification exam.