GCP Associate Cloud Engineer Practice Question

You created a custom-mode VPC network named prod-net for a new application. Two regional subnets exist: 10.10.0.0/24 in us-central1 and 10.20.0.0/24 in us-east1. Instances in each subnet have outbound internet connectivity but cannot ping each other over their internal IPs. You must enable all internal traffic between the subnets while keeping any incoming traffic from the internet blocked. Which single firewall rule should you create?

Create an egress firewall rule in prod-net that allows all protocols to 10.0.0.0/8 with priority 65534.
Create an ingress firewall rule in prod-net that allows all protocols from 0.0.0.0/0 with priority 1000.
Create an ingress firewall rule in prod-net that allows all protocols from 10.0.0.0/8 with priority 65534.
Create an egress firewall rule in prod-net that allows all protocols to 0.0.0.0/0 with priority 1000.

Report Issue

Answer Description

A custom-mode VPC starts with only the two implied rules: allow-egress (priority 65535) and deny-ingress (priority 65535). Because the deny rule applies to all ingress traffic, even packets whose source is another subnet in the same network are blocked. To enable internal communication you need an ingress rule that explicitly allows traffic whose source is the network's private address space (for example 10.0.0.0/8, which includes both subnets). Any priority number lower than 65535 overrides the implied deny rule; 65534 is sufficient. An egress rule is unnecessary because egress is already allowed, and using 0.0.0.0/0 as the source would open the network to the public internet.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.