Your company has two Compute Engine instance groups in the same VPC: an app tier that runs with the service account "[email protected]" and a web tier that is tagged "web". Only the app-tier VMs and the on-premises CIDR block 10.50.0.0/16 should be able to reach TCP port 8080 on the web-tier instances; all other sources must be blocked. You learn that an ingress Cloud Next Generation Firewall (Cloud NGFW) rule can include only one kind of source filter (either service accounts, network tags, or IP ranges) per rule. What is the most operationally efficient way to meet the requirement?
Create a single ingress rule with source network tag "app" and IP range 10.50.0.0/16 targeting the "web" tag on tcp:8080.
Create a single ingress rule that lists both the source service account "[email protected]" and the source IP range 10.50.0.0/16, targeting the "web" tag on tcp:8080.
Create two ingress rules that both target the "web" tag and allow tcp:8080: (1) a rule whose source service account is "[email protected]" and (2) a rule whose source IP range is 10.50.0.0/16.
Create one ingress rule that allows 0.0.0.0/0 to reach the web-tier service account on tcp:8080 and rely on IAM to restrict access.
Because an ingress Cloud NGFW rule can contain only one type of source condition, you must create two separate rules: one that allows traffic from the app tier's service account to the web-tier tag on TCP port 8080, and another that allows traffic from the on-premises 10.50.0.0/16 CIDR block to the same target. Using the service account as the source automatically covers any future VMs that run under the app-tier service account and avoids opening access more broadly than necessary. Combining a service account and an IP range as sources in a single rule is not supported. Relying solely on IP ranges or tags would either require manual updates as the app tier scales or fail to identify the correct source. Allowing 0.0.0.0/0 would violate the security requirement.
GCP Associate Cloud Engineer
Planning and implementing a cloud solution