Your custom-mode VPC hosts hundreds of VMs. Security sets two rules:
Only VMs tagged "web" must accept TCP 443 from any IPv4 address.
All VMs may send outbound traffic, except VMs tagged "restricted", which must not reach the public internet.
You will meet both needs using one hierarchical Cloud NGFW policy attached to the VPC. Which set of firewall policy rules should you configure?
Ingress rule: allow tcp:443 from 0.0.0.0/0 to targets with tag "web" (priority 1000). Egress rule 1: allow all protocols to 0.0.0.0/0 from all instances (priority 900). Egress rule 2: deny all protocols to 0.0.0.0/0 from targets with tag "restricted" (priority 1000).
Ingress rule: deny all protocols from 0.0.0.0/0 to targets without tag "web" (priority 1000); allow tcp:443 from 0.0.0.0/0 to targets with tag "web" (priority 2000). Egress rule: allow all protocols to 0.0.0.0/0 from all instances (priority 1000).
Ingress rule: allow tcp:443 from 0.0.0.0/0 to targets with tag "web" (priority 1000). Egress rule: allow all protocols to 0.0.0.0/0 for all instances (priority 1000). Implicit deny will block restricted VMs on egress.
Ingress rule: allow tcp:443 from 0.0.0.0/0 to targets with tag "web" (priority 1000). Egress rule 1: deny all protocols to 0.0.0.0/0 from targets with tag "restricted" (priority 900). Egress rule 2: allow all protocols to 0.0.0.0/0 from all instances (priority 1000).
A single ingress rule that allows tcp:443 from 0.0.0.0/0 to targets tagged "web" satisfies the first requirement, because all other ingress traffic is implicitly denied by the default policy rule, which has the lowest priority. For the second requirement, the egress rule that denies 0.0.0.0/0 from targets tagged "restricted" must have higher priority (a lower priority number) than the egress rule that allows 0.0.0.0/0 from all instances, because rules are evaluated in priority order and the first match wins. Ordering the priorities this way ensures that traffic from "restricted" VMs is blocked while all other VMs are permitted to reach the internet, and it requires only three explicit rules in total. The other answer sets either allow unwanted ingress, fail to block the restricted egress, or mis-order the priorities so the deny never takes effect.
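To see why the priority ordering decides the outcome, here is an added example (not part of the original question or its explanation): a small Python model of first-match, lowest-number-wins rule evaluation, applied to the four candidate rule sets in the order they are listed above. It assumes that traffic matched by no explicit rule falls through to implicit defaults of ingress deny and egress allow, and the tag values, the "db" label for an ordinary VM, and the port strings are constructed for the demonstration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:  # one policy rule, in a constructed and simplified model
    direction: str                    # "INGRESS" or "EGRESS"
    action: str                       # "allow" or "deny"
    priority: int                     # lower number is evaluated first
    tags: frozenset = frozenset()     # target tags; empty = all instances
    exclude: frozenset = frozenset()  # match only instances WITHOUT these tags
    ports: frozenset = frozenset()    # e.g. {"tcp:443"}; empty = all protocols

def evaluate(rules, direction, vm_tags, port=None):
    """Action for one flow: first matching rule by ascending priority number,
    else the assumed implicit defaults (ingress deny, egress allow)."""
    for r in sorted(rules, key=lambda r: r.priority):
        matches = (r.direction == direction
                   and (not r.tags or r.tags & vm_tags)
                   and not (r.exclude & vm_tags)
                   and (not r.ports or port in r.ports))
        if matches:
            return r.action
    return "deny" if direction == "INGRESS" else "allow"

WEB, RESTRICTED, OTHER = frozenset({"web"}), frozenset({"restricted"}), frozenset({"db"})
HTTPS = frozenset({"tcp:443"})

def meets_requirements(rules):
    """Both security rules from the question, checked on representative VMs."""
    return (evaluate(rules, "INGRESS", WEB, "tcp:443") == "allow"        # web gets 443
            and evaluate(rules, "INGRESS", OTHER, "tcp:443") == "deny"   # others do not
            and evaluate(rules, "EGRESS", OTHER) == "allow"              # normal VMs out
            and evaluate(rules, "EGRESS", RESTRICTED) == "deny")         # restricted blocked

OPTIONS = {  # the four candidate rule sets, in the order they are listed above
    "A": [Rule("INGRESS", "allow", 1000, WEB, ports=HTTPS),
          Rule("EGRESS", "allow", 900),
          Rule("EGRESS", "deny", 1000, RESTRICTED)],
    "B": [Rule("INGRESS", "deny", 1000, exclude=WEB),
          Rule("INGRESS", "allow", 2000, WEB, ports=HTTPS),
          Rule("EGRESS", "allow", 1000)],
    "C": [Rule("INGRESS", "allow", 1000, WEB, ports=HTTPS),
          Rule("EGRESS", "allow", 1000)],
    "D": [Rule("INGRESS", "allow", 1000, WEB, ports=HTTPS),
          Rule("EGRESS", "deny", 900, RESTRICTED),
          Rule("EGRESS", "allow", 1000)],
}

def passing_options():
    """Names of the candidate sets that satisfy both requirements."""  # -> ["D"]
    return [name for name, rules in OPTIONS.items() if meets_requirements(rules)]
```

Running `evaluate(OPTIONS["A"], "EGRESS", RESTRICTED)` shows the allow at 900 matching before the deny at 1000, which is the mis-ordering the explanation warns about; only the fourth set passes both checks.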
GCP Associate Cloud Engineer
Planning and implementing a cloud solution