GCP Professional Cloud Architect Practice Question
Your company uses a global external HTTP(S) load balancer whose back-end instances will be created from an instance template. The VMs must run in the existing custom VPC "retail-prod" and the regional subnet "frontend-us" (10.10.20.0/24, us-central1). Only these connections should reach the VMs:
TCP 80 from 35.191.0.0/16 and 130.211.0.0/22 (the load balancer)
TCP 22 from 192.168.10.0/24 (on-prem admin subnet)
All other inbound traffic must remain blocked automatically, even when new instances are auto-scaled. Which design meets the requirements while minimizing ongoing firewall maintenance?
A. Use the default VPC and rely on a startup script in the instance template to configure iptables to open ports 80 and 22; do not create any new Google Cloud firewall rules.
B. Define two ingress firewall rules in "retail-prod": one allowing tcp:80 from 35.191.0.0/16 and 130.211.0.0/22, and one allowing tcp:22 from 192.168.10.0/24. Both rules target instances with the network tag "frontend". In the instance template, specify network "retail-prod", subnet "frontend-us", and add the "frontend" tag so every VM automatically receives the correct access.
C. Attach the instances to "retail-prod/frontend-us" and configure Cloud NAT for egress. Skip all custom firewall rules because Cloud NAT blocks unsolicited inbound traffic by default.
D. Create two firewall rules that allow tcp:80 and tcp:22 from 0.0.0.0/0 to the subnet "frontend-us". Depend on each VM's operating-system firewall to reject unwanted sources.
Explanation: Creating the VMs in a custom VPC means they receive no default ingress rules, so explicit rules are required. Two narrowly scoped firewall rules targeted by a network tag applied in the instance template satisfy least-privilege access:
Allow tcp:80 from the load balancer's published source ranges to targets tagged "frontend".
Allow tcp:22 from the on-prem admin subnet to the same tag.
Because evaluation stops at the highest-priority matching rule and the implicit ingress deny still applies to every connection that matches neither allow rule, no extra rules are needed. Assigning the tag in the template ensures every auto-scaled VM inherits the correct network, subnetwork, and firewall posture without manual intervention.
The alternative answers rely on OS-level filtering, on overly permissive 0.0.0.0/0 rules, or on Cloud NAT (which does not control ingress), so they fail to meet the security and maintenance requirements.
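The evaluation order described above (highest-priority match wins, implicit ingress deny for everything else, target tags deciding which instances a rule applies to) can be modelled in a few lines. The following is an added example, not code from the original page or from Google: it loads the two rules from option B and runs constructed sample connections against a VM carrying the "frontend" tag and against one created without it. Rule names such as "allow-lb-http" and the sample source addresses are assumptions for illustration.

```python
# Added example (not from the original page or Google): a small model of how
# GCP VPC firewall rules are evaluated, loaded with the two ingress rules from
# the question, to show which connections reach a tagged auto-scaled VM and
# which fall through to the implicit ingress deny.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class FirewallRule:
    name: str
    priority: int               # lower number wins; the GCP default is 1000
    action: str                 # "allow" or "deny"
    protocol: str
    ports: frozenset            # TCP/UDP port numbers
    source_ranges: tuple        # CIDR strings
    target_tags: frozenset      # empty set = applies to every instance in the VPC

    def matches(self, src_ip: str, protocol: str, port: int, instance_tags: frozenset) -> bool:
        """True if this rule applies both to the instance and to the connection."""
        if self.target_tags and not (self.target_tags & instance_tags):
            return False
        if protocol != self.protocol or port not in self.ports:
            return False
        src = ip_address(src_ip)
        return any(src in ip_network(r) for r in self.source_ranges)


# The two rules from option B, in "retail-prod", targeting the tag "frontend".
# Rule names are assumed for this example.
RULES = (
    FirewallRule("allow-lb-http", 1000, "allow", "tcp", frozenset({80}),
                 ("35.191.0.0/16", "130.211.0.0/22"), frozenset({"frontend"})),
    FirewallRule("allow-onprem-ssh", 1000, "allow", "tcp", frozenset({22}),
                 ("192.168.10.0/24",), frozenset({"frontend"})),
)


def evaluate_ingress(rules, src_ip, protocol, port, instance_tags):
    """Return (action, rule_name) for one inbound connection.

    GCP applies the highest-priority (lowest number) matching rule; at equal
    priority a deny rule takes precedence over an allow. If nothing matches,
    the VPC's implicit ingress deny applies.
    """
    ordered = sorted(rules, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in ordered:
        if rule.matches(src_ip, protocol, port, instance_tags):
            return rule.action, rule.name
    return "deny", "implicit-deny-ingress"


# Constructed sample connections: one VM that came from the template (tagged
# "frontend") and one that was created by hand without the tag.
FRONTEND_VM = frozenset({"frontend"})
UNTAGGED_VM = frozenset()

SAMPLE_CONNECTIONS = [
    # (description, source IP, protocol, destination port, instance tags)
    ("lb-health-check", "35.191.12.34", "tcp", 80, FRONTEND_VM),
    ("lb-proxy", "130.211.1.9", "tcp", 80, FRONTEND_VM),
    ("onprem-admin-ssh", "192.168.10.5", "tcp", 22, FRONTEND_VM),
    ("onprem-admin-http", "192.168.10.5", "tcp", 80, FRONTEND_VM),  # right source, wrong port
    ("internet-ssh", "203.0.113.7", "tcp", 22, FRONTEND_VM),        # source not in any allow rule
    ("lb-to-untagged-vm", "35.191.12.34", "tcp", 80, UNTAGGED_VM),  # tag missing from the VM
]


def check_design():
    """Evaluate every sample connection; returns {description: (action, rule_name)}."""
    return {
        desc: evaluate_ingress(RULES, ip, proto, port, tags)
        for desc, ip, proto, port, tags in SAMPLE_CONNECTIONS
    }


if __name__ == "__main__":
    for desc, (action, rule) in check_design().items():
        print(f"{desc:20} -> {action:5} ({rule})")
```

The last sample connection is the one to watch: a VM without the "frontend" tag gets no traffic from the load balancer at all, which is exactly why the tag belongs in the instance template rather than being added to each VM by hand.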
Exam: GCP Professional Cloud Architect. Domain: Managing and provisioning a solution infrastructure.