GCP Professional Cloud Architect Practice Question
Your VPC hosts several Compute Engine instances; the application servers are tagged "app-tier." Compliance requires:
Only the on-prem bastion subnet 192.168.10.0/24 (via Cloud VPN) may SSH to app-tier VMs.
App-tier VMs may send traffic only to 10.16.0.0/16; every other egress destination must be blocked.
Connectivity for all other VMs must remain unchanged.
With the fewest additional VPC firewall rules, which configuration meets these requirements?
Delete the default "allow egress 0.0.0.0/0" rule for the VPC, then create an egress allow 10.16.0.0/16 rule and an ingress allow tcp:22 from 192.168.10.0/24 targeted at app-tier instances.
Create an organization-level egress deny 0.0.0.0/0 rule (priority 1000) and a project-level egress allow 10.16.0.0/16 rule; add a single ingress allow tcp:22 from 192.168.10.0/24 for tag app-tier.
For target tag app-tier add exactly four rules:
Egress allow (all protocols) to 10.16.0.0/16, priority 100
Egress deny (all protocols) to 0.0.0.0/0, priority 200
Ingress allow tcp:22 from 192.168.10.0/24, priority 1000
Ingress deny tcp:22 from 0.0.0.0/0, priority 1100
Keep all default VPC rules.
Add three rules for tag app-tier: egress allow 10.16.0.0/16 (priority 100), egress deny 0.0.0.0/0 (priority 200), and ingress allow tcp:22 from 192.168.10.0/24 (priority 1000); rely on default rules for other traffic.
Google Cloud evaluates firewall rules from the lowest numeric priority (highest precedence) to the highest and applies the first match. Because the default ingress rule "allow-ssh" (priority 65534) would still permit SSH from anywhere, a deny rule that outranks it (a lower priority number) must follow the specific allow from the bastion subnet. Likewise, two egress rules are required: an allow to 10.16.0.0/16 at a lower priority number, followed by a broader deny to 0.0.0.0/0. Targeting both pairs at the "app-tier" tag keeps other VMs unaffected, so four tag-scoped rules (an allow plus a deny in each direction) are the minimal compliant set. Deleting or changing default rules would impact other workloads, and omitting the deny-SSH rule would leave the servers reachable over SSH from anywhere via the default rule.
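To see why each allow needs its matching deny, here is a small Python model of first-match priority evaluation, added here as an example and not code from the page or from Google. The rule names, the default-rule subset, the tags and the sample addresses are constructed, and the model ignores GCP's tie-breaking for rules of equal priority.

```python
from ipaddress import ip_address, ip_network

# Constructed model of VPC firewall evaluation: rules are walked from the lowest
# priority number upward and the first rule matching direction, target tag,
# port and remote CIDR decides. "any" for port means all protocols/ports.
def make_rule(name, direction, action, priority, port, cidr, target=None):
    return {"name": name, "direction": direction, "action": action,
            "priority": priority, "port": port, "cidr": ip_network(cidr),
            "target": target}

# Constructed subset of the default network: default-allow-ssh (65534) plus
# the implied allow-egress / deny-ingress rules (65535) that cannot be deleted.
DEFAULT_RULES = [
    make_rule("default-allow-ssh", "INGRESS", "ALLOW", 65534, 22, "0.0.0.0/0"),
    make_rule("implied-allow-egress", "EGRESS", "ALLOW", 65535, "any", "0.0.0.0/0"),
    make_rule("implied-deny-ingress", "INGRESS", "DENY", 65535, "any", "0.0.0.0/0"),
]

# The four tag-scoped rules from the answer (names are constructed).
APP_TIER_RULES = [
    make_rule("app-egress-allow-internal", "EGRESS", "ALLOW", 100, "any", "10.16.0.0/16", "app-tier"),
    make_rule("app-egress-deny-all", "EGRESS", "DENY", 200, "any", "0.0.0.0/0", "app-tier"),
    make_rule("app-ssh-allow-bastion", "INGRESS", "ALLOW", 1000, 22, "192.168.10.0/24", "app-tier"),
    make_rule("app-ssh-deny-all", "INGRESS", "DENY", 1100, 22, "0.0.0.0/0", "app-tier"),
]
ALL_RULES = DEFAULT_RULES + APP_TIER_RULES

def evaluate(rules, vm_tags, direction, remote_ip, port):
    """Return (action, rule_name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        if r["direction"] != direction:
            continue
        if r["target"] is not None and r["target"] not in vm_tags:
            continue
        if r["port"] != "any" and r["port"] != port:
            continue
        if ip_address(remote_ip) not in r["cidr"]:
            continue
        return r["action"], r["name"]
    return "DENY", "implicit"  # not reached: the implied rules match everything

def without(rules, name):
    """Rule set with one rule removed, to show what dropping a deny does."""
    return [r for r in rules if r["name"] != name]

if __name__ == "__main__":
    # Constructed sample flows: bastion SSH, internet SSH, internal and external egress.
    print(evaluate(ALL_RULES, {"app-tier"}, "INGRESS", "192.168.10.5", 22))   # ALLOW
    print(evaluate(ALL_RULES, {"app-tier"}, "INGRESS", "203.0.113.7", 22))    # DENY
    print(evaluate(ALL_RULES, {"app-tier"}, "EGRESS", "8.8.8.8", 443))        # DENY
    print(evaluate(without(ALL_RULES, "app-ssh-deny-all"), {"app-tier"}, "INGRESS", "203.0.113.7", 22))
```

The last line shows the failure mode the explanation warns about: with the priority-1100 deny removed, internet SSH to an app-tier VM falls through to default-allow-ssh and is allowed.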
GCP Professional Cloud Architect
Designing and planning a cloud solution architecture