GCP Professional Cloud Security Engineer Practice Question
In your production VPC, all VM instances now have external access blocked by default. Only the batch-processing group (instances tagged updater) should be able to fetch software from public repositories on the internet; every other instance must be prevented from initiating outbound connections. Which combination of Cloud VPC firewall rules satisfies this requirement while following principle of least privilege?
Create an egress allow rule to 0.0.0.0/0 with priority 50 that targets the updater tag, and an egress deny rule to 0.0.0.0/0 with priority 100 that targets all instances.
Create an ingress deny rule (priority 100) for 0.0.0.0/0 that targets all instances, and an egress allow rule (priority 50) to 0.0.0.0/0 for the updater tag.
Create an egress allow rule to 0.0.0.0/0 with priority 2000 that targets the updater tag, and an egress deny rule to 0.0.0.0/0 with priority 1000 that targets all instances.
Create a single egress deny rule (priority 1000) that blocks 0.0.0.0/0 for all instances, and rely on Cloud NAT to let updater-tagged VMs connect.
A lower priority number means the rule is evaluated first. By creating an egress allow rule with a priority of 50 that targets only instances tagged updater, those VMs are matched and traffic is permitted. The subsequent rule with priority 100 denies egress to 0.0.0.0/0 for every instance, so all traffic from non-tagged VMs is blocked. NAT does not bypass firewall rules, and an ingress rule would not control outbound connections, so the other options fail to meet the requirement.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is the principle of least privilege in cloud security?
Open an interactive chat with Bash
How does priority work in Cloud VPC firewall rules?