GCP Professional Cloud Security Engineer Practice Question
Your company is building a multi-tier e-commerce platform on Google Cloud. The web tier must be reachable from any customer on the public internet, while the application and database tiers must remain isolated from unsolicited inbound traffic and must not expose any routable address space externally. Which configuration meets these requirements with the least operational overhead?
Place the web servers behind an external HTTP(S) load balancer that owns a Google-managed public IP, give the web, app, and database VMs only private RFC 1918 addresses, and use firewall rules to allow traffic from the load balancer to the private tiers.
Assign individual public external IP addresses to the web and application tiers, create firewall rules to block all ports except 443, and deploy Cloud NAT for the database tier.
Give the web and application tiers private IP addresses only, configure Private Google Access, and publish the database tier through Cloud NAT with a reserved static public IP.
Deploy all tiers in a public subnet with auto-assigned external IP addresses and rely on default VPC firewall rules to prevent unwanted inbound access.
Resources that must be reachable from anywhere on the internet need publicly routable external IP addresses or an external load balancer that owns such addresses. Internal tiers that should stay private can use only RFC 1918 addresses inside a VPC subnet. By deploying an external HTTP(S) load balancer (which advertises a Google-owned anycast public IP) in front of web-tier instances that have only private addresses, you avoid assigning individual external IPs to every VM and keep the app and DB tiers on private subnets with no external IPs. Creating firewall rules that allow only load-balancer-originating traffic to the private back-ends and blocking all other ingress enforces the isolation. Alternatives that give the application or database tiers external IPs, or require manual NAT rules for inbound connectivity, would either expose non-internet-facing systems or add unnecessary complexity.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is an external HTTP(S) load balancer in GCP?
Open an interactive chat with Bash
What are RFC 1918 addresses?
Open an interactive chat with Bash
How do firewall rules improve security in GCP?
Open an interactive chat with Bash
What are RFC 1918 addresses and why are they used in private networks?
Open an interactive chat with Bash
How does an external HTTP(S) load balancer improve security while operating on Google Cloud?
Open an interactive chat with Bash
What is the role of a firewall in this configuration, and how is it implemented in Google Cloud?
Open an interactive chat with Bash
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .