GCP Professional Cloud Security Engineer Practice Question

Your company is deploying a three-tier application in a single VPC. Web-tier instances run in subnet-web, application-tier instances in subnet-app, and MySQL database VMs in subnet-db. Security requires that:

The database tier must accept traffic only from the application tier on TCP port 3306.
Traffic between the application and database tiers must be encrypted in transit, without administrators managing certificates on every VM. Which approach meets both requirements while minimizing operational overhead?

Configure a Cloud VPN tunnel between subnet-app and subnet-db and allow TCP 3306 over the VPN to secure traffic without additional encryption measures.
Move the application and database instances into the same subnet, rely on Google Cloud's default in-transit encryption, and allow all internal traffic within the subnet.
Place the database behind an internal TCP proxy load balancer with an uploaded SSL certificate and permit connections from the application subnet through the load balancer's forwarding rule.
Create an ingress firewall rule that targets the database instances and allows TCP 3306 only from the application tier's service account, then deploy Anthos Service Mesh to both tiers and enforce strict mutual TLS so sidecar proxies transparently encrypt all traffic.

Report Issue

Answer Description

Creating a firewall rule that targets the database VMs and allows ingress only on TCP 3306 from the application tier's service account enforces strict network isolation. Deploying Anthos Service Mesh with mesh-wide strict mutual TLS injects sidecar proxies that automatically obtain and rotate certificates, ensuring all traffic between the application and database tiers is transparently encrypted without manual certificate management.

By contrast, simply placing both tiers in the same subnet and relying on Google Cloud's default in-transit encryption removes tier isolation and still lacks application-layer mutual TLS. Positioning the database behind an internal TCP proxy load balancer secures traffic only up to the load balancer; traffic between the load balancer and the database remains unencrypted unless additional steps are taken. Establishing a Cloud VPN tunnel between two subnets in the same VPC is unsupported and would add unnecessary complexity and key-management overhead. Therefore, combining service-account-based firewall rules with Anthos Service Mesh strict mTLS best satisfies both requirements with minimal operational effort.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.