GCP Professional Cloud Security Engineer Practice Question
Your company runs a production VPC in the 10.0.0.0/16 range. VM instances that belong to the backend tier carry the network tag backend-svc. Only traffic coming from instances that have the network tag frontend-svc and that is destined for TCP port 8443 must reach the backend tier. All other ingress, including that currently allowed by the default allow-internal rule (priority 65534), must be blocked. Which set of two custom firewall rules satisfies the requirement?
Ingress allow rule: priority 1500, target tag backend-svc, source tag frontend-svc, TCP port 8443; and ingress deny rule: priority 1000, target tag backend-svc, source IP range 0.0.0.0/0, all protocols.
Single egress deny rule: priority 1000, target tag backend-svc, destination IP range 0.0.0.0/0, all protocols, relying on implicit ingress deny for other traffic.
Ingress allow rule: priority 1000, target tag backend-svc, source tag frontend-svc, TCP port 8443; and ingress deny rule: priority 1500, target tag backend-svc, source IP range 0.0.0.0/0, all protocols.
Single ingress allow rule: priority 1000, target tag backend-svc, source IP range 0.0.0.0/0, TCP port 8443, relying on the implicit deny rule for other packets.
Google Cloud evaluates firewall rules by ascending priority value: a lower number is evaluated first. To permit just the required traffic, you first create a high-priority (low number) allow rule that matches packets from sources tagged frontend-svc to targets tagged backend-svc on TCP 8443. You then add a second rule with slightly lower priority than the first (a higher number) but still higher priority than the default rule at 65534 (a lower number) that denies all remaining ingress to targets tagged backend-svc. Because the allow rule is evaluated first, desired traffic is accepted; other packets continue to the deny rule and are dropped before the default allow-internal rule can be considered. Any solution that reverses the priorities, omits the deny rule, or allows 0.0.0.0/0 will either block the required traffic or leave the backend exposed.
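Added example (not part of the original question): a small Python model of Google Cloud's first-match-by-ascending-priority evaluation, run over constructed sample packets to compare the allow-1000/deny-1500 pair with the reversed pair and with a single 0.0.0.0/0 allow. The model of the default allow-internal rule (any sender in 10.0.0.0/16 reaches every instance) is an assumption made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    priority: int                       # lower number = evaluated first
    action: str                         # "allow" or "deny"
    target_tag: Optional[str] = None    # None = applies to every instance
    port: Optional[int] = None          # None = all protocols and ports
    source_tag: Optional[str] = None    # sender must carry this network tag
    source_range: Optional[str] = None  # sender IP must fall in this CIDR

def matches(rule, pkt):
    if rule.target_tag and rule.target_tag not in pkt["dst_tags"]:
        return False
    if rule.port is not None and pkt["port"] != rule.port:
        return False
    if rule.source_tag is not None and rule.source_tag not in pkt["src_tags"]:
        return False
    if rule.source_range is not None:
        return ipaddress.ip_address(pkt["src_ip"]) in ipaddress.ip_network(rule.source_range)
    return True

def evaluate(rules, pkt):
    """First matching rule in ascending priority order wins; unmatched ingress is denied."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt):
            return rule.action
    return "deny"  # implied ingress deny (priority 65535)

# The default allow-internal rule from the question, modelled (assumption) as allowing
# any sender inside the VPC's 10.0.0.0/16 range to reach every instance.
ALLOW_INTERNAL = Rule(65534, "allow", source_range="10.0.0.0/16")
def allow_then_deny():  # allow at 1000, deny at 1500: the pair the explanation describes
    return [Rule(1000, "allow", "backend-svc", 8443, source_tag="frontend-svc"),
            Rule(1500, "deny", "backend-svc", source_range="0.0.0.0/0"), ALLOW_INTERNAL]
def reversed_priorities():  # the same two rules with their priorities swapped
    return [Rule(1500, "allow", "backend-svc", 8443, source_tag="frontend-svc"),
            Rule(1000, "deny", "backend-svc", source_range="0.0.0.0/0"), ALLOW_INTERNAL]
def single_open_allow():  # one allow from 0.0.0.0/0 and no custom deny
    return [Rule(1000, "allow", "backend-svc", 8443, source_range="0.0.0.0/0"), ALLOW_INTERNAL]

# Constructed sample packets; every sender sits inside the VPC range.
PACKETS = {
    "frontend->8443": {"src_ip": "10.0.1.10", "src_tags": {"frontend-svc"}, "dst_tags": {"backend-svc"}, "port": 8443},
    "frontend->22":   {"src_ip": "10.0.1.10", "src_tags": {"frontend-svc"}, "dst_tags": {"backend-svc"}, "port": 22},
    "batch->8443":    {"src_ip": "10.0.2.20", "src_tags": {"batch-job"}, "dst_tags": {"backend-svc"}, "port": 8443},
}
def verdicts(rules):  # map each sample packet name to the verdict the rule set gives it
    return {name: evaluate(rules, pkt) for name, pkt in PACKETS.items()}
```

Only the allow-then-deny set admits exactly the frontend-svc traffic on 8443; the reversed set drops it too, and the single open allow lets the batch sender in and lets port 22 through via allow-internal.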
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection