GCP Professional Cloud Security Engineer Practice Question
Your organization operates two standalone VPC networks in separate projects: app-vpc hosts Compute Engine instances that act as application servers, while analytics-vpc hosts a stateful MySQL cluster. A VPC Network Peering connection has been created between the two VPCs so that the applications can query the database over TCP port 3306. Security policy states:
Only the application servers may initiate traffic to the database on TCP 3306.
No other protocols or ports may cross the peering link in either direction.
The database servers must never initiate any connection back toward app-vpc.
Which approach satisfies all requirements with the least ongoing operational overhead?
Tag all database VMs with "db" and create an ingress allow rule for tag db on TCP 3306; in app-vpc add an egress deny rule toward analytics-vpc; omit any egress rule in analytics-vpc.
In analytics-vpc create an ingress allow rule for TCP 3306 from the app-vpc subnet, plus an egress deny-all rule from the database subnet to the app-vpc subnet; leave app-vpc with its default firewall rules.
In app-vpc create an ingress allow rule for TCP 3306 from analytics-vpc and an egress allow rule from analytics-vpc to app-vpc; rely on default rules to block everything else.
Replace VPC peering with a Cloud VPN tunnel and advertise only the database subnet route; configure VPN firewall rules to permit TCP 3306 traffic.
Because firewall rules are enforced independently on each side of a VPC peering connection, the simplest way to meet the requirements is to:
In analytics-vpc (where the database VMs live), add a high-priority ingress allow rule limited to TCP 3306 whose source is the RFC 1918 subnet of app-vpc. This lets application servers start MySQL sessions.
Still in analytics-vpc, add a high-priority egress deny rule that targets the database subnet (or the database service account) and uses the destination IP range of app-vpc. This blocks any connection attempts from the databases back to the application VPC.
No additional rules are needed on app-vpc because default egress is allow and default ingress is deny. The other options either place rules on the wrong VPC, rely on unnecessary tagging, or add and maintain extra infrastructure (VPN) that is not required to meet the stated goals.
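To make the reasoning above concrete, here is a small Python model of how GCP evaluates firewall rules on each side of a peering link. It is an added illustration written for this page, not GCP's engine and not code from the exam provider: the subnet ranges, VM addresses, rule names and priorities are constructed, and rule targets (tags, service accounts) are omitted so every rule applies to all instances in its VPC. The `default-allow-ssh` rule stands in for the kind of broad ingress rule a network with default firewall rules carries, which is exactly the case where the egress deny in analytics-vpc does real work.

```python
"""Toy model of GCP VPC firewall evaluation across a peering connection.

Constructed example (not GCP's implementation): each VPC enforces its own
rules, lowest priority number wins, and two implied rules sit at priority
65535: deny all ingress, allow all egress.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed RFC 1918 ranges and addresses for the two peered VPCs.
APP_SUBNET = "10.10.0.0/24"   # app-vpc application servers
DB_SUBNET = "10.20.0.0/24"    # analytics-vpc MySQL cluster
APP_VM = "10.10.0.5"
DB_VM = "10.20.0.7"


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str   # "INGRESS" or "EGRESS"
    action: str      # "allow" or "deny"
    priority: int    # 0-65535; a lower number is evaluated first
    protocol: str    # "tcp", "udp", "icmp" or "all"
    ports: tuple     # empty tuple means every port
    remote: str      # source range (ingress) or destination range (egress)


# Implied rules present in every VPC unless a custom rule matches first.
IMPLIED = (
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535, "all", (), "0.0.0.0/0"),
    Rule("implied-allow-egress", "EGRESS", "allow", 65535, "all", (), "0.0.0.0/0"),
)


def evaluate(rules, direction, remote_ip, protocol, port):
    """Return (allowed, matching_rule_name) for one VPC in one direction.

    Lowest priority number wins; on a tie, deny takes precedence over allow.
    """
    candidates = [r for r in (*rules, *IMPLIED) if r.direction == direction]
    for r in sorted(candidates, key=lambda r: (r.priority, r.action != "deny")):
        if ip_address(remote_ip) not in ip_network(r.remote):
            continue
        if r.protocol != "all" and r.protocol != protocol:
            continue
        if r.ports and port not in r.ports:
            continue
        return r.action == "allow", r.name
    raise RuntimeError("unreachable: an implied rule always matches")


def connection_allowed(src_rules, dst_rules, src_ip, dst_ip, protocol, port):
    """A new connection crosses the peering only if the source VPC's egress
    rules AND the destination VPC's ingress rules both allow it; peering
    shares no firewall rules between the two networks."""
    egress_ok, _ = evaluate(src_rules, "EGRESS", dst_ip, protocol, port)
    ingress_ok, _ = evaluate(dst_rules, "INGRESS", src_ip, protocol, port)
    return egress_ok and ingress_ok


# The recommended option: both custom rules live in analytics-vpc.
ANALYTICS_VPC_RULES = (
    Rule("allow-app-to-mysql", "INGRESS", "allow", 1000, "tcp", (3306,), APP_SUBNET),
    Rule("deny-db-egress-to-app", "EGRESS", "deny", 1000, "all", (), APP_SUBNET),
)
# app-vpc is left alone; modelled here with a broad SSH ingress rule of the
# kind a network with default firewall rules carries (constructed).
APP_VPC_RULES = (
    Rule("default-allow-ssh", "INGRESS", "allow", 65534, "tcp", (22,), "0.0.0.0/0"),
)


def check_policy(app_rules=APP_VPC_RULES, analytics_rules=ANALYTICS_VPC_RULES):
    """Evaluate the three stated requirements; True means the requirement holds."""
    app_to_db = lambda proto, port: connection_allowed(
        app_rules, analytics_rules, APP_VM, DB_VM, proto, port)
    db_to_app = lambda proto, port: connection_allowed(
        analytics_rules, app_rules, DB_VM, APP_VM, proto, port)
    return {
        "app_can_reach_mysql": app_to_db("tcp", 3306),
        "no_other_ports_app_to_db": not app_to_db("tcp", 22) and not app_to_db("udp", 53),
        "db_never_initiates_to_app": not db_to_app("tcp", 22) and not db_to_app("tcp", 3306),
    }


if __name__ == "__main__":
    print("with egress deny:   ", check_policy())
    # Without the egress deny, app-vpc's SSH ingress rule lets the database
    # VMs open connections back toward the application servers.
    print("without egress deny:", check_policy(analytics_rules=ANALYTICS_VPC_RULES[:1]))
```

Two points the model makes visible: the ingress allow in analytics-vpc is scoped to TCP 3306 from the app subnet, so every other port falls through to the implied ingress deny; and the egress deny is what stops the database side from initiating connections whenever app-vpc carries any permissive ingress rule. Because GCP firewall rules are stateful, that egress deny does not interfere with reply packets for MySQL sessions the application servers started.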
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection