ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A cloud provider is designing a new private IaaS data center that will host multiple customers who may use the same RFC 1918 address space. Security policy states that if a hypervisor or virtual switch is compromised, an attacker must still be unable to sniff or inject traffic into another tenant's network. Which network segmentation approach best satisfies these requirements during the logical design phase?
Create a dedicated VRF for each tenant and transport it across the fabric with a VXLAN overlay.
Assign a unique IEEE 802.1Q VLAN to each tenant and trunk those VLANs throughout the data center.
Rely on hypervisor security groups to filter inter-tenant traffic on every virtual switch port.
Use a single shared network while enforcing strict role-based access control in the cloud management plane.
Virtual Routing and Forwarding (VRF) instances carried over an overlay such as VXLAN create completely separate routing tables for each tenant. Because every VRF is isolated at Layer 3, overlapping IP prefixes are allowed and traffic is kept logically separate all the way to the physical fabric, not just inside the hypervisor. Even if a vSwitch is compromised, packets cannot cross VRF boundaries. Per-VLAN segmentation provides only Layer 2 isolation and still shares the same forwarding table; it also cannot cope with overlapping addresses at scale. Hypervisor security groups rely on the host software that is assumed potentially hostile in this scenario, and RBAC controls the control plane but does not isolate data traffic.
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Platform & Infrastructure Security