ISC2 Certified Cloud Security Professional (CCSP) Practice Question
A cloud service provider is designing a new multitenant IaaS data center. Each rack contains hypervisors that will host virtual machines from many different customers on the same top-of-rack switches. To keep the hypervisor service consoles reachable only by the provider's operations team and to eliminate any possibility of tenant traffic reaching the management plane, which design choice best satisfies this requirement?
Create a single shared management VLAN that both providers and tenants can join, securing it with port-security limits on the switch.
Deploy a physically separate out-of-band management network, using dedicated switch ports, private VLANs or VRFs, and firewalls that allow access only from the operations subnet.
Rely on role-based access control in the hypervisor management application and allow the interfaces to remain reachable from every tenant network.
Place the management interfaces in the same VLAN as tenant storage traffic but protect each hypervisor with a host-based firewall.
The most effective way to keep the hypervisor management plane isolated from tenant networks is to place every host's management interface on a physically separate, out-of-band management network. Combining the dedicated cabling with private VLANs (or VRFs) and tight firewall/ACL rules that allow traffic only from the operations subnet prevents tenant packets from ever entering the management segment, blocking both accidental access and lateral movement.
Putting the interfaces in a tenant-accessible VLAN, even with host-based firewalls, still exposes them if the hypervisor or firewall is misconfigured or compromised. Relying solely on RBAC without any network isolation leaves the management ports reachable from all customer networks. A shared management VLAN that tenants can join suffers from similar exposure and is vulnerable to VLAN hopping or misconfiguration. Only the out-of-band, access-controlled network provides true separation at the network layer, physical as well as logical, meeting the stated objective.
ISC2 Certified Cloud Security Professional (CCSP)
Cloud Platform & Infrastructure Security