Configuring VPC Firewall Rules for Active Directory Server Access

Question

All Compute Engine instances in your VPC should be able to connect to an Active Directory server on specific ports.

Any other traffic emerging from your instances is not allowed.

You want to enforce this using VPC firewall rules.

How should you configure the firewall rules?

Explanations

A.

To enforce the requirement of allowing only Compute Engine instances in your VPC to connect to an Active Directory server on specific ports and block all other traffic, you need to create VPC firewall rules.

There are two types of firewall rules in a VPC: ingress rules and egress rules. Ingress rules control the incoming traffic to your instances, while egress rules control the outgoing traffic from your instances.

In this scenario, since we need to allow outbound traffic to connect to the Active Directory server and block all other outbound traffic, we will create an egress rule.

Option A: Create an egress rule with priority 1000 to deny all traffic for all instances. Create another egress rule with priority 100 to allow the Active Directory traffic for all instances.

This option creates a deny all rule with a higher priority and an allow rule with a lower priority. The problem with this option is that the deny all rule with a higher priority will be evaluated first, and all traffic from instances will be blocked, including the Active Directory traffic.

Option B: Create an egress rule with priority 100 to deny all traffic for all instances. Create another egress rule with priority 1000 to allow the Active Directory traffic for all instances.

This option creates a deny all rule with a lower priority and an allow rule with a higher priority. This option will work as intended, as the Active Directory traffic will be allowed and all other outbound traffic will be blocked.

Option C: Create an egress rule with priority 1000 to allow the Active Directory traffic. Rely on the implied deny egress rule with priority 100 to block all traffic for all instances.

This option creates an allow rule with a higher priority and relies on the implied deny egress rule with a lower priority. The issue with this option is that it will allow all traffic from instances, including the traffic that is not meant to be allowed.

Option D: Create an egress rule with priority 100 to allow the Active Directory traffic. Rely on the implied deny egress rule with priority 1000 to block all traffic for all instances.

This option creates an allow rule with a lower priority and relies on the implied deny egress rule with a higher priority. This option will work as intended, as the Active Directory traffic will be allowed, and all other outbound traffic will be blocked.

Therefore, the correct option is B: Create an egress rule with priority 100 to deny all traffic for all instances. Create another egress rule with priority 1000 to allow the Active Directory traffic for all instances.
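The following is an added example, not part of the original question or explanation. It is a small model of the rule evaluation Google Cloud documents for VPC firewalls: priorities are integers from 0 to 65535, rules are evaluated from the lowest number upward, the first matching rule decides, a deny wins over an allow at the same priority, and egress traffic that matches no rule falls through to the implied allow-egress rule at priority 65535. Each of the four options above is encoded as a rule set so it can be checked for the two properties the question asks for: Active Directory traffic gets through, and every other outbound connection is blocked. The AD server address, the port set and the unrelated destination are constructed sample values.

```python
"""Toy model of Google Cloud VPC egress firewall evaluation (added example)."""
import ipaddress
from dataclasses import dataclass

# Semantics modelled here: priorities run 0..65535, the lowest number is
# evaluated first, the first matching rule decides, deny beats allow at equal
# priority, and an implied allow-egress rule sits at 65535.
IMPLIED_ALLOW_EGRESS_PRIORITY = 65535

# Constructed sample values: the AD server address and a set of directory ports.
AD_SERVER = ipaddress.ip_network("10.10.0.5/32")
AD_PORTS = frozenset({53, 88, 389, 445, 636})
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class EgressRule:
    name: str
    priority: int
    action: str                       # "allow" or "deny"
    protocol: str                     # "tcp", "udp" or "all"
    ports: frozenset                  # empty = every port
    destination: ipaddress.IPv4Network

    def matches(self, dst_ip: str, protocol: str, port: int) -> bool:
        if ipaddress.ip_address(dst_ip) not in self.destination:
            return False
        if self.protocol != "all" and self.protocol != protocol:
            return False
        return not self.ports or port in self.ports


def evaluate(rules, dst_ip, protocol, port):
    """Return (action, rule_name) for one outbound connection."""
    # Lower number first; among equal priorities a deny rule wins.
    ordered = sorted(rules, key=lambda r: (r.priority, r.action != "deny"))
    for rule in ordered:
        if rule.matches(dst_ip, protocol, port):
            return rule.action, rule.name
    # Nothing explicit matched: the implied allow-egress rule applies.
    return "allow", "implied-allow-egress"


def ad_allow(priority):
    return EgressRule("allow-ad", priority, "allow", "tcp", AD_PORTS, AD_SERVER)


def deny_all(priority):
    return EgressRule("deny-all-egress", priority, "deny", "all", frozenset(), ANYWHERE)


# The four options from the question, expressed as explicit rule sets.
OPTIONS = {
    "A": [deny_all(1000), ad_allow(100)],
    "B": [deny_all(100), ad_allow(1000)],
    "C": [ad_allow(1000)],  # no explicit deny; relies on the implied rules
    "D": [ad_allow(100)],   # no explicit deny; relies on the implied rules
}


def outcome(option):
    """(AD traffic reachable?, unrelated egress blocked?) for one option."""
    rules = OPTIONS[option]
    ad_ok = evaluate(rules, "10.10.0.5", "tcp", 389)[0] == "allow"
    # Constructed unrelated destination: HTTPS to an arbitrary public address.
    other_blocked = evaluate(rules, "93.184.216.34", "tcp", 443)[0] == "deny"
    return ad_ok, other_blocked


if __name__ == "__main__":
    for opt in OPTIONS:
        ad_ok, other_blocked = outcome(opt)
        print(f"option {opt}: AD reachable={ad_ok}, other egress blocked={other_blocked}")
```

Running the script prints one line per option; an option satisfies the question only when both values are True. The evaluator also shows why two rules at the same priority are unsafe to rely on: a deny at the same number as the allow wins, so the allow rule must carry a strictly lower number than the catch-all deny.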