Google Cloud Security Engineer Certification Exam - Compute Engine Egress Firewall Configuration

Compute Engine Egress Firewall Configuration

Question

A customer has an analytics workload running on Compute Engine that should have limited internet access.

Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.

The Compute Engine instances now need to reach out to the public repository to get security updates.

What should your team do?

Answers

A. Create a new egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.

B. Create a new egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.

C. Create a new egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.

D. Create a new egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.

Explanations


Correct answer: B.

The question describes an analytics workload on Compute Engine that should have only limited internet access. To enforce this, the team created an egress VPC firewall rule at priority 1000 that denies all traffic to the internet. The instances now need to reach a public package repository to pull security updates, so a narrow exception has to be carved out of that deny.

The fix is an additional egress allow rule, not a change to the deny rule. Three details decide whether it works. First, VPC firewall rules identify destinations by IP address ranges (CIDR blocks) only; there is no way to specify a hostname as the destination of a VPC firewall rule, so the repository's published IP ranges must be used. Second, Google Cloud evaluates rules in order of priority, where priority is an integer from 0 to 65535 and a lower number means higher precedence; only the highest-precedence matching rule is applied. The allow rule therefore needs a priority number lower than 1000 (for example 900) so it is evaluated before the deny. Giving it the same priority, 1000, does not help either, because when an allow and a deny rule of equal priority both match, the deny rule wins. Third, the allow rule should be scoped as tightly as the deny: the same target tags or service account as the workload, and only the protocol and ports the repository actually needs (typically tcp:443, and tcp:80 for plain-HTTP mirrors), so the exception does not quietly reopen general internet access.
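The rule-selection behaviour above is easiest to see by running it. The following is an added example written for this page, not code from the exam or from Google; it models the documented VPC firewall semantics (lowest priority number wins, deny beats allow on a tie, an implied allow-all egress rule at 65535, CIDR-only destinations) and then replays the four answer options against the question's deny rule. The repository range 203.0.113.0/24, the network tag "analytics" and the hostname repo.example.com are constructed placeholders, not real mirror addresses.

```python
"""Model of how Google Cloud selects a VPC firewall rule for egress traffic.

Added illustration for this page, not code from the exam or from Google.
The behaviour modelled follows the documented VPC firewall semantics:
  * priority is an integer 0-65535; the LOWEST number has the highest precedence
  * only the highest-precedence matching rule is applied to a packet
  * two matching rules with the same priority: DENY beats ALLOW
  * every VPC network has an implied allow-all egress rule at priority 65535
  * destinations are IP CIDR ranges only; hostnames are not accepted
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "ALLOW" or "DENY"
    priority: int               # 0 (highest precedence) .. 65535 (lowest)
    destination_ranges: tuple   # CIDR strings, e.g. ("203.0.113.0/24",)
    protocol_ports: tuple       # ("tcp:443", "tcp:80") or ("all",)
    target_tags: tuple = ()     # empty tuple = applies to every instance

    def __post_init__(self):
        if not 0 <= self.priority <= 65535:
            raise ValueError(f"{self.name}: priority must be 0-65535")
        if self.action not in ("ALLOW", "DENY"):
            raise ValueError(f"{self.name}: action must be ALLOW or DENY")
        for dest in self.destination_ranges:
            try:
                ipaddress.ip_network(dest, strict=False)
            except ValueError:
                # A hostname lands here: only IP ranges are valid destinations,
                # which is why the "hostname of the repository" options fail.
                raise ValueError(f"{self.name}: destination {dest!r} is not a CIDR range")


# Implied IPv4 egress rule present in every VPC network.
IMPLIED_ALLOW_EGRESS = Rule("implied-allow-egress", "ALLOW", 65535, ("0.0.0.0/0",), ("all",))


def _port_matches(spec, protocol, port):
    """True if a 'proto[:ports]' spec such as 'tcp:80,443' or 'udp:1-1024' covers the packet."""
    if spec == "all":
        return True
    proto, _, ports = spec.partition(":")
    if proto != protocol:
        return False
    if not ports:               # bare protocol means every port
        return True
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def matches(rule, dst_ip, protocol, port, instance_tags):
    """Does the rule apply to this instance and this destination/protocol/port?"""
    if rule.target_tags and not set(rule.target_tags) & set(instance_tags):
        return False
    ip = ipaddress.ip_address(dst_ip)
    if not any(ip in ipaddress.ip_network(d, strict=False) for d in rule.destination_ranges):
        return False
    return any(_port_matches(spec, protocol, port) for spec in rule.protocol_ports)


def evaluate_egress(rules, dst_ip, protocol, port, instance_tags=()):
    """Return (action, rule_name) of the rule Google Cloud would apply to the packet."""
    candidates = [r for r in (*rules, IMPLIED_ALLOW_EGRESS)
                  if matches(r, dst_ip, protocol, port, instance_tags)]
    # Lowest priority number wins; on an exact tie a DENY rule beats an ALLOW rule.
    winner = min(candidates, key=lambda r: (r.priority, 0 if r.action == "DENY" else 1))
    return winner.action, winner.name


# --- The scenario from the question (all values constructed for this example) ---
REPO_CIDR = "203.0.113.0/24"      # documentation range standing in for the mirror's range
ANALYTICS = ("analytics",)        # network tag carried by the workload instances
REPO_IP, OTHER_IP = "203.0.113.10", "198.51.100.7"

DENY_ALL_EGRESS = Rule("deny-all-egress", "DENY", 1000, ("0.0.0.0/0",), ("all",), ANALYTICS)


def allow_repo(priority):
    """Candidate fix: allow HTTPS/HTTP from the workload to the repository CIDR."""
    return Rule("allow-repo-egress", "ALLOW", priority, (REPO_CIDR,), ("tcp:443", "tcp:80"), ANALYTICS)


def outcome(priority, dst_ip=REPO_IP, port=443):
    """Action applied to the workload's egress once allow_repo(priority) sits beside the deny."""
    return evaluate_egress([DENY_ALL_EGRESS, allow_repo(priority)], dst_ip, "tcp", port, ANALYTICS)[0]


if __name__ == "__main__":
    print("deny rule only     :", evaluate_egress([DENY_ALL_EGRESS], REPO_IP, "tcp", 443, ANALYTICS))
    print("option A, prio 1100:", outcome(1100))            # DENY: the 1000 deny still wins
    print("same prio 1000     :", outcome(1000))            # DENY: tie goes to DENY
    print("option B, prio 900 :", outcome(900))             # ALLOW
    print("B, other host      :", outcome(900, OTHER_IP))   # DENY: exception stays narrow
    print("B, ssh to repo     :", outcome(900, port=22))    # DENY: only 80/443 were opened
    try:
        Rule("allow-repo-by-name", "ALLOW", 900, ("repo.example.com",), ("tcp:443",), ANALYTICS)
    except ValueError as exc:
        print("option D           :", exc)
```

The real rule corresponding to option B would be created with something like `gcloud compute firewall-rules create allow-repo-egress --network=NETWORK --direction=EGRESS --action=ALLOW --rules=tcp:443,tcp:80 --destination-ranges=REPO_CIDR --priority=900 --target-tags=analytics` (network name and repository range are placeholders). One practical caveat: many public package mirrors sit behind CDNs whose IP ranges change, so a CIDR allow-list against such a mirror needs to be maintained, or the updates routed through a mirror or proxy with stable addresses.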

Option A (CIDR range, priority greater than 1000) is incorrect. A higher priority number means lower precedence, so the existing deny at 1000 would still be evaluated first and would still drop the traffic; the allow rule would never be reached.

Option B (CIDR range, priority less than 1000) is correct. The rule targets the destination the way VPC firewall rules require, by IP range, and its lower priority number means it takes precedence over the deny rule for traffic to that range only. Everything else from the workload continues to hit the deny.

Option C (hostname, priority greater than 1000) is incorrect on both counts: VPC firewall rules cannot use a hostname as a destination, and even if they could, the rule would be evaluated after the deny.

Option D (hostname, priority less than 1000) is incorrect because VPC firewall rules accept only IP CIDR ranges as destinations, not hostnames. The priority would be right, but the rule cannot be expressed.

In summary, the correct answer is B: create a new egress firewall rule that allows traffic to the CIDR range of the repository with a priority number less than 1000, scoped to the workload's target tags and the protocol and ports the repository needs, so that it is evaluated before the existing deny rule while the rest of the egress restriction stays in place.