Securing Backend Database Access: Best Network Design | PCSE Exam Answer


Question

Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network.

How should your team design this network?

Answers

A. Create an ingress firewall rule to allow access only from the application to the database using firewall tags.
B. Create a different subnet for the frontend application and database to ensure network isolation.
C. Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.
D. Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.

Correct answer: A.

Explanations

The requirement is that only the frontend application instances can open connections to the backend database; no other instance on the network may reach it. Each option is evaluated below against that requirement, with attention to what actually enforces the restriction in Google Cloud.

Option A: Create an ingress firewall rule to allow access only from the application to the database using firewall tags.

Google Cloud VPC firewall rules are evaluated per instance, so an ingress rule whose source is the frontend's network tag and whose target is the database's network tag admits exactly the intended flow, and the implied deny-ingress rule (priority 65535) drops everything else. In the default network you must also delete or override the default-allow-internal rule, which otherwise lets every instance in 10.128.0.0/9 reach the database; a custom-mode VPC has no such rule. This is the design Google recommends for the stated requirement and it is the correct answer. One caveat: a network tag is not a strong identity. Any principal with compute.instances.setTags on some other instance can add the frontend's tag to it and inherit the database access. Where that matters, identify source and target by the instances' service accounts instead of tags; attaching a service account to an instance requires iam.serviceAccountUser on that account, so membership in the allowed set is controlled by IAM rather than by an instance-level attribute.
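The option A design written out in Terraform, as an added example that is not part of the exam page: the tag-based rule as stated in the option, the service-account-based variant recommended above, and an explicit deny so the control does not rest on the implied rule alone. The network and subnet names, the CIDR range, the database port (5432) and the two service-account emails are assumed values for illustration.

```hcl
# Added example (not from the original page). A single custom-mode VPC with
# one subnet, and three ingress rules that together admit database traffic
# only from the frontend. Names, ranges, port and service-account emails are
# assumptions.

resource "google_compute_network" "app_net" {
  name                    = "app-net"
  auto_create_subnetworks = false # custom mode: no default-allow-internal rule
}

resource "google_compute_subnetwork" "app_subnet" {
  name          = "app-subnet"
  network       = google_compute_network.app_net.id
  ip_cidr_range = "10.10.0.0/24"
  region        = "us-central1"
}

# Option A as written: instances tagged "web" may reach instances tagged "db"
# on the database port. Anything not matched by an allow rule falls through
# to the implied deny-ingress rule at priority 65535.
resource "google_compute_firewall" "web_to_db_tags" {
  name      = "allow-web-to-db"
  network   = google_compute_network.app_net.name
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["5432"] # assumed PostgreSQL port
  }

  source_tags = ["web"]
  target_tags = ["db"]
}

# Hardened variant: source and target are the instances' service accounts.
# Attaching a service account needs iam.serviceAccountUser on it, whereas a
# network tag can be added by anyone with compute.instances.setTags.
# (A single rule may not mix tags and service accounts, hence two rules.)
resource "google_compute_firewall" "web_to_db_sa" {
  name      = "allow-web-sa-to-db-sa"
  network   = google_compute_network.app_net.name
  direction = "INGRESS"
  priority  = 900

  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }

  source_service_accounts = ["web-sa@example-project.iam.gserviceaccount.com"] # assumed
  target_service_accounts = ["db-sa@example-project.iam.gserviceaccount.com"]  # assumed
}

# Explicit deny of all other ingress to the database instances. Priority 1100
# is lower than the two allows (higher number), so they still win, but a broad
# allow-internal rule added later at a lower priority (e.g. the default
# network's 65534) can no longer reopen the database.
resource "google_compute_firewall" "deny_other_to_db" {
  name      = "deny-all-to-db"
  network   = google_compute_network.app_net.name
  direction = "INGRESS"
  priority  = 1100

  deny {
    protocol = "all"
  }

  source_ranges           = ["0.0.0.0/0"]
  target_service_accounts = ["db-sa@example-project.iam.gserviceaccount.com"] # assumed
}
```

In practice you would keep only one of the two allow rules (the service-account one if instance admins can set tags). To check the result, run a Network Intelligence Center Connectivity Test from an instance that carries neither the web tag nor the web service account to the database instance on port 5432; it should report the packet dropped by the deny rule, while the same test from a frontend instance should be delivered.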

Option B: Create a different subnet for the frontend application and database to ensure network isolation.

In Google Cloud a subnet is not a security boundary. Firewall rules belong to the VPC network and apply to instances in every one of its subnets, and the network's subnet routes let any instance reach any other subnet in the same VPC. Placing the database in its own subnet therefore changes nothing about who can connect to it; the restriction would still have to come from a firewall rule, and that rule can match on tags or service accounts regardless of subnet layout. The extra subnet adds management overhead without enforcing the requirement, so this option does not answer the question on its own.

Option C: Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.

Cloud VPN encrypts traffic between two networks and is normally used to reach on-premises or otherwise separate networks. It does not decide which instances may reach the database: once the tunnels and routes are up, every instance in the frontend VPC has a route to the database VPC, and access control again comes down to firewall rules on the database network. Those rules cannot match the remote instances by tag or service account, only by source IP range, which is a weaker identifier than either. The VPN gateways add cost, latency and another component to operate without contributing to the stated requirement.

Option D: Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.

VPC Network Peering exchanges subnet routes between two VPC networks over Google's internal network, with no VPN gateway to run. Like option C it does not restrict which instances can connect: all instances in the peered frontend network can route to the database subnet, and the database network's firewall rules still have to do the filtering. Firewall rules cannot use source tags or source service accounts from a peered network, so the filter would have to be by IP range. Two networks plus a peering are more to manage than a single firewall rule and provide no isolation that the rule alone does not.

Overall, the correct answer is A. The requirement concerns which instances may open connections to the database, and in Google Cloud that is enforced by VPC firewall rules, not by subnet or network boundaries. Options B, C and D each add network structure but still depend on a firewall rule to restrict the source, so they add complexity without adding control, and the two-network designs actually force a weaker, IP-range-based source filter. Where instance administrators can set network tags, prefer service-account-based source and target filters over tag-based ones so that the allowed set is governed by IAM.