Designing Networking Infrastructure for Secure Access in Google Cloud

Networking Infrastructure Design for Secure Access

Question

Your company is moving its entire workload to Compute Engine.

Some servers should be accessible through the Internet, and other servers should only be accessible over the internal network.

All servers need to be able to talk to each other over specific ports and protocols.

The current on-premises network relies on a demilitarized zone (DMZ) for the public servers and a Local Area Network (LAN) for the private servers.

You need to design the networking infrastructure on Google Cloud to match these requirements.

What should you do?

Answers

Explanations

The correct answer is A.

The design must expose some servers to the Internet while keeping the rest reachable only from the internal network, let every server talk to every other over specific ports and protocols, and mirror the on-premises split between a DMZ for the public servers and a LAN for the private servers.

To replicate this architecture in Google Cloud, we need to create a single Virtual Private Cloud (VPC) with two subnets: one for the DMZ and one for the LAN. The DMZ subnet holds the servers that must be reachable from the Internet, while the LAN subnet holds the servers that should only be reachable over the internal network. One VPC is enough because instances in the same VPC reach each other over internal IP addresses without peering or VPN, and firewall rules are scoped to the VPC, so both subnets are governed by one set of rules.

Next, we need to set up firewall rules that open only the specific ports and protocols required between the DMZ and LAN subnets, and another firewall rule that allows public ingress traffic to the DMZ. Because every VPC carries an implied rule that denies all other ingress, the servers in the DMZ receive incoming traffic from the Internet while the servers in the LAN stay reachable only from inside the VPC, and servers in both subnets can communicate with each other on the permitted ports.

In summary, the correct option is A:

  1. Create a single VPC with a subnet for the DMZ and a subnet for the LAN.

  2. Set up firewall rules to open up relevant traffic between the DMZ and the LAN subnets, and another firewall rule to allow public ingress traffic for the DMZ.
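As an added example that is not part of the original page, the following Python model evaluates ingress firewall rules for option A the way GCP does (lowest priority number first, deny beats allow at equal priority, target tags select instances, and the implied deny-all ingress rule catches everything else) against a constructed address plan. The CIDRs, network tags, rule names and ports are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One VPC firewall rule; ingress only, which is all this design needs."""
    name: str
    priority: int           # 0-65535; a lower number is evaluated first
    action: str             # "allow" or "deny"
    source_ranges: tuple    # CIDRs the packet's source must fall in
    target_tags: frozenset  # instance network tags; empty means every instance
    protocol: str           # "tcp", "udp", "icmp" or "all"
    ports: tuple            # destination ports; empty means any port


DMZ_CIDR = "10.10.0.0/24"  # constructed address plan: one subnet per zone
LAN_CIDR = "10.20.0.0/24"

# Option A's rules: public ingress to the DMZ only, and only the specific
# ports the tiers need between the two subnets (constructed values).
RULES = [
    Rule("allow-public-https-to-dmz", 1000, "allow", ("0.0.0.0/0",),
         frozenset({"dmz"}), "tcp", (443,)),
    Rule("allow-dmz-to-lan-app", 1000, "allow", (DMZ_CIDR,),
         frozenset({"lan"}), "tcp", (8080,)),
    Rule("allow-lan-to-lan-db", 1000, "allow", (LAN_CIDR,),
         frozenset({"lan"}), "tcp", (5432,)),
]
# Every VPC carries an implied lowest-priority rule that denies all ingress.
IMPLIED_DENY = Rule("implied-deny-ingress", 65535, "deny",
                    ("0.0.0.0/0",), frozenset(), "all", ())


def ingress_allowed(src_ip, dst_tags, protocol, port=None, rules=RULES):
    """Return (allowed, rule_name) for a new flow to an instance tagged dst_tags."""
    # Rules are stateful: only the first packet of a flow is evaluated.
    src = ip_address(src_ip)
    # Lower priority number first; at equal priority a deny beats an allow.
    ordered = sorted(rules + [IMPLIED_DENY],
                     key=lambda r: (r.priority, r.action == "allow"))
    for rule in ordered:
        if rule.target_tags and not rule.target_tags & set(dst_tags):
            continue
        if not any(src in ip_network(c) for c in rule.source_ranges):
            continue
        if rule.protocol not in ("all", protocol):
            continue
        if rule.ports and port not in rule.ports:
            continue
        return rule.action == "allow", rule.name
    raise RuntimeError("unreachable: the implied deny matches everything")
```

Running the model shows that an Internet source reaches a `dmz`-tagged host only on port 443 and never reaches a `lan`-tagged host, which is the property the single-VPC design relies on; in a real deployment the LAN instances should also be created without external IP addresses, which a firewall model does not represent.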