Google Cloud Associate Cloud Engineer — Question 297
You are deploying a large, multi-tiered application with more than 1,000 IP addresses in a Google Cloud project that needs to be securely isolated. The application includes the:
1. web tier with frontend servers for public traffic,
2. application tier with servers running core application logic that only need access from the web tier, and
3. database tier with database servers that only need access from the application tier.
You want to minimize cost, complexity, and administrative overhead in the network architecture. What should you do?
Answer options
- A. Create a /24 Shared VPC with separate subnets for each tier. Use firewall rules that reference network tags to control traffic.
- B. Create one custom mode /16 VPC with three subnets. Place each tier in its own subnet and use firewall rules that reference IP subnets to control traffic.
- C. Deploy each tier into a separate custom mode /16 VPC. Use VPC Network Peering to securely connect each custom mode VPC. Manage firewall rules individually in each VPC.
- D. Deploy each tier in a /24 VPC by using network tags to identify instances. Implement firewall rules for fine-grained network segmentation.
Correct answer: B
Explanation
Option B is the most efficient choice: it consolidates all three tiers in a single custom mode /16 VPC, which keeps management simple while the per-tier subnets and firewall rules that reference those subnets' IP ranges still enforce the required isolation (web to application, application to database). Options A and D add unnecessary complexity and cost by introducing a Shared VPC or multiple /24 networks; a /24 range also provides only 256 addresses, which cannot accommodate more than 1,000 IP addresses. Option C adds complexity by requiring VPC Network Peering between three VPCs and separate firewall rule management in each of them.