Google Cloud Professional Cloud Architect — Question 18

All Compute Engine instances in your VPC should be able to connect to an Active Directory server on specific ports. Any other traffic emerging from your instances is not allowed. You want to enforce this using VPC firewall rules.
How should you configure the firewall rules?

Answer options

• A. Create an egress rule with priority 1000 to deny all traffic for all instances. Create another egress rule with priority 100 to allow the Active Directory traffic for all instances.
• B. Create an egress rule with priority 100 to deny all traffic for all instances. Create another egress rule with priority 1000 to allow the Active Directory traffic for all instances.
• C. Create an egress rule with priority 1000 to allow the Active Directory traffic. Rely on the implied deny egress rule with priority 100 to block all traffic for all instances.
• D. Create an egress rule with priority 100 to allow the Active Directory traffic. Rely on the implied deny egress rule with priority 1000 to block all traffic for all instances.

Correct answer: A

Explanation

Option A is correct because it first denies all traffic with a higher priority (1000) and then allows the specific Active Directory traffic with a lower priority (100), ensuring that only the desired connections are permitted. The other options incorrectly configure the deny and allow rules, which would either block the necessary connections or fail to enforce the intended restrictions on outbound traffic.