Google Cloud Professional Cloud Architect — Question 199
To improve governance and security, your organization has structured the Google Cloud environment using folders for different business units. Each business unit folder has subfolders for development, staging, and production environments, which must comply with internal security controls:
• Production workloads must be protected from direct internet ingress by default unless explicitly tagged.
• The application must be accessible to customers over HTTPS.
You need to design a scalable and enforceable model that blocks internet ingress traffic to the production folders while selectively allowing direct HTTPS traffic to the necessary virtual machines. You must also ensure that individual project teams cannot overwrite these controls once they are implemented for all current and future production projects. What should you do?
Answer options
- A. At each production folder, apply a hierarchical firewall policy to deny all ingress except for HTTPS to tagged VMs.
- B. Mandate the application teams to deploy a Terraform module to create VPC firewall rules in each project that deny ingress and allow HTTPS.
- C. At the organization root, apply a hierarchical firewall policy to deny all ingress except for HTTPS to tagged VMs.
- D. At each production folder, use an organization policy to block all external IPs and require teams to use external HTTPS load balancers.
Correct answer: A
Explanation
The correct answer is A because a hierarchical firewall policy attached to each production folder gives centralized control over ingress traffic: its rules are evaluated before any project-level VPC firewall rules, so project teams cannot override them, it applies automatically to every current and future project under that folder, and its allow rule admits HTTPS only to VMs carrying the required tag. Option B is incorrect because it relies on individual teams deploying project-level rules, which those same teams could later modify, contradicting the requirement that the controls cannot be overwritten. Option C is not ideal because a policy at the organization root would also apply to the development and staging folders and to other parts of the hierarchy. Option D is incorrect because blocking external IP addresses with an organization policy does not by itself allow direct HTTPS access to specific VMs; it instead forces all traffic through external HTTPS load balancers.