Google Cloud Professional Cloud Architect — Question 91

Your web application has several VM instances running within a VPC. You want to restrict communications between instances to only the paths and ports you authorize, but you don't want to rely on static IP addresses or subnets because the app can autoscale. How should you restrict communications?

Answer options

• A. Use separate VPCs to restrict traffic
• B. Use firewall rules based on network tags attached to the compute instances
• C. Use Cloud DNS and only allow connections from authorized hostnames
• D. Use service accounts and configure the web application to authorize particular service accounts to have access

Correct answer: B

Explanation

The correct answer is B because using firewall rules based on network tags allows for dynamic and flexible management of communication as instances scale. Options A and C are not suitable for dynamic environments like autoscaling, and option D, while useful for access control, does not directly address traffic restrictions between instances.