Google Cloud Professional Cloud Network Engineer — Question 113

In your Google Cloud organization, you have two folders: Dev and Prod. You want a scalable and consistent way to enforce the following firewall rules for all virtual machines (VMs) with minimal cost:

• Port 8080 should always be open for VMs in the projects in the Dev folder.
• Any traffic to port 8080 should be denied for all VMs in your projects in the Prod folder.

What should you do?

Answer options

• A. Create and associate a firewall policy with the Dev folder with a rule to open port 8080. Create and associate a firewall policy with the Prod folder with a rule to deny traffic to port 8080.
• B. Create a Shared VPC for the Dev projects and a Shared VPC for the Prod projects. Create a VPC firewall rule to open port 8080 in the Shared VPC for Dev. Create a firewall rule to deny traffic to port 8080 in the Shared VPC for Prod. Deploy VMs to those Shared VPCs.
• C. In all VPCs for the Dev projects, create a VPC firewall rule to open port 8080. In all VPCs for the Prod projects, create a VPC firewall rule to deny traffic to port 8080.
• D. Use Anthos Config Connector to enforce a security policy to open port 8080 on the Dev VMs and deny traffic to port 8080 on the Prod VMs.

Correct answer: A

Explanation

The correct answer is A because creating and associating firewall policies with each folder allows for centralized management of the firewall rules, ensuring that the rules are consistently applied to all VMs in the respective folders. Options B and C involve creating VPCs and rules individually, which may not be as scalable or cost-effective. Option D, while it offers a way to enforce policies, is more complex and not necessary for the requirements laid out.