Google Cloud Professional Cloud Network Engineer — Question 132

In your project my-project, you have two subnets in a Virtual Private Cloud (VPC): subnet-a with IP range 10.128.0.0/20 and subnet-b with IP range 172.16.0.0/24. You need to deploy database servers in subnet-a. You will also deploy the application servers and web servers in subnet-b. You want to configure firewall rules that only allow database traffic from the application servers to the database servers. What should you do?

Answer options

• A. Create network tag app-server and service account[email protected]. Add the tag to the application servers, and associate the service account with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-rule \ --action allow \ --direction ingress \ --rules top:3306 \ --source-tags app-server \ --target-service-accounts sa-db@my- project.iam.gserviceaccount.com
• B. Create service accounts[email protected]and[email protected]. Associate service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-ru --allow TCP:3306 \ --source-service-accounts sa-app@democloud-idp- demo.iam.gserviceaccount.com \ --target-service-accounts sa-db@my- project.iam.gserviceaccount.com
• C. Create service accounts[email protected]and[email protected]. Associate the service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-ru --allow TCP:3306 \ --source-ranges 10.128.0.0/20 \ --source-service-accounts sa-app@my- project.iam.gserviceaccount.com \ --target-service-accounts sa-db@my- project.iam.gserviceaccount.com
• D. Create network tags app-server and db-server. Add the app-server tag to the application servers, and add the db-server tag to the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-rule \ --action allow \ --direction ingress \ --rules tcp:3306 \ --source-ranges 10.128.0.0/20 \ --source-tags app-server \ --target-tags db-server

Correct answer: B

Explanation

The correct answer is B because it specifies the use of service accounts to control access between application servers and database servers, which is necessary for secure communication. Option A incorrectly uses network tags instead of service accounts. Option C includes a source range that does not directly relate to the application servers. Option D also uses network tags instead of service accounts and incorrectly specifies source ranges.