Google Cloud Professional Cloud Network Engineer — Question 147
You are responsible for configuring firewall policies for your company in Google Cloud. Your security team has a strict set of requirements that must be met to configure firewall rules.
• Always allow Secure Shell (SSH) from your corporate IP address.
• Restrict SSH access from all other IP addresses.
There are multiple projects and VPCs in your Google Cloud organization. You need to ensure that other VPC firewall rules cannot bypass the security team’s requirements. What should you do?
Answer options
- A. 1. Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 0. 2. Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 1.
- B. 1. Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 0. 2. Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 1.
- C. 1. Configure a VPC firewall rule to allow TCP port 22 for your corporate IP address with priority 1. 2. Configure a VPC firewall rule to deny TCP port 22 for all IP addresses with priority 0.
- D. 1. Configure a hierarchical firewall policy to the organization node to allow TCP port 22 for your corporate IP address with priority 1 2. Configure a hierarchical firewall policy to the organization node to deny TCP port 22 for all IP addresses with priority 0.
Correct answer: A
Explanation
The correct answer is A because configuring a hierarchical firewall policy at the organization node allows you to enforce the rules across multiple projects and VPCs, ensuring that the corporate IP is allowed while others are denied. Options B and C use VPC firewall rules, which can be overridden by project-specific rules, making them insufficient for this requirement. Option D incorrectly assigns priority 1 to the allow rule, which would not be effective against the deny rule with priority 0.