Google Cloud Professional Cloud Network Engineer — Question 151
Your product team has web servers running in both the us-east1 and us-west1 regions in the prod-servers project. Your security team plans to install an intrusion detection system (IDS) in its own Google Cloud project to inspect the incoming network traffic. What should you do?
Answer options
- A. Create a new project and a VPC for the security team. Peer the new VPC with the web servers’ VPC in the prod-servers project. Create an internal load balancer and the IDS system in both us-east1 and us-west1. Enable Packet Mirroring, and create packet mirroring policies inside the new project.
- B. Create a host project and a Shared VPC for the security team. Make prod-servers a service project, and relocate the web servers to shared subnets in both regions. Enable IP forwarding on all the web servers. Create the IDS system in a non-shared subnet of us-east1 or us-west1. Configure the web servers to forward the packets to the IDS system.
- C. Create a new project and a VPC for the security team. Peer the new VPC with the web servers’ VPC in the prod-servers project. Enable IP forwarding on all the web servers. Install the IDS system in both us-east1 and us-west1. Configure the web servers to forward the packets to the IDS system.
- D. Create a host project and a Shared VPC for the security team. Make prod-servers a service project, and relocate the web servers to shared subnets in both regions. Create an internal load balancer and the IDS system in a subnet in either us-east1 or us-west1. Enable Packet Mirroring, and create a packet mirroring policy inside the host project.
Correct answer: A
Explanation
The correct answer is A. Packet Mirroring copies the traffic of the mirrored instances to a collector, an internal passthrough load balancer whose backends are the IDS instances, and it requires the collector to be in the same region as the mirrored sources. Option A gives the security team its own project and VPC, peers that VPC with the web servers’ VPC, and deploys a collector load balancer and IDS in both us-east1 and us-west1, so the web servers of both regions can be mirrored across the peering with one regional policy per region. Option D keeps the collector in a single region and therefore cannot mirror the web servers in the other region; it also forces the web servers into a Shared VPC, which the scenario does not call for. Options B and C rely on enabling IP forwarding and having the web servers forward packets to the IDS themselves, which is not a mirroring mechanism: IP forwarding only lets a VM route packets not addressed to it, it does not duplicate the VM’s own traffic, and making the web servers responsible for forwarding puts production traffic in the path of the IDS.
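The option A topology written out as gcloud commands, added here as an illustration; it is not part of the original question and not Google's own documentation. Every name other than prod-servers (the security project, both VPCs, subnets, instance groups, zones, CIDR ranges and the health-check port) is an assumption. The script dry-runs by default and only prints the commands; it refuses to build a collector in a region other than the one of the subnet it mirrors, which is the constraint that rules out option D. The policy is bound with --network to the VPC that contains the mirrored sources (prod-vpc here) and references the collector forwarding rule in the peered security project by its full resource path.

```shell
#!/bin/sh
# Added example (not from the original page): builds the option-A topology with
# gcloud. All names except prod-servers are assumptions; adjust to your setup.
# Default is a dry run that prints the commands; set DRY_RUN=0 to execute them.
set -eu

PROD_PROJECT="${PROD_PROJECT:-prod-servers}"   # project that owns the web servers
PROD_NET="${PROD_NET:-prod-vpc}"               # assumed name of their VPC
SEC_PROJECT="${SEC_PROJECT:-sec-ids}"          # assumed security-team project
SEC_NET="${SEC_NET:-ids-vpc}"                  # assumed VPC created for the IDS
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Packet Mirroring only works when the collector ILB and the mirrored sources
# are in the same region; check before creating anything.
same_region() {
  [ "$1" = "$2" ]
}

# Peering has to be created from both sides before the collector is reachable.
peer_networks() {
  run gcloud compute networks peerings create ids-to-prod \
    --project="$SEC_PROJECT" --network="$SEC_NET" \
    --peer-project="$PROD_PROJECT" --peer-network="$PROD_NET"
  run gcloud compute networks peerings create prod-to-ids \
    --project="$PROD_PROJECT" --network="$PROD_NET" \
    --peer-project="$SEC_PROJECT" --peer-network="$SEC_NET"
}

# Google's health-check probes come from these two ranges; without this rule the
# IDS backends never become healthy and the collector ILB has nowhere to send.
allow_health_checks() {
  run gcloud compute firewall-rules create allow-ids-health-checks \
    --project="$SEC_PROJECT" --network="$SEC_NET" --direction=INGRESS \
    --allow=tcp:22 --source-ranges=35.191.0.0/16,130.211.0.0/22 --target-tags=ids
}

# One collector per region: health check, backend service pointing at an
# existing unmanaged instance group of IDS VMs (assumed to be named
# ids-ig-<region> in zone <region>-b and tagged "ids"), a forwarding rule
# flagged as a mirroring collector, and a policy mirroring the prod subnet.
# Arguments: region, IDS subnet, prod subnet, prod subnet CIDR, prod subnet region
build_region() {
  region="$1"; ids_subnet="$2"; prod_subnet="$3"; prod_cidr="$4"; prod_region="$5"
  same_region "$region" "$prod_region" || {
    echo "collector region $region does not match mirrored subnet region $prod_region" >&2
    return 1
  }
  # Port 22 is an assumption: use any TCP port the IDS VMs answer on.
  run gcloud compute health-checks create tcp "ids-hc-$region" \
    --project="$SEC_PROJECT" --region="$region" --port=22
  run gcloud compute backend-services create "ids-bs-$region" \
    --project="$SEC_PROJECT" --region="$region" \
    --load-balancing-scheme=internal --protocol=tcp \
    --health-checks="ids-hc-$region" --health-checks-region="$region"
  run gcloud compute backend-services add-backend "ids-bs-$region" \
    --project="$SEC_PROJECT" --region="$region" \
    --instance-group="ids-ig-$region" --instance-group-zone="${region}-b"
  run gcloud compute forwarding-rules create "ids-fr-$region" \
    --project="$SEC_PROJECT" --region="$region" \
    --load-balancing-scheme=internal --network="$SEC_NET" --subnet="$ids_subnet" \
    --ip-protocol=TCP --ports=all \
    --backend-service="ids-bs-$region" --backend-service-region="$region" \
    --is-mirroring-collector
  # Mirrored packets keep their original source addresses, so the IDS VMs need
  # an ingress rule for the mirrored subnet's range or the VPC firewall drops them.
  run gcloud compute firewall-rules create "allow-mirrored-$region" \
    --project="$SEC_PROJECT" --network="$SEC_NET" --direction=INGRESS \
    --allow=all --source-ranges="$prod_cidr" --target-tags=ids
  # The policy is bound to the network of the mirrored sources; the collector in
  # the peered project is referenced by its full resource path.
  run gcloud compute packet-mirrorings create "ids-mirror-$region" \
    --project="$PROD_PROJECT" --region="$region" --network="$PROD_NET" \
    --mirrored-subnets="$prod_subnet" \
    --collector-ilb="projects/$SEC_PROJECT/regions/$region/forwardingRules/ids-fr-$region"
}

main() {
  peer_networks
  allow_health_checks
  build_region us-east1 ids-sub-east prod-sub-east 10.10.0.0/24 us-east1
  build_region us-west1 ids-sub-west prod-sub-west 10.20.0.0/24 us-west1
}

main
```

Run it once to review the printed plan, then `DRY_RUN=0 ./ids-mirror.sh` to apply; a call such as `build_region us-east1 ... us-west1` stops with an error before touching any resource, which is the failure mode option D would hit for one of its regions.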