Google Cloud Professional Cloud Network Engineer — Question 208
Your organization requires that all SMTP traffic to your cloud environment is blocked, except for traffic that originates from your corporate network. Your organization also requires that only specific VPCs across your Google Cloud projects will allow SMTP access from your corporate network. You need to configure a security policy that will enable this connectivity. What should you do?
Answer options
- A. 1. Configure an ingress hierarchical firewall rule with priority 10000 specifying the 0.0.0.0/0 source, TCP port 25, and the deny action. 2. Configure an egress hierarchical firewall rule with priority 10010 specifying the source of your corporate network as TCP port 25 and the goto_next action. 3. Associate the hierarchical firewall policy at the organization level. 4. Configure firewall policy rules allowing TCP port 25 in the firewall policies associated with the respective VPCs that require that access.
- B. 1. Configure an ingress hierarchical firewall rule with priority 10000 specifying the 0.0.0.0/0 source, TCP port 25, and the allow action. 2. Associate the hierarchical firewall policy at the organization level. 3. Configure firewall policy rules to deny TCP port 25 in the firewall policies associated with the respective VPCs that do not require that access.
- C. 1. Configure an ingress hierarchical firewall rule with priority 10000 specifying the source of your corporate network, TCP port 25, and the goto_next action. 2. Configure an ingress hierarchical firewall rule with priority 10010 specifying the 0.0.0.0/0 source, TCP port 25, and the deny action. 3. Associate the hierarchical firewall policy at the organization level. 4. Configure firewall policy rules allowing TCP port 25 in the firewall policies associated with the respective VPCs that require that access.
- D. 1. Configure an ingress hierarchical firewall rule with priority 10000 specifying the 0.0.0.0/0 source, TCP port 25, and the deny action. 2. Associate the hierarchical firewall policy at the organization level. 3. Configure firewall policy rules allowing TCP port 25 in the firewall policies associated with the respective VPCs that require that access.
Correct answer: C
Explanation
Option C is correct: the org-level goto_next rule (priority 10000) matches SMTP from the corporate network and delegates the decision to the lower-level firewall policies, the org-level deny rule (priority 10010) blocks SMTP from every other source, the policy is associated at the organization level, and only the VPCs that need SMTP get an allow rule in their own firewall policies. Option A incorrectly uses an egress rule for the corporate network without properly restricting the traffic. Option B allows all SMTP traffic from 0.0.0.0/0 at the organization level, which does not meet the requirement. Option D denies all SMTP traffic at the organization level but never allows the traffic originating from the corporate network, so the VPC-level allow rules are never reached.
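To make the evaluation order concrete, the following added example (not part of the exam page, and not Google's own code) simulates how a hierarchical firewall policy hands traffic down to a VPC firewall policy. Rules are evaluated per policy in priority order; allow and deny terminate evaluation, goto_next skips to the next policy, and unmatched ingress traffic falls through to the implied deny. The corporate network 203.0.113.0/24 and the Internet source 198.51.100.7 are constructed sample addresses.

```python
import ipaddress

# Constructed sample values; the question names no specific ranges.
CORP_NET = "203.0.113.0/24"
ALLOW, DENY, GOTO_NEXT = "allow", "deny", "goto_next"

def rule(priority, src, port, action):
    """One ingress firewall policy rule matching a source range and TCP port."""
    return {"priority": priority, "src": ipaddress.ip_network(src),
            "port": port, "action": action}

def evaluate(policy_chain, src_ip, port):
    """Walk the org-level policy, then the VPC-level policy, in priority order.
    allow/deny end evaluation; goto_next (or no match) moves to the next
    policy; ingress traffic that matches nothing hits the implied deny."""
    ip = ipaddress.ip_address(src_ip)
    for policy in policy_chain:
        for r in sorted(policy, key=lambda r: r["priority"]):
            if ip in r["src"] and r["port"] == port:
                if r["action"] == GOTO_NEXT:
                    break          # delegate to the next policy level
                return r["action"]
    return DENY                    # implied ingress deny

# Option C: delegate corporate SMTP, deny SMTP from everywhere else.
ORG_POLICY_C = [rule(10000, CORP_NET, 25, GOTO_NEXT),
                rule(10010, "0.0.0.0/0", 25, DENY)]
# Option D: deny all SMTP at the organization level.
ORG_POLICY_D = [rule(10000, "0.0.0.0/0", 25, DENY)]

# VPC-level policies: only the VPC that needs SMTP gets an allow rule.
VPC_WITH_SMTP = [rule(1000, CORP_NET, 25, ALLOW)]
VPC_WITHOUT_SMTP = []

def smtp_outcomes(org_policy):
    """Outcome of SMTP (TCP/25) for the three cases the question cares about."""
    return {
        "corp_to_vpc_with_smtp": evaluate([org_policy, VPC_WITH_SMTP], "203.0.113.10", 25),
        "corp_to_vpc_without_smtp": evaluate([org_policy, VPC_WITHOUT_SMTP], "203.0.113.10", 25),
        "internet_to_vpc_with_smtp": evaluate([org_policy, VPC_WITH_SMTP], "198.51.100.7", 25),
    }

if __name__ == "__main__":
    for name, policy in (("C", ORG_POLICY_C), ("D", ORG_POLICY_D)):
        print(f"option {name}: {smtp_outcomes(policy)}")
```

Option C yields allow only for the corporate source reaching the VPC that has its own allow rule, while option D denies the corporate source everywhere because the org-level deny fires before any VPC policy is consulted.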