Google Cloud Professional Cloud Network Engineer — Question 3
To provide subnet-level isolation, you want to force instance-A in one subnet to route through a security appliance, called instance-B, in another subnet.
What should you do?
Answer options
- A. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.
- B. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-A.
- C. Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-A.
- D. Move instance-B to another VPC and, using multi-NIC, connect instance-B's interface to instance-A's network. Configure the appropriate routes to force traffic through to instance-A.
Correct answer: B
Explanation
The correct answer is B: creating a more specific route that points to instance-B, with a tag applied to instance-A, routes traffic through the security appliance while maintaining control over traffic flow. Option A does not apply a tag, which is essential for proper routing. Option C deletes the system-generated route, which could disrupt other traffic. Option D adds unnecessary complexity by moving instance-B to another VPC and using multi-NIC, which is not required for this scenario.