Google Cloud Professional Cloud Network Engineer — Question 53
You have created a firewall with rules that only allow traffic over HTTP, HTTPS, and SSH ports. While testing, you specifically try to reach the server over multiple ports and protocols; however, you do not see any denied connections in the firewall logs. You want to resolve the issue.
What should you do?
Answer options
- A. Enable logging on the default Deny Any Firewall Rule.
- B. Enable logging on the VM Instances that receive traffic.
- C. Create a logging sink forwarding all firewall logs with no filters.
- D. Create an explicit Deny Any rule and enable logging on the new rule.
Correct answer: D
Explanation
The correct answer is D. Every VPC network carries an implied deny-ingress rule, and Firewall Rules Logging cannot be enabled on implied rules, so the connections it drops never appear in the firewall logs. Creating an explicit Deny Any rule (with a higher priority number than the allow rules, so the allow rules still match first) and enabling logging on that rule ensures every denied connection is recorded, which lets you see unauthorized attempts. Option A does not help because it refers to the implied default rule, on which logging cannot be enabled. Option B only logs traffic at the VM instances and does not capture connections the firewall denies before they reach the instance. Option C forwards whatever firewall logs already exist without filtering, but does not address the underlying problem, which is that denied connections are never logged in the first place.
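An added check that is not part of the original question or the exam material: the Python below audits a firewall rule listing for an explicit, logged deny-all ingress rule (the fix answer D describes) and then summarises the denied connections that Firewall Rules Logging records once such a rule exists. All rule names, the network name, addresses and log entries are constructed samples; the field names follow the shape of `gcloud compute firewall-rules list --format=json` output and of `compute.googleapis.com/firewall` log entries, and the equivalent `gcloud` command appears only as a comment.

```python
"""Added example, not from the original question: audit a VPC network for an
explicit, logged deny-all ingress rule and summarise DENIED firewall log
entries. Rules and log records are constructed samples; names are made up."""
from collections import Counter

NET = "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/example-net"

# Constructed listing: the allow rule from the question. The implied
# deny-ingress rule (priority 65535) never appears in such a listing and
# cannot be logged, which is why no denied connections showed up.
RULES_BEFORE = [
    {"name": "allow-web-ssh", "network": NET, "direction": "INGRESS",
     "priority": 1000, "disabled": False, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443", "22"]}],
     "logConfig": {"enable": True}},
]

# The explicit deny-all rule answer D asks for. Equivalent gcloud command
# (assumed network name, not executed here):
#   gcloud compute firewall-rules create deny-all-ingress-logged \
#     --network=example-net --direction=INGRESS --action=DENY --rules=all \
#     --source-ranges=0.0.0.0/0 --priority=65534 --enable-logging
RULES_AFTER = RULES_BEFORE + [
    {"name": "deny-all-ingress-logged", "network": NET, "direction": "INGRESS",
     "priority": 65534, "disabled": False, "sourceRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}], "logConfig": {"enable": True}},
]


def _network_name(rule):
    # The API returns the network as a full URL; compare its last segment.
    return rule["network"].rsplit("/", 1)[-1]


def logged_explicit_deny_all(rules, network):
    """Names of enabled ingress rules in `network` that deny all protocols
    from any source and have logging on. Empty means denied traffic only
    reaches the unloggable implied rule, so denies will never be logged."""
    found = []
    for r in rules:
        if _network_name(r) != network or r.get("disabled"):
            continue
        if r.get("direction", "INGRESS") != "INGRESS":
            continue
        denies_all = any(d.get("IPProtocol") == "all" for d in r.get("denied", []))
        from_anywhere = "0.0.0.0/0" in r.get("sourceRanges", [])
        logging_on = r.get("logConfig", {}).get("enable", False)
        if denies_all and from_anywhere and logging_on:
            found.append(r["name"])
    return found


# Constructed log entries as they would look after the explicit rule exists.
# Firewall log entries carry disposition, connection and rule_details under
# jsonPayload; protocol is the IP protocol number and ICMP has no ports.
PROTO = {6: "tcp", 17: "udp", 1: "icmp"}
DENY_REF = "network:example-net/firewall:deny-all-ingress-logged"
LOG_ENTRIES = [
    {"jsonPayload": {"disposition": "ALLOWED",
                     "connection": {"src_ip": "203.0.113.10", "src_port": 51000,
                                    "dest_ip": "10.0.0.5", "dest_port": 443, "protocol": 6},
                     "rule_details": {"reference": "network:example-net/firewall:allow-web-ssh"}}},
    {"jsonPayload": {"disposition": "DENIED",
                     "connection": {"src_ip": "203.0.113.10", "src_port": 51001,
                                    "dest_ip": "10.0.0.5", "dest_port": 3389, "protocol": 6},
                     "rule_details": {"reference": DENY_REF}}},
    {"jsonPayload": {"disposition": "DENIED",
                     "connection": {"src_ip": "203.0.113.10", "src_port": 51002,
                                    "dest_ip": "10.0.0.5", "dest_port": 53, "protocol": 17},
                     "rule_details": {"reference": DENY_REF}}},
    {"jsonPayload": {"disposition": "DENIED",
                     "connection": {"src_ip": "203.0.113.10", "src_port": 51003,
                                    "dest_ip": "10.0.0.5", "dest_port": 3389, "protocol": 6},
                     "rule_details": {"reference": DENY_REF}}},
    {"jsonPayload": {"disposition": "DENIED",
                     "connection": {"src_ip": "203.0.113.10", "dest_ip": "10.0.0.5", "protocol": 1},
                     "rule_details": {"reference": DENY_REF}}},
]


def denied_by_port(entries):
    """Count DENIED entries per (protocol name, dest_port); port is None for
    protocols without ports such as ICMP."""
    counts = Counter()
    for e in entries:
        p = e.get("jsonPayload", {})
        if p.get("disposition") != "DENIED":
            continue
        c = p.get("connection", {})
        proto = PROTO.get(c.get("protocol"), str(c.get("protocol")))
        counts[(proto, c.get("dest_port"))] += 1
    return counts


if __name__ == "__main__":
    print("logged deny-all before fix:", logged_explicit_deny_all(RULES_BEFORE, "example-net"))
    print("logged deny-all after fix: ", logged_explicit_deny_all(RULES_AFTER, "example-net"))
    for (proto, port), n in sorted(denied_by_port(LOG_ENTRIES).items(), key=str):
        print(f"DENIED {proto}/{port}: {n}")
```

Once the explicit rule is in place, the same denied entries can be pulled from Cloud Logging with a filter such as `logName="projects/PROJECT_ID/logs/compute.googleapis.com%2Ffirewall" AND jsonPayload.disposition="DENIED"` (PROJECT_ID is a placeholder). The audit function deliberately requires all three conditions, deny-all, source `0.0.0.0/0`, and `logConfig.enable`, because a deny rule that is scoped to one range or created without `--enable-logging` leaves the same gap the question describes.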