Google Cloud Professional Cloud Security Engineer — Question 229
Your team needs to make sure that their backend database can only be accessed by the frontend application and no other instances on the network.
How should your team design this network?
Answer options
- A. Create an ingress firewall rule to allow access only from the application to the database using firewall tags.
- B. Create a different subnet for the frontend application and database to ensure network isolation.
- C. Create two VPC networks, and connect the two networks using Cloud VPN gateways to ensure network isolation.
- D. Create two VPC networks, and connect the two networks using VPC peering to ensure network isolation.
Correct answer: A
Explanation
Option A is correct because an ingress firewall rule that uses tags lets you allow traffic to the database only from the frontend application, so no other instances can access it. Option B promotes isolation but does not enforce access restrictions: placing the frontend and the database in different subnets does not by itself limit which instances can connect to the database. Options C and D isolate the networks by different means (Cloud VPN gateways and VPC peering) but do not specifically address the need to allow access only from the frontend application.