Google Cloud Professional Cloud Security Engineer — Question 259
A customer wants to deploy a large number of 3-tier web applications on Compute Engine.
How should the customer ensure authenticated network separation between the different tiers of the application?
Answer options
- A. Run each tier in its own Project, and segregate using Project labels.
- B. Run each tier with a different Service Account (SA), and use SA-based firewall rules.
- C. Run each tier in its own subnet, and use subnet-based firewall rules.
- D. Run each tier with its own VM tags, and use tag-based firewall rules.
Correct answer: B
Explanation
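Running each tier under a different Service Account (SA) lets firewall rules select sources and targets by the identity attached to each VM, which allows more precise control over access permissions and network policies. Attaching a service account to an instance requires IAM permission on that service account, whereas network tags can be changed by anyone who can edit the instance, and subnet-based rules match only on IP ranges. That is why SA-based firewall rules ensure authenticated network separation. The other options provide some level of separation, but not the same level of authentication and security as using SAs.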