Google Cloud Professional Cloud Security Engineer — Question 271
A customer has an analytics workload running on Compute Engine that should have limited internet access.
Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet.
The Compute Engine instances now need to reach out to the public repository to get security updates.
What should your team do?
Answer options
- A. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority greater than 1000.
- B. Create an egress firewall rule to allow traffic to the CIDR range of the repository with a priority less than 1000.
- C. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority greater than 1000.
- D. Create an egress firewall rule to allow traffic to the hostname of the repository with a priority less than 1000.
Correct answer: B
Explanation
The correct answer is B. In VPC firewall rules a lower priority number means higher precedence, so an allow rule with a priority less than 1000 is evaluated before the existing deny rule (priority 1000) and permits traffic to the repository's CIDR range while everything else remains blocked. Options A and C do not work because a priority greater than 1000 is evaluated after the deny rule, so the traffic is already denied before the allow rule is considered. Option D incorrectly suggests matching on the hostname of the repository instead of its CIDR range, which could lead to complications in routing.