Google Cloud Professional Cloud Security Engineer — Question 75
Your organization acquired a new workload. The Web and Application (App) servers will be running on Compute Engine in a newly created custom VPC. You are responsible for configuring a secure network communication solution that meets the following requirements:
- Only allows communication between the Web and App tiers.
- Enforces consistent network security when autoscaling the Web and App tiers.
- Prevents Compute Engine Instance Admins from altering network traffic.
What should you do?
Answer options
- A. 1. Configure all running Web and App servers with respective network tags. 2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.
- B. 1. Configure all running Web and App servers with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.
- C. 1. Re-deploy the Web and App servers with instance templates configured with respective network tags. 2. Create an allow VPC firewall rule that specifies the target/source with respective network tags.
- D. 1. Re-deploy the Web and App servers with instance templates configured with respective service accounts. 2. Create an allow VPC firewall rule that specifies the target/source with respective service accounts.
Correct answer: D
Explanation
The correct answer is D. Re-deploying the Web and App servers from instance templates that carry a dedicated service account per tier, and writing the allow firewall rule in terms of those service accounts (source service account = Web tier, target service account = App tier), satisfies all three requirements: the rule admits only Web-to-App traffic, every instance the autoscaler creates from the template carries the same service account and therefore receives the same firewall treatment, and a Compute Engine Instance Admin cannot change the binding, because changing an instance's service account also requires permission to act as that service account. Options A and C rely on network tags, which an Instance Admin can add to or remove from a running instance, moving a VM into or out of the rule's scope without touching the firewall rule itself. Option B uses service accounts but attaches them to the running instances rather than to an instance template, so instances added by autoscaling would not automatically inherit the configuration.
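The steps behind answer D as a gcloud script, added here as an example; it is not part of the exam question or of Google's documentation. The project id, VPC and subnet names, region, image, machine type and the App tier port are assumed placeholders, and the service-account names `web-tier` and `app-tier` are my own choice. By default the script only prints the commands it would run (`DRY_RUN=1`); set `DRY_RUN=0` to execute them against a real project.

```shell
#!/bin/sh
# Added example (not part of the exam question): gcloud steps for answer D.
# Project, network, subnet, region, port, image and names are placeholders.
set -e

PROJECT="${PROJECT:-example-project}"   # placeholder project id
NETWORK="${NETWORK:-workload-vpc}"      # the custom VPC (assumed name)
SUBNET="${SUBNET:-workload-subnet}"     # assumed subnet name
REGION="${REGION:-us-central1}"         # assumed region
APP_PORT="${APP_PORT:-8080}"            # assumed App tier listener port
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print commands, 0 = execute

WEB_SA="web-tier@${PROJECT}.iam.gserviceaccount.com"
APP_SA="app-tier@${PROJECT}.iam.gserviceaccount.com"

# Print the command (dry run) or execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: one dedicated service account per tier. The firewall rule below
# keys on these identities rather than on mutable network tags.
create_service_accounts() {
  run gcloud iam service-accounts create web-tier \
      --project "$PROJECT" --display-name "Web tier"
  run gcloud iam service-accounts create app-tier \
      --project "$PROJECT" --display-name "App tier"
}

# Step 2: instance templates carrying the service account, so every VM the
# autoscaler creates inherits the identity the firewall rule matches on.
create_templates() {
  for tier in web app; do
    if [ "$tier" = web ]; then sa="$WEB_SA"; else sa="$APP_SA"; fi
    run gcloud compute instance-templates create "${tier}-tmpl" \
        --project "$PROJECT" --network "$NETWORK" --subnet "$SUBNET" \
        --region "$REGION" --machine-type e2-medium \
        --image-family debian-12 --image-project debian-cloud \
        --service-account "$sa" --scopes cloud-platform
  done
}

# Step 3: the allow rule is expressed in service-account terms. Ingress to
# the App tier is permitted only when the source VM runs as the Web tier's
# service account; everything else falls to the VPC's implied deny-ingress.
create_firewall_rules() {
  run gcloud compute firewall-rules create allow-web-to-app \
      --project "$PROJECT" --network "$NETWORK" \
      --direction INGRESS --action ALLOW --priority 1000 \
      --rules "tcp:${APP_PORT}" \
      --source-service-accounts "$WEB_SA" \
      --target-service-accounts "$APP_SA"
}

# Step 4: managed instance groups built from the templates, with autoscaling;
# scaled-out VMs carry the template's service account automatically.
create_autoscaled_groups() {
  for tier in web app; do
    run gcloud compute instance-groups managed create "${tier}-mig" \
        --project "$PROJECT" --region "$REGION" \
        --template "${tier}-tmpl" --size 2
    run gcloud compute instance-groups managed set-autoscaling "${tier}-mig" \
        --project "$PROJECT" --region "$REGION" \
        --min-num-replicas 2 --max-num-replicas 10 \
        --target-cpu-utilization 0.6
  done
}

# Check: list rules in this VPC that still key on network tags, which an
# Instance Admin could satisfy simply by retagging a VM.
list_tag_based_rules() {
  run gcloud compute firewall-rules list --project "$PROJECT" \
      --filter "network:${NETWORK} AND (sourceTags:* OR targetTags:*)" \
      --format "table(name,direction,sourceTags.list(),targetTags.list())"
}

deploy_all() {
  create_service_accounts
  create_templates
  create_firewall_rules
  create_autoscaled_groups
  list_tag_based_rules
}

deploy_all
```

Because the custom VPC starts with only the implied allow-egress and deny-ingress rules, the single `allow-web-to-app` rule is all that is needed for the "only Web to App" requirement; the final listing is a quick audit for any leftover tag-based rules that would undermine it.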