
Answer-first summary for fast verification
Answer: Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to goto_next, and another lower-priority rule that blocks traffic from any other source.
The requirement is to block all traffic between VPCs while delegating intra-VPC rule management to each department. Hierarchical firewall policies (HFPs) attached at the folder level can enforce this, because they are evaluated before the VPC firewall rules in the projects beneath the folder. Option D uses a high-priority rule with the `goto_next` action for traffic from the VPC's own CIDR, which hands evaluation on to the VPC firewall rules managed by the department; a lower-priority rule then denies traffic from every other source, including the other departments' VPCs. Unlike `allow` (option C), which would terminate evaluation at the folder level and bypass the department's own VPC rules, `goto_next` ensures intra-VPC traffic is still evaluated against those rules, while inter-VPC traffic never reaches them because the hierarchical policy blocks it first. This aligns with delegating intra-VPC control while enforcing the broader restriction at the organizational level.
Author: LeetQuiz Editorial Team
Your company's resource hierarchy includes a parent folder with department-specific subfolders. Each department creates its own project and VPC within its assigned folder and has permissions to manage Google Cloud firewall rules. You must prevent all inter-VPC traffic while delegating intra-VPC firewall rule management to each department. What is the correct approach to achieve this?
A. Create a VPC firewall rule in each VPC to block traffic from any source, with priority 0.
B. Create a VPC firewall rule in each VPC to block traffic from any source, with priority 1000.
C. Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to allow, and another lower-priority rule that blocks traffic from any other source.
D. Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to goto_next, and another lower-priority rule that blocks traffic from any other source.