
Answer-first summary for fast verification
Answer: Create service accounts sa-app@my-project.iam.gserviceaccount.com and sa-db@my-project.iam.gserviceaccount.com. Associate service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-ru --allow TCP:3306 \ --source-service-accounts sa-app@democloud-idp-demo.iam.gserviceaccount.com \ --target-service-accounts sa-db@my-project.iam.gserviceaccount.com
Option B is correct. Filtering on service accounts at both ends (--source-service-accounts for the application servers, --target-service-accounts for the database servers) ties the rule to the identity attached to each VM rather than to an IP range or a tag, and the rule opens only TCP port 3306 (MySQL) in the ingress direction, which is the gcloud default. Attaching a service account to a VM requires the iam.serviceAccountUser role on that account, whereas a network tag can be set by anyone with instance-level permissions on the VM, so service-account filters are the stronger control. The source service account in option B carries a typo in its domain (democloud-idp-demo instead of my-project); as written it would not match the application servers and would have to be corrected to sa-app@my-project.iam.gserviceaccount.com, but the structure of the rule is the intended one.

The other options fail on specific points. Option A combines a source network tag with a target service account; Google Cloud does not allow tags and service accounts to be mixed in one firewall rule, and --rules top:3306 is not a valid protocol specification (tcp was intended). Option C adds --source-ranges 10.128.0.0/20, which is the database subnet itself; source ranges and source service accounts are evaluated as a union, so the rule would also admit every instance in subnet-a, not only the application servers. Option D uses tags only, which is permitted, but again adds --source-ranges 10.128.0.0/20, so any instance in the database subnet matches regardless of its tag, and tags are a weaker identity control than service accounts.

One check applies after creating the rule: VPC firewall rules are evaluated by priority with an implied deny-all ingress rule at the lowest priority, so the new rule only restricts database traffic if no higher-priority or pre-existing rule (for example default-allow-internal in the default network) already allows TCP 3306 to the database servers.
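To make the difference between the options concrete, here is a small model of the ingress evaluation semantics the explanation relies on. This is an added example written for this page, not code from Google Cloud or from the question; the instance names, addresses and service accounts are constructed sample data, and the model covers only the behaviour discussed here (union of source filters, target selection, the rule that tags and service accounts cannot be mixed, and the implied deny). It shows that the option B rule admits only the application server, while the option C and D rules, because of the extra --source-ranges 10.128.0.0/20, also admit any instance that happens to sit in the database subnet.

```python
"""Toy model of Google Cloud VPC ingress firewall evaluation.

Added example for this page, not Google Cloud code. It models only what the
question turns on: source filters are ORed (IP ranges OR tags OR service
accounts), target filters choose which VMs the rule protects, tags and
service accounts cannot be mixed in one rule, and traffic that no allow rule
matches hits the implied deny-ingress rule. Instances, addresses and
service accounts below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    tags: frozenset = frozenset()
    service_account: str = ""  # service account attached to the VM


@dataclass(frozen=True)
class IngressAllowRule:
    name: str
    allow: frozenset                      # e.g. {"tcp:3306"}, {"tcp"} or {"all"}
    priority: int = 1000
    source_ranges: tuple = ()
    source_tags: frozenset = frozenset()
    source_service_accounts: frozenset = frozenset()
    target_tags: frozenset = frozenset()
    target_service_accounts: frozenset = frozenset()

    def __post_init__(self):
        # Google Cloud rejects any rule that combines tags with service accounts.
        uses_tags = self.source_tags or self.target_tags
        uses_sas = self.source_service_accounts or self.target_service_accounts
        if uses_tags and uses_sas:
            raise ValueError(f"{self.name}: tags and service accounts cannot be mixed")

    def applies_to(self, dst):
        # No target filter: the rule applies to every instance in the network.
        if not (self.target_tags or self.target_service_accounts):
            return True
        return bool(dst.tags & self.target_tags) or dst.service_account in self.target_service_accounts

    def source_matches(self, src):
        # Source filters form a union: matching ANY of them is enough.
        ranges = self.source_ranges
        if not (ranges or self.source_tags or self.source_service_accounts):
            ranges = ("0.0.0.0/0",)  # gcloud's default when no source filter is given
        addr = ipaddress.ip_address(src.ip)
        if any(addr in ipaddress.ip_network(r) for r in ranges):
            return True
        if src.tags & self.source_tags:
            return True
        return src.service_account in self.source_service_accounts

    def permits(self, proto_port):
        proto = proto_port.split(":")[0]
        return "all" in self.allow or proto in self.allow or proto_port in self.allow


def ingress_allowed(rules, src, dst, proto_port):
    """True if an allow rule matches in priority order, else the implied deny wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.applies_to(dst) and rule.source_matches(src) and rule.permits(proto_port):
            return True
    return False


# Constructed sample fleet: subnet-b (172.16.0.0/24) app/web, subnet-a (10.128.0.0/20) db.
SA_APP = "sa-app@my-project.iam.gserviceaccount.com"
SA_DB = "sa-db@my-project.iam.gserviceaccount.com"
APP1 = Instance("app-1", "172.16.0.10", frozenset({"app-server"}), SA_APP)
WEB1 = Instance("web-1", "172.16.0.20", frozenset({"web-server"}), "sa-web@my-project.iam.gserviceaccount.com")
DB1 = Instance("db-1", "10.128.0.10", frozenset({"db-server"}), SA_DB)
DB2 = Instance("db-2", "10.128.0.11", frozenset({"db-server"}), SA_DB)
BATCH1 = Instance("batch-1", "10.128.0.50", frozenset(), "sa-batch@my-project.iam.gserviceaccount.com")

MYSQL = frozenset({"tcp:3306"})
RULE_B = IngressAllowRule("option-b", MYSQL, source_service_accounts=frozenset({SA_APP}),
                          target_service_accounts=frozenset({SA_DB}))
RULE_C = IngressAllowRule("option-c", MYSQL, source_ranges=("10.128.0.0/20",),
                          source_service_accounts=frozenset({SA_APP}),
                          target_service_accounts=frozenset({SA_DB}))
RULE_D = IngressAllowRule("option-d", MYSQL, source_ranges=("10.128.0.0/20",),
                          source_tags=frozenset({"app-server"}), target_tags=frozenset({"db-server"}))


def who_can_reach_db(rule, db=DB1, proto_port="tcp:3306"):
    """Names of the sample instances that a single rule lets reach db on proto_port."""
    return sorted(i.name for i in (APP1, WEB1, DB2, BATCH1) if ingress_allowed([rule], i, db, proto_port))


def option_a_is_rejected():
    """Option A mixes a source tag with a target service account; the API refuses it."""
    try:
        IngressAllowRule("option-a", MYSQL, source_tags=frozenset({"app-server"}),
                         target_service_accounts=frozenset({SA_DB}))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for rule in (RULE_B, RULE_C, RULE_D):
        print(rule.name, "admits to db-1:3306 ->", who_can_reach_db(rule))
    print("option-a rejected:", option_a_is_rejected())
    print("app-1 -> db-1 tcp:22 under option-b:", ingress_allowed([RULE_B], APP1, DB1, "tcp:22"))
```

The model deliberately omits deny rules, hierarchical firewall policies and priority ties; it exists only to show why adding the database subnet as a source range widens the rule to db-2 and batch-1, which is the flaw in options C and D, while the service-account-only rule of option B admits app-1 and nothing else.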
Author: LeetQuiz Editorial Team
In your project my-project, you have a VPC with two subnets: subnet-a (IP range 10.128.0.0/20) for database servers and subnet-b (IP range 172.16.0.0/24) for application and web servers. How would you configure firewall rules to restrict database traffic so that only application servers in subnet-b can communicate with the database servers in subnet-a?
A
Create network tag app-server and service account sa-db@my-project.iam.gserviceaccount.com. Add the tag to the application servers, and associate the service account with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-rule \ --action allow \ --direction ingress \ --rules top:3306 \ --source-tags app-server \ --target-service-accounts sa-db@my-project.iam.gserviceaccount.com
B
Create service accounts sa-app@my-project.iam.gserviceaccount.com and sa-db@my-project.iam.gserviceaccount.com. Associate service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-ru --allow TCP:3306 \ --source-service-accounts sa-app@democloud-idp-demo.iam.gserviceaccount.com \ --target-service-accounts sa-db@my-project.iam.gserviceaccount.com
C
Create service accounts sa-app@my-project.iam.gserviceaccount.com and sa-db@my-project.iam.gserviceaccount.com. Associate the service account sa-app with the application servers, and associate the service account sa-db with the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-ru --allow TCP:3306 \ --source-ranges 10.128.0.0/20 \ --source-service-accounts sa-app@my-project.iam.gserviceaccount.com \ --target-service-accounts sa-db@my-project.iam.gserviceaccount.com
D
Create network tags app-server and db-server. Add the app-server tag to the application servers, and add the db-server tag to the database servers. Run the following command: gcloud compute firewall-rules create app-db-firewall-rule \ --action allow \ --direction ingress \ --rules tcp:3306 \ --source-ranges 10.128.0.0/20 \ --source-tags app-server \ --target-tags db-server