
Explanation:
Option A is correct because it uses service accounts to control access precisely between the application and database servers. By attaching the sa-app service account to the application servers and the sa-db service account to the database servers, you ensure that only traffic originating from the application servers (source service account sa-app) is allowed to reach the database servers (target service account sa-db). An ingress firewall rule is then created that specifically allows this traffic. Options B, C, and D are incorrect because they either use network tags inappropriately for access control or fail to restrict traffic adequately between the specified servers. For more information, refer to Google Cloud's documentation on service accounts and firewall rules.
You have developed a 2-tier application on Google Cloud, consisting of an application tier and a database tier. The application tier operates in subnet-a, while the database tier is in subnet-b, both within the default VPC. What is the best method to configure a firewall rule that ensures only the application servers can communicate with the database servers?
A
B
C
D