
Explanation:
The question asks for the most likely reasons why tag-based VPC firewall rules (priority 1000) are not segmenting traffic as intended, so that all VM instances can communicate freely. Option A is correct: if VM instances lack the network tags referenced by the firewall rules, those rules never match the instances and have no effect. Option D is correct: Google Cloud evaluates firewall rules in priority order, and a lower numerical value means a higher priority, so a rule with priority 999 that allows traffic between sources and targets sharing the same service account takes precedence over the tag-based rules at priority 1000; because every instance uses the default service account, such a rule matches all of them. Option E is incorrect because a rule with priority 1001 has a lower priority than the tag-based rules at 1000, so it cannot override them. Option B is unlikely: being in the same subnet does not by itself bypass firewall rules. Option C is also unlikely: network routes determine the path traffic takes but do not override firewall rules. The community discussion supports A and D, with highly upvoted comments explaining that missing tags make the rules ineffective and that priority 999 rules take precedence.
You are auditing network segmentation in your Google Cloud environment, which has separate Production and Non-Production IaaS environments. All VM instances use the default service account configuration. You observe that all instances in your custom VPC network can communicate freely, even though tag-based firewall rules with a priority of 1000 are in place to enforce segmentation. What are the most likely reasons for this behavior?
A
All VM instances are missing the respective network tags.
B
All VM instances are residing in the same network subnet.
C
All VM instances are configured with the same network route.
D
A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 999.
E
A VPC firewall rule is allowing traffic between source/targets based on the same service account with priority 1001.