
Answer-first summary for fast verification
Answer: Create a hierarchical firewall policy configured at the organization to allow connections only from internal IP ranges.
Option B is the correct answer because it uses a hierarchical firewall policy at the organization level to allow connections only from internal IP ranges, which effectively blocks external access (including 0.0.0.0/0) while permitting legitimate internal traffic. This approach is scalable for thousands of projects, enforces centralized guardrails, and aligns with the principle of least privilege. Option A is too restrictive as it denies all external traffic, which may disrupt legitimate services. Option C is unsuitable because Google Cloud Armor is designed for web application protection (L7) and not for general firewall rules like MySQL port restrictions. Option D is inefficient and cumbersome, requiring manual configuration for each VPC across thousands of projects, which defeats the purpose of centralized enforcement.
Author: LeetQuiz Editorial Team
You have a Google Cloud organization that distributes administrative capabilities by providing each team with a project and the Owner role (roles/owner). The organization contains thousands of projects. Security Command Center Premium is reporting multiple OPEN_MYSQL_PORT findings. You need to enforce guardrails to prevent these common misconfigurations.
What should you do?
A. Create a hierarchical firewall policy configured at the organization to deny all connections from 0.0.0.0/0.
B. Create a hierarchical firewall policy configured at the organization to allow connections only from internal IP ranges.
C. Create a Google Cloud Armor security policy to deny traffic from 0.0.0.0/0.
D. Create a firewall rule for each virtual private cloud (VPC) to deny traffic from 0.0.0.0/0 with priority 0.