
Answer-first summary for fast verification
Answer: Create a folder-level deny-all rule for outbound traffic within a hierarchical firewall policy. Define FQDN allowlist rules in separate policies and associate them with the necessary VPCs. Configure Cloud NAT for these VPCs.
Option B is the correct answer because it implements a hierarchical firewall policy with a folder-level deny-all rule for outbound traffic, ensuring no external traffic is allowed by default. It then creates specific FQDN allowlist rules in separate policies applied only to designated VPCs, providing granular control where allowlists override broader restrictions for specific VPCs only. Cloud NAT is configured for these VPCs to handle outbound traffic. This approach aligns with the requirement to block all external traffic except for approved FQDNs in specific VPCs while preventing exposure of internal applications. Option A uses a global allowlist, which lacks granularity and applies to all VPCs. Option C uses project-level rules, which are less efficient than folder-level for multiple projects. Option D relies solely on IP-based filtering in Cloud NAT, which is less secure than FQDN-based rules and doesn't provide hierarchical control.
Author: LeetQuiz Editorial Team
Your organization uses Cloud Run services in multiple projects under a non-production folder. These services primarily communicate internally, but some require external access to specific approved FQDNs while blocking all other external traffic. Internal applications must not be exposed externally. You need to implement granular control where allowlists for specific FQDNs override broader restrictions, but only within designated VPCs. What should you do?
A
Implement a global-level allowlist rule for the necessary FQDNs within a hierarchical firewall policy. Apply this policy across all VPCs in the organization and configure Cloud NAT without any additional filtering.
B
Create a folder-level deny-all rule for outbound traffic within a hierarchical firewall policy. Define FQDN allowlist rules in separate policies and associate them with the necessary VPCs. Configure Cloud NAT for these VPCs.
C
Create a project-level deny-all rule within a hierarchical structure and apply it broadly. Override this rule with separate FQDN allowlists defined in VPC-level firewall policies associated with the relevant VPCs.
D
Configure Cloud NAT with IP-based filtering to permit outbound traffic only to the allowlisted FQDNs' IP ranges. Apply Cloud NAT uniformly to all VPCs within the organization's folder structure.
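As an added illustration (not part of the LeetQuiz page or of Google's own tooling), the following Python model shows first-match, priority-ordered egress evaluation with a folder-wide deny-all rule and an FQDN allow rule scoped to designated VPCs. The VPC names, FQDNs, resolved IPs and priorities are constructed; the relative evaluation order of the two policies is a parameter, because it decides whether the allowlist is ever reached before the deny-all.

```python
# Added example: a toy evaluator for hierarchical-style egress rules.
# All names, priorities and addresses below are constructed for illustration.
from dataclasses import dataclass, field

# Constructed stand-in for FQDN-object resolution (Cloud DNS does this in GCP).
FQDN_TABLE = {
    "api.example.com": ["203.0.113.10"],
    "updates.example.net": ["198.51.100.7"],
}

@dataclass
class Rule:
    priority: int                                   # lower number = evaluated first
    action: str                                     # "allow" or "deny"
    dest_fqdns: set = field(default_factory=set)    # empty = any destination
    target_vpcs: set = field(default_factory=set)   # empty = applies to every VPC

    def matches(self, vpc, dest_ip):
        if self.target_vpcs and vpc not in self.target_vpcs:
            return False
        if not self.dest_fqdns:
            return True
        return any(dest_ip in FQDN_TABLE.get(f, []) for f in self.dest_fqdns)

def evaluate_egress(policies, vpc, dest_ip):
    """Walk policies in evaluation order and rules by priority; first match wins.
    Falls through to the implied allow-egress rule if nothing matches."""
    for rules in policies:
        for rule in sorted(rules, key=lambda r: r.priority):
            if rule.matches(vpc, dest_ip):
                return rule.action
    return "allow"  # implied egress allow when no rule matches

# Allowlist policy scoped to one designated VPC, and a folder-wide deny-all.
ALLOWLIST_POLICY = [Rule(1000, "allow", {"api.example.com"}, {"vpc-payments"})]
FOLDER_DENY_POLICY = [Rule(65000, "deny")]

def decide(vpc, fqdn, deny_first=False):
    """Egress decision for `vpc` reaching the first resolved IP of `fqdn`.
    deny_first=True models the folder deny-all being evaluated before the
    allowlist policy, in which case the allowlist is never consulted."""
    dest_ip = FQDN_TABLE[fqdn][0]
    order = ([FOLDER_DENY_POLICY, ALLOWLIST_POLICY] if deny_first
             else [ALLOWLIST_POLICY, FOLDER_DENY_POLICY])
    return evaluate_egress(order, vpc, dest_ip)
```

Running `decide` for a designated VPC, a non-designated VPC and an unlisted FQDN shows that scoping by target VPC and FQDN does the filtering, while the order in which the allowlist and the deny-all are evaluated determines whether the allowlist can take effect at all.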