
Answer-first summary for fast verification
Answer: Run each tier with a different Service Account (SA), and use SA-based firewall rules.
The question emphasizes 'authenticated network segmentation', which requires more than separating address ranges: the firewall must identify the source and target of traffic by an identity that cannot be casually reassigned. Option B (service-account-based firewall rules) is optimal because a rule keyed on a service account matches traffic by the identity attached to the VM. Attaching a service account to a VM requires IAM permission on that account (iam.serviceAccounts.actAs), and the service account of a running VM cannot be changed without stopping it, so the rule enforces an access-controlled, identity-based boundary between tiers, in line with Google's guidance for isolating VMs. Option C (subnet-based firewall rules) separates address ranges but authenticates nothing: any VM placed in the subnet, or anything that can source traffic from its range, matches the rule. Option D (tag-based firewall rules) is flexible, but network tags are not access-controlled (anyone who can edit the instance can add one) and can be changed on a running VM, so a tag is not a trustworthy identity. Option A (project labels) is metadata used for organization and billing and is not evaluated by firewall rules at all. The community discussion, including the highest-upvoted comment (32 upvotes) and references to Google documentation, strongly supports B as the correct answer.
Author: LeetQuiz Editorial Team
A customer is deploying numerous 3-tier web applications on Compute Engine. How can they guarantee authenticated network segmentation between the distinct application tiers?
A. Run each tier in its own Project, and segregate using Project labels.
B. Run each tier with a different Service Account (SA), and use SA-based firewall rules.
C. Run each tier in its own subnet, and use subnet-based firewall rules.
D. Run each tier with its own VM tags, and use tag-based firewall rules.
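As an added example (not from the original page or the quiz), here is what option B looks like in Terraform: one service account per tier, each tier's VMs run under its own account, and the ingress rules key on source and target service accounts. The project ID, network and subnet names, region, machine type, image, and port numbers are assumptions chosen for the example.

```hcl
# Added example: per-tier service accounts and SA-based firewall rules on
# Compute Engine. Project, region, names, image and ports are assumptions.

provider "google" {
  project = "example-project"   # assumed project ID
  region  = "us-central1"
}

locals {
  tiers = ["web", "app", "db"]
}

# A custom-mode VPC starts with only the implied rules: allow all egress,
# deny all ingress. Everything not allowed below is therefore blocked.
resource "google_compute_network" "vpc" {
  name                    = "three-tier-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "main" {
  name          = "three-tier-subnet"
  region        = "us-central1"
  network       = google_compute_network.vpc.id
  ip_cidr_range = "10.10.0.0/20"
}

# One service account per tier. This identity, not a tag or an address
# range, is what the firewall rules match on. Attaching it to a VM needs
# iam.serviceAccounts.actAs on the account.
resource "google_service_account" "tier" {
  for_each     = toset(local.tiers)
  account_id   = "${each.key}-tier"
  display_name = "${each.key} tier"
}

# One VM per tier, each running as its tier's service account. Changing the
# attached service account later requires stopping the VM.
resource "google_compute_instance" "tier" {
  for_each     = toset(local.tiers)
  name         = "${each.key}-1"
  machine_type = "e2-small"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    subnetwork = google_compute_subnetwork.main.id
  }

  service_account {
    email  = google_service_account.tier[each.key].email
    scopes = ["cloud-platform"]
  }
}

# Only VMs running as web-tier may reach VMs running as app-tier on 8080.
resource "google_compute_firewall" "web_to_app" {
  name      = "allow-web-to-app"
  network   = google_compute_network.vpc.name
  direction = "INGRESS"

  allow {
    protocol = "tcp"
    ports    = ["8080"]
  }

  source_service_accounts = [google_service_account.tier["web"].email]
  target_service_accounts = [google_service_account.tier["app"].email]
}

# Only VMs running as app-tier may reach VMs running as db-tier on 5432.
# There is deliberately no web -> db rule, so that path stays denied.
resource "google_compute_firewall" "app_to_db" {
  name      = "allow-app-to-db"
  network   = google_compute_network.vpc.name
  direction = "INGRESS"

  allow {
    protocol = "tcp"
    ports    = ["5432"]
  }

  source_service_accounts = [google_service_account.tier["app"].email]
  target_service_accounts = [google_service_account.tier["db"].email]
}
```

With this configuration a db-tier VM accepts port 5432 only from VMs that actually run as app-tier; a VM that merely carries a network tag named app does not match, and a web-tier VM in the same subnet is blocked by the implied deny-ingress rule. The equivalent tag-based rules (source_tags/target_tags) would be defeated by anyone with permission to edit a running instance's tags. Note that a single firewall rule cannot mix service-account selectors with tag selectors, so pick one model per rule.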