
Answer-first summary for fast verification
Answer: Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.
Option B is the correct answer because it uses service account-based firewall rules, which is the recommended Google Cloud best practice for fine-grained access control. Service accounts provide identity-based security that moves with instances, making them more secure and manageable than IP-based or tag-based rules. The community discussion strongly supports B with 100% consensus and multiple comments citing Google's documentation recommending service accounts for production instances. Option A is less suitable because it allows all instances in subnet A (not just the frontend) to access the MySQL instance. Options C and D use network tags, which are less secure than service accounts as tags can be changed more easily and don't provide the same identity-based security.
Author: LeetQuiz Editorial Team
You have an application with a frontend deployed on a managed instance group in subnet A and a backend MySQL database running on a Compute Engine VM in subnet B within the same VPC. Both subnets contain other Compute Engine VMs. You need to ensure that only the application frontend can access the MySQL instance on port 3306. What should you do?
A. Configure an ingress firewall rule that allows communication from the src IP range of subnet A to the tag "data-tag" that is applied to the mysql Compute Engine VM on port 3306.
B. Configure an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the mysql Compute Engine VM on port 3306.
C. Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an egress firewall rule that allows communication from Compute Engine VMs tagged with data-tag to destination Compute Engine VMs tagged fe-tag.
D. Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with fe-tag to destination Compute Engine VMs tagged with data-tag.