
Explanation:
Option A is correct because Firewall Rules Logging exists precisely to audit and troubleshoot firewall rule behavior in Google Cloud. It is enabled per rule, and every connection that matches a logged rule produces an entry in Cloud Logging (log ID compute.googleapis.com/firewall, resource type gce_subnetwork) that records the connection 5-tuple, the disposition (ALLOWED or DENIED) and a reference to the rule that made the decision. Enabling it on the recently changed rules and filtering in Logs Explorer therefore shows directly whether those rules are denying the application's traffic, without disrupting production. Two caveats a practitioner should know: logging cannot be enabled on the implied allow-egress and deny-ingress rules, so traffic dropped by the implied deny produces no entry (add an explicit lowest-priority deny rule with logging enabled if you need to see it), and logged traffic incurs Cloud Logging cost, so scope logging to the rules under investigation and turn it off afterwards. Option B (bastion host with a traffic analyzer) only places you inside the VPC; a packet capture can show where packets stop but cannot tell you which rule dropped them. Option C (disabling rules one by one in pre-production) does not exercise the production rule set and removes protections while you test. Option D (VPC Flow Logs) records sampled flow data at the VM and subnet level but carries no rule reference or allow/deny disposition, so it cannot attribute a blocked connection to a specific firewall rule.
You need to test if your Compute Engine firewall rules are blocking traffic to a public-facing application. What is the correct troubleshooting step to take?
A. Enable Firewall Rules Logging on the latest rules that were changed. Use Logs Explorer to analyze whether the rules are working correctly.
B. Connect to a bastion host in your VPC. Use a network traffic analyzer to determine at which point your requests are being blocked.
C. In a pre-production environment, disable all firewall rules individually to determine which one is blocking user traffic.
D. Enable VPC Flow Logs in your VPC. Use Logs Explorer to analyze whether the rules are working correctly.
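The correct answer is a two-step procedure: turn logging on for the changed rules (gcloud compute firewall-rules update RULE --enable-logging --logging-metadata=include-all) and then read the resulting entries. The following added example, which is not code from the original page, covers the second step. It builds the Logs Explorer filter for a set of rule names and triages entries exported with gcloud logging read --format=json, using the documented jsonPayload fields of compute.googleapis.com/firewall entries (connection, disposition, rule_details). The network name my-vpc, the rule names and the sample entries are constructed for illustration.

```python
"""Triage Firewall Rules Logging entries for a public-facing application.

Added example, not code from the original page. It assumes entries were
exported with `gcloud logging read ... --format=json` and relies on the
documented jsonPayload schema of compute.googleapis.com/firewall entries
(connection, disposition, rule_details). Network and rule names are
hypothetical.
"""
import json
from collections import Counter, defaultdict

# IANA protocol numbers as they appear in jsonPayload.connection.protocol
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def logs_explorer_filter(network, rules):
    """Return a Logs Explorer query restricted to the rules that were changed.

    rule_details.reference has the form "network:NETWORK/firewall:RULE", so
    the filter pins both the VPC and the rule names.
    """
    refs = " OR ".join(f'"network:{network}/firewall:{rule}"' for rule in rules)
    return (
        'resource.type="gce_subnetwork"\n'
        'log_id("compute.googleapis.com/firewall")\n'
        f"jsonPayload.rule_details.reference:({refs})"
    )


def load_exported(path):
    """Load entries written by `gcloud logging read ... --format=json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def summarize(entries, app_port):
    """Count ALLOWED/DENIED decisions per rule and list denials on the app port.

    Returns (per_rule, blocking): per_rule maps rule -> Counter of
    dispositions; blocking maps rule -> [(src_ip, proto, priority), ...] for
    DENIED connections whose destination port is app_port.
    """
    per_rule = defaultdict(Counter)
    blocking = defaultdict(list)
    for entry in entries:
        payload = entry["jsonPayload"]
        details = payload["rule_details"]
        rule = details["reference"].split("/firewall:", 1)[1]
        disposition = payload["disposition"]  # "ALLOWED" or "DENIED"
        per_rule[rule][disposition] += 1
        conn = payload["connection"]
        if disposition == "DENIED" and conn.get("dest_port") == app_port:
            proto = PROTO_NAMES.get(conn["protocol"], str(conn["protocol"]))
            blocking[rule].append((conn["src_ip"], proto, details["priority"]))
    return dict(per_rule), dict(blocking)


def _entry(rule, action, priority, disposition, src_ip, dest_port):
    """Build one constructed log entry in the firewall log schema (TCP only)."""
    return {
        "logName": "projects/demo-project/logs/compute.googleapis.com%2Ffirewall",
        "resource": {"type": "gce_subnetwork"},
        "jsonPayload": {
            "connection": {"src_ip": src_ip, "src_port": 51234,
                           "dest_ip": "10.128.0.5", "dest_port": dest_port,
                           "protocol": 6},
            "disposition": disposition,
            "rule_details": {
                "reference": f"network:my-vpc/firewall:{rule}",
                "priority": priority, "action": action, "direction": "INGRESS",
            },
            "instance": {"vm_name": "web-1", "zone": "us-central1-a"},
        },
    }


# Constructed sample: the existing allow rule still passes some clients, while
# a recently added deny rule with a higher priority (lower number) drops others.
SAMPLE_ENTRIES = [
    _entry("allow-https", "ALLOW", 1000, "ALLOWED", "203.0.113.10", 443),
    _entry("deny-old-cidr", "DENY", 900, "DENIED", "198.51.100.7", 443),
    _entry("deny-old-cidr", "DENY", 900, "DENIED", "198.51.100.8", 443),
    _entry("allow-ssh-iap", "ALLOW", 1000, "ALLOWED", "35.235.240.1", 22),
]


def report(entries, app_port):
    """Human-readable verdict; also flags the implied-deny blind spot."""
    per_rule, blocking = summarize(entries, app_port)
    lines = [f"{rule}: {dict(counts)}" for rule, counts in sorted(per_rule.items())]
    if blocking:
        for rule, hits in blocking.items():
            lines.append(f"BLOCKING port {app_port}: {rule} (priority {hits[0][2]}) "
                         f"denied {len(hits)} connection(s)")
    else:
        # Implied rules cannot be logged, so silence here is not proof of success.
        lines.append(f"no logged DENIED entries on port {app_port}; if clients still "
                     "cannot connect, the drop is likely the implied deny-ingress rule, "
                     "which cannot be logged: add an explicit priority-65534 deny rule "
                     "with logging enabled to surface it")
    return "\n".join(lines)


if __name__ == "__main__":
    print(logs_explorer_filter("my-vpc", ["allow-https", "deny-old-cidr"]))
    print(report(SAMPLE_ENTRIES, 443))
```

In real use, paste the output of logs_explorer_filter into Logs Explorer, or run gcloud logging read "FILTER" --freshness=1h --format=json > fw.json and feed load_exported("fw.json") to report. Remember to disable logging on the rules once the investigation is over.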