Google Associate Cloud Engineer

Explanation

For Compute Engine VMs to communicate internally on a specific port (TCP 8080), you need to create firewall rules that allow this traffic. Here's why:

1. Firewall rules control network traffic: In Google Cloud, firewall rules are used to allow or deny traffic to and from VM instances. By default, VPC networks have an implied "deny all" ingress rule and an "allow all" egress rule.

2. IAM roles vs Firewall rules:

   • IAM roles (Option A): Control permissions for accessing Google Cloud resources, not network traffic.
   • Firewall rules (Option B): Specifically control network traffic between resources.

3. Cloud NAT (Option C): Used for outbound internet connectivity for private instances, not for internal VM-to-VM communication.

4. VPC Peering (Option D): Used to connect different VPC networks, not for controlling traffic within the same VPC.

Correct approach: Create a firewall rule that:

• Allows ingress traffic on TCP port 8080
• Applies to the appropriate target instances (all instances in the VPC or specific tags)
• Uses the appropriate source IP ranges (internal IP ranges for internal communication)

Example firewall rule creation:

gcloud compute firewall-rules create allow-tcp-8080 \
    --allow tcp:8080 \
    --direction INGRESS \
    --network default \
    --source-ranges 10.128.0.0/9

gcloud compute firewall-rules create allow-tcp-8080 \
    --allow tcp:8080 \
    --direction INGRESS \
    --network default \
    --source-ranges 10.128.0.0/9

This rule would allow internal communication on TCP port 8080 within the VPC network.