
Explanation:
Using service accounts or network tags in firewall rules allows fine-grained control based on identity or metadata, following micro-segmentation best practices. 0.0.0.0/0 is too open, separate VPCs add complexity, org policies for constraints.
Ultimate access to all questions.
A three-tier app needs its database tier reachable only from the app tier VMs. Firewall best practice?
A
Allow 0.0.0.0/0 on the DB port
B
Ingress allow rule on the DB port with source = the app tier's service account (or network tag), target = DB tier's service account/tag
C
Separate VPCs for each tier
D
An org policy
No comments yet.