Topic 1 Question 151
You are working with a user to set up an application in a new VPC behind a firewall. The user is concerned about data egress. You want to configure the fewest open egress ports. What should you do?
A. Set up a low-priority (65534) rule that blocks all egress and a high-priority rule (1000) that allows only the appropriate ports.
B. Set up a high-priority (1000) rule that pairs both ingress and egress ports.
C. Set up a high-priority (1000) rule that blocks all egress and a low-priority (65534) rule that allows only the appropriate ports.
D. Set up a high-priority (1000) rule to allow the appropriate ports.
Comments (17)
Correct Answer is (A):
Implied rules: Every VPC network has two implied firewall rules. These rules exist, but are not shown in the Cloud Console:
Implied allow egress rule. An egress rule whose action is allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any instance send traffic to any destination, except for traffic blocked by Google Cloud. A higher priority firewall rule may restrict outbound access. Internet access is allowed if no other firewall rules deny outbound traffic and if the instance has an external IP address or uses a Cloud NAT instance. For more information, see Internet access requirements.
Implied deny ingress rule. An ingress rule whose action is deny, source is 0.0.0.0/0, and priority is the lowest possible (65535) protects all instances by blocking incoming connections to them. A higher priority rule might allow incoming access. The default network includes some additional rules that override this one, allowing certain types of incoming connections.
https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules
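To make the priority arithmetic in the explanation above concrete, here is an added example that is not part of the original page or of Google's documentation: a small model of how VPC firewall rules are evaluated for egress traffic (numerically lowest priority wins; at equal priority, deny beats allow; the implied allow-egress rule at 65535 is always present). The rule sets for options A and C and the application ports (443 and 5432) are constructed for illustration.

```python
"""Model of GCP VPC firewall rule evaluation for egress traffic.

Constructed example, not real Google Cloud code: it encodes the rule sets
from options A and C of the question plus the implied allow-egress rule
that every VPC network carries, and evaluates which rule wins per port.
"""
from dataclasses import dataclass
from typing import Optional

IMPLIED_PRIORITY = 65535  # lowest possible priority, used by the implied rules


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                 # 0 (highest) .. 65535 (lowest)
    action: str                   # "allow" or "deny"
    ports: Optional[frozenset]    # None means "all protocols and ports"


# Implied allow-egress rule: allow to 0.0.0.0/0 at priority 65535.
IMPLIED_ALLOW_EGRESS = Rule("implied-allow-egress", IMPLIED_PRIORITY, "allow", None)


def matches(rule: Rule, port: int) -> bool:
    return rule.ports is None or port in rule.ports


def evaluate_egress(rules, dest_port: int):
    """Return (action, rule_name) for an egress connection to dest_port.

    GCP semantics: among the rules that match, the one with the numerically
    lowest priority value wins; if several match at the same priority, a
    deny rule takes precedence over an allow rule.
    """
    candidates = [r for r in list(rules) + [IMPLIED_ALLOW_EGRESS] if matches(r, dest_port)]
    # Sort key: priority first, then deny (0) before allow (1) on ties.
    winner = min(candidates, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return winner.action, winner.name


# Hypothetical application ports: HTTPS out and a database connection.
APP_PORTS = frozenset({443, 5432})

# Option A: deny everything at 65534, allow only the app ports at 1000.
OPTION_A = [
    Rule("deny-all-egress", 65534, "deny", None),
    Rule("allow-app-egress", 1000, "allow", APP_PORTS),
]

# Option C: deny everything at 1000, allow the app ports at 65534 (too low to matter).
OPTION_C = [
    Rule("deny-all-egress", 1000, "deny", None),
    Rule("allow-app-egress", 65534, "allow", APP_PORTS),
]


def summarize(rules, ports=(443, 5432, 22, 80)):
    """Map each probe port to the action the rule set produces for it."""
    return {p: evaluate_egress(rules, p)[0] for p in ports}


if __name__ == "__main__":
    for label, rules in (("A", OPTION_A), ("C", OPTION_C), ("no rules", [])):
        print(f"option {label}: {summarize(rules)}")
```

Running it shows option A allowing only 443 and 5432 while 22 and 80 hit the priority-65534 deny, option C denying everything (the priority-1000 deny shadows the allow), and an empty rule set allowing everything via the implied rule. The same rules are created on a real network with `gcloud compute firewall-rules create` using `--direction=EGRESS`, `--action=DENY|ALLOW`, `--rules=all` or `--rules=tcp:443,tcp:5432`, `--destination-ranges=0.0.0.0/0` and `--priority=N`; note that 65534 is chosen for the deny rule because 65535 is already taken by the implied rule, and a user rule at 65535 that denies would still beat the implied allow on the tie.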
👍 37 ESP_SAP 2020/08/22 A is the answer
👍 11 MohammedGhouse 2020/08/12 - Selected Answer: A
Answer is (A): First I was going with C, but then I read the question again. Let's try to understand both options here: the goal is to deny egress and only allow some ports for some functions to perform. If we go with C, the lower the number the higher the priority (1000), so the rule with priority 1000 will overwrite (65534). So if we allow only the appropriate ports, that will be overwritten by the high-priority (1000) rule and all the egress traffic will be blocked. Remember the goal here is to block egress, but not all of it, since we still want to configure the fewest open ports, and this is stateful, meaning for open ports traffic will flow both ways. A fits this condition, where it says we block all traffic but the required ports are kept open with higher priority, which will only allow the required traffic to leave the network.
👍 9 bobthebuilder55110 2022/08/04