Topic 4 Question 7
For this question, refer to the EHR Healthcare case study. You are responsible for designing the Google Cloud network architecture for Google Kubernetes Engine. You want to follow Google best practices. Considering the EHR Healthcare business and technical requirements, what should you do to reduce the attack surface?
Use a private cluster with a private endpoint with master authorized networks configured.
Use a public cluster with firewall rules and Virtual Private Cloud (VPC) routes.
Use a private cluster with a public endpoint with master authorized networks configured.
Use a public cluster with master authorized networks enabled and firewall rules.
User votes
Comments (17)
It should be A. Public endpoint access disabled is the most secure option as it prevents all internet access to the control plane. This is a good choice if you have configured your on-premises network to connect to Google Cloud using Cloud Interconnect (EHR has enabled this) or Cloud VPN. If you disable public endpoint access, then you must configure authorized networks for the private endpoint. If you don't do this, you can only connect to the private endpoint from cluster nodes or VMs in the same subnet as the cluster. Public endpoint access enabled, authorized networks enabled: This is a good choice if you need to administer the cluster from source networks that are not connected to your cluster's VPC network using Cloud Interconnect or Cloud VPN (but EHR is already using Interconnect), so answer C is wrong. Reference: https://cloud.google.com/kubernetes-engine/docs/concepts/private-cluster-concept
👍 52 jask 2021/09/06

A. Use a private cluster with a private endpoint with master authorized networks configured. --> Private clusters run nodes without external IP addresses, and optionally run their cluster control plane without a publicly-reachable endpoint. Additionally, private clusters do not allow Google Cloud IP addresses to access the control plane endpoint by default. Using private clusters with authorized networks makes your control plane reachable only by the allowed CIDRs, by nodes within your cluster's VPC, and by Google's internal production jobs that manage your control plane.
👍 7 victory108 2021/08/28

Choice I believe is correct: C
C is correct. A is wrong because, despite what everyone is thinking, you cannot have a private endpoint for the control plane WITH authorised networks. It's a contradiction of ideas. The authorised networks are specifically to manage access to a public endpoint to only a set of RFC1918 addresses, for example. Which, ironically, is covered by the link that everyone is pasting referring to answer A https://cloud.google.com/kubernetes-engine/docs/concepts/private-cluster-concept
👍 4 rr4444 2023/03/14
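The layout answer A describes (private nodes, no public control-plane endpoint, authorized networks limited to ranges that reach the VPC over Cloud Interconnect), written out as an added Terraform example that is not part of the question or any comment; the cluster name, region, network, secondary ranges and the on-prem CIDR are assumed placeholders, not EHR's real values.

```hcl
# Added example, not from the page. Names, ranges and the on-prem CIDR are assumptions.
resource "google_container_cluster" "ehr_private" {
  name       = "ehr-gke-private"   # assumed cluster name
  location   = "us-central1"       # assumed region
  network    = "ehr-vpc"           # assumed VPC that on-prem reaches over Cloud Interconnect
  subnetwork = "ehr-gke-subnet"    # assumed subnet

  # Private clusters must be VPC-native (alias IP ranges for pods and services).
  ip_allocation_policy {
    cluster_secondary_range_name  = "gke-pods"      # assumed secondary range
    services_secondary_range_name = "gke-services"  # assumed secondary range
  }

  private_cluster_config {
    enable_private_nodes    = true   # nodes get no external IP addresses
    enable_private_endpoint = true   # control plane has no public endpoint (answer A);
                                     # setting this false gives option C's public endpoint
    master_ipv4_cidr_block  = "172.16.0.32/28"  # assumed /28 reserved for the control plane
  }

  # With the public endpoint disabled, the private endpoint is only reachable from
  # cluster nodes and VMs in the same subnet unless these CIDRs are authorized.
  # List only the ranges that arrive over Cloud Interconnect or Cloud VPN.
  master_authorized_networks_config {
    cidr_blocks {
      cidr_block   = "10.0.0.0/8"   # assumed on-prem range behind Cloud Interconnect
      display_name = "ehr-on-prem"
    }
  }

  remove_default_node_pool = true
  initial_node_count       = 1
}
```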