Topic 1 Question 23
You have an application hosted on a Compute Engine virtual machine instance that cannot communicate with a resource outside of its subnet. When you review the flow and firewall logs, you do not see any denied traffic listed. During troubleshooting you find: "¢ Flow logs are enabled for the VPC subnet, and all firewall rules are set to log. "¢ The subnetwork logs are not excluded from Stackdriver. "¢ The instance that is hosting the application can communicate outside the subnet. "¢ Other instances within the subnet can communicate outside the subnet. "¢ The external resource initiates communication. What is the most likely cause of the missing log lines?
The traffic is matching the expected ingress rule.
The traffic is matching the expected egress rule.
The traffic is not matching the expected ingress rule.
The traffic is not matching the expected egress rule.
ユーザの投票
コメント(17)
C is the right answer. The traffic is not matching the expected ingress rule, thus it will fall to the IMPLICIT DENY INGRESS RULE which is never logged.
👍 17EJJ2021/04/22Since External resource initiates traffic, its incoming. And its blocked, so Incoming is not matching the existing firewall rules. Hence, C
👍 4ravirajani2020/09/08I'm going to suggest D. The resource with which the VM cannot communicate is external to the subnet. All firewall rules in the VPC subnet are set to log, HOWEVER logging cannot be enabled for the implied 'allow all egress' or the implied 'deny all ingress'. So perhaps the traffic is not matching the expected egress rule and is instead being allowed by the implied 'allow all egress' rule, hence not being logged. Traffic being allowed out of the subnet is a reasonable cause for a missing firewall log line.
👍 3Ocedoc2021/02/02
シャッフルモード