Topic 1 Question 67
(Choose two.) In your company, two departments with separate GCP projects (code-dev and data-dev) in the same organization need to allow full cross-communication between all of their virtual machines in GCP. Each department has one VPC in its project and wants full control over their network. Neither department intends to recreate its existing computing resources. You want to implement a solution that minimizes cost. Which two steps should you take?
A. Connect both projects using Cloud VPN.
B. Connect the VPCs in project code-dev and data-dev using VPC Network Peering.
C. Enable Shared VPC in one project (e.g., code-dev), and make the second project (e.g., data-dev) a service project.
D. Enable firewall rules to allow all ingress traffic from all subnets of project code-dev to all instances in project data-dev, and vice versa.
E. Create a route in the code-dev project to the destination prefixes in project data-dev and use nexthop as the default gateway, and vice versa.
Comments (14)
Answer is B & D. B: minimizes cost and is quick. D: you need to create firewall rules to allow traffic between subnets over each VPC.
👍 24 · mikelabs · 2020/11/13

B and D, 100%.
- First of all, we only have 2 separate VPCs in 2 different projects, where each project resides in the same organization. This set-up already yells that we need NW peering!
- In addition, to be able to use a Shared VPC we need to delete existing service project resources and recreate them in the shared VPC subnet, which is something the question statement does not want, so Shared VPC is automatically eliminated.
- Lastly, with NW peering, the subnet routes of both VPCs are automatically shared, but we still need to create firewall rules to allow incoming requests for both ends.
Hence B and D.
👍 14 · seddy · 2021/05/16

It's B and D. https://cloud.google.com/vpc/docs/vpc-peering#firewall
When you connect networks using VPC Network Peering, firewall rules are not exchanged between them. To allow ingress traffic from VM instances in a peer network, you must create ingress allow firewall rules. By default, ingress traffic to VMs is blocked by the implied deny ingress rule.
If you need to restrict access to VMs such that only other VMs in your VPC network have access, ensure that the sources for your ingress allow firewall rules only identify VMs in your VPC network, not ones from peer networks. For example, you can specify source IP ranges for just the subnets in your VPC network.
To restrict access to an internal TCP/UDP load balancer, create ingress firewall rules that apply to the load balancer's backend VMs.
👍 6 · VivekMishraV · 2021/05/07
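Steps B and D written out as a Terraform configuration, added here as an illustration; it is not from the question, the cited Google doc, or any commenter. The VPC names (code-dev-vpc, data-dev-vpc) and the subnet ranges (10.10.0.0/16 for code-dev, 10.20.0.0/16 for data-dev) are assumptions for the example. The existing VPCs are looked up with data sources rather than created, since neither department will recreate resources.

```hcl
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
  }
}

# Existing VPCs, looked up rather than created. The network names are
# assumptions for this example.
data "google_compute_network" "code_dev" {
  project = "code-dev"
  name    = "code-dev-vpc"
}

data "google_compute_network" "data_dev" {
  project = "data-dev"
  name    = "data-dev-vpc"
}

locals {
  # Assumed primary ranges of each VPC's subnets. Peering requires that the
  # two VPCs' subnet ranges do not overlap.
  code_dev_subnets = ["10.10.0.0/16"]
  data_dev_subnets = ["10.20.0.0/16"]
}

# Step B: a peering is declared from each side and only becomes ACTIVE once
# both halves exist. Subnet routes are exchanged automatically, so no static
# routes (option E) are needed.
resource "google_compute_network_peering" "code_to_data" {
  name         = "code-dev-to-data-dev"
  network      = data.google_compute_network.code_dev.self_link
  peer_network = data.google_compute_network.data_dev.self_link
}

resource "google_compute_network_peering" "data_to_code" {
  name         = "data-dev-to-code-dev"
  network      = data.google_compute_network.data_dev.self_link
  peer_network = data.google_compute_network.code_dev.self_link
  # Serialize the two peering operations; GCP rejects a second peering
  # change on a network while the first is still in progress.
  depends_on = [google_compute_network_peering.code_to_data]
}

# Step D: peering does not exchange firewall rules, and the implied
# deny-ingress rule blocks peer traffic, so each VPC needs its own ingress
# allow rule. Sources are the peer's subnet ranges, not 0.0.0.0/0.
resource "google_compute_firewall" "data_dev_allow_from_code_dev" {
  project       = "data-dev"
  name          = "allow-ingress-from-code-dev"
  network       = data.google_compute_network.data_dev.name
  direction     = "INGRESS"
  source_ranges = local.code_dev_subnets
  allow {
    protocol = "all"
  }
}

resource "google_compute_firewall" "code_dev_allow_from_data_dev" {
  project       = "code-dev"
  name          = "allow-ingress-from-data-dev"
  network       = data.google_compute_network.code_dev.name
  direction     = "INGRESS"
  source_ranges = local.data_dev_subnets
  allow {
    protocol = "all"
  }
}
```

The identity running `terraform apply` needs permission to add peerings and firewall rules in both projects (roles/compute.networkAdmin on each is sufficient). After apply, `gcloud compute networks peerings list --network=code-dev-vpc --project=code-dev` should show the peering in state ACTIVE; if it shows INACTIVE, the other project's half has not been created yet. Scoping the ingress sources to the peer's subnet ranges keeps each department in control of its own network: the rule admits only the other VPC's VMs, and either side can tighten it later to specific ports or tags without touching the peering.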