Question 16 - Google Associate Cloud Engineer Real Exam Questions [March 2026 Update]

Q: 16

You deployed an LDAP server on Compute Engine that is reachable via TLS through port 636 using UDP. You want to make sure it is reachable by clients over that port. What should you do?

Options

Correct Answer:

Explanation

To make a service on a Compute Engine instance accessible from outside the VPC network, you must create an ingress firewall rule. The standard and most effective method is to apply a network tag to the VM instance. This tag acts as an identifier. You then create a VPC firewall rule that allows ingress traffic, specifies the protocol (UDP) and port (636), and targets all instances with that specific network tag. This approach correctly configures the network security to permit the required client connections to the LDAP server.

Why Incorrect

A. Adding a network tag by itself does not create any network permissions. A tag is merely a label that must be referenced by a firewall rule to have any effect.

B. Routes are used to define paths for traffic to reach destinations, not to permit or deny connections. Firewall rules control access based on protocol and port.

D. An egress rule controls outbound traffic from the VM instance. To allow clients to connect to the server, an ingress (inbound) rule is required.

References

1. Google Cloud Documentation - VPC firewall rules overview: Under the "Components of a firewall rule" section

it states that a rule's target can be specified using "Target tags

" which applies the rule to instances with a matching network tag. The "Direction of traffic" component must be set to ingress for incoming connections.

Source: Google Cloud

"VPC firewall rules overview"

cloud.google.com/vpc/docs/firewalls#components.

2. Google Cloud Documentation - Using VPC firewall rules: This page provides examples of creating firewall rules. The common pattern shown is to define a rule with a direction (INGRESS)

a target (using targetTags)

a source filter

and a protocol/port specification. This directly aligns with the procedure described in the correct answer.

Source: Google Cloud

"Using VPC firewall rules"

cloud.google.com/vpc/docs/using-firewalls#creatingfirewallrules.

3. Google Cloud Documentation - Network tags overview: "Tags are useful for applying firewall rules... You make a firewall rule applicable to specific instances by using target tags." This reference clarifies that the primary purpose of tags in this context is to be used as targets for firewall rules

invalidating the option that suggests using a tag alone is sufficient.

Source: Google Cloud

"Configure network tags"

cloud.google.com/vpc/docs/add-remove-network-tags.

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE