Q: 14
A customer has an analytics workload running on Compute Engine that should have limited internet access. Your team created an egress firewall rule to deny (priority 1000) all traffic to the internet. The Compute Engine instances now need to reach out to the public repository to get security updates. What should your team do?
Options
Discussion
Option B is correct here. Had something like this in a mock and the allow rule must have a lower priority value than the deny (so less than 1000). Also, GCP firewall only supports IP/CIDR, not hostnames. If anyone has seen otherwise, let me know but pretty sure about B.
B or maybe D if they ever switch to hostnames, but per official Google docs and practice test questions, B comes up every time for firewall scenarios like this. Review the official guide's section on firewall rule order for clarity.
Not sure why everyone skips A, that trap about priority is tricky but I think it's A here.
B, only CIDR is allowed for firewall rules right now.
It's A, but does "limited internet access" mean certain URLs only? In some exam guides they mention using CIDR instead of hostnames, so if the repository changed to an IP address requirement, would D be better? Would check official doc examples too.