Secure Access for MySQL Compute Engine VM | Professional Cloud Security Engineer Exam | Google


Question

You have an application where the frontend is deployed on a managed instance group in subnet A and the data layer is stored on a MySQL Compute Engine virtual machine (VM) in subnet B on the same VPC.

Subnet A and Subnet B hold several other Compute Engine VMs.

You only want to allow the application frontend to access the data in the application's MySQL instance on port 3306.

What should you do?

Answers

Explanations


B.

To only allow the frontend of an application to access the data stored in a MySQL Compute Engine virtual machine on port 3306, we need to configure the appropriate firewall rules and network tags.

Option A suggests configuring an ingress firewall rule that allows communication from the source IP range of subnet A to the tag "data-tag" that is applied to the MySQL Compute Engine VM on port 3306. This option is incorrect because it allows any VM in subnet A to access the MySQL instance instead of only allowing the frontend VM.

Option B suggests configuring an ingress firewall rule that allows communication from the frontend's unique service account to the unique service account of the MySQL Compute Engine VM on port 3306. This option is incorrect because service accounts are used for authentication and authorization but not for network traffic rules.

Option C suggests configuring network tags "fe-tag" and "data-tag" to be applied to all instances in subnet A and subnet B, respectively. This option is partially correct because it establishes the network tags necessary to set up the firewall rules.

Option D suggests configuring an egress firewall rule that allows communication from Compute Engine VMs tagged with "data-tag" to destination Compute Engine VMs tagged with "fe-tag." This option is incorrect because it specifies egress rules for outbound traffic, whereas we need to configure ingress rules for inbound traffic to the MySQL instance.

Option F suggests configuring an ingress firewall rule that allows communication from Compute Engine VMs tagged with "fe-tag" to destination Compute Engine VMs tagged with "data-tag." This option is the correct solution because it specifies the necessary firewall rule to allow inbound traffic from only the frontend VM to the MySQL Compute Engine VM.

Therefore, the correct answer is F: Configure a network tag "fe-tag" to be applied to all instances in subnet A and a network tag "data-tag" to be applied to all instances in subnet B. Then configure an ingress firewall rule that allows communication from Compute Engine VMs tagged with "fe-tag" to destination Compute Engine VMs tagged with "data-tag."
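The difference between option A (match on the subnet's address range) and option F (match on instance tags) is easiest to see by evaluating both rules against a small inventory. The following is an added example, not code from the exam page or from Google: it models the matching of a single VPC ingress allow rule using the Compute Engine firewall resource's real field names (`sourceRanges`, `sourceTags`, `targetTags`, `allowed`), with a constructed VM inventory and an assumed CIDR for subnet A.

```python
from ipaddress import ip_address, ip_network

# Rule per option A: source = subnet A's address range (10.0.1.0/24 is assumed).
RULE_A = {
    "name": "allow-subnet-a-to-mysql", "direction": "INGRESS",
    "sourceRanges": ["10.0.1.0/24"],
    "targetTags": ["data-tag"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["3306"]}],
}
# Rule per option F: source = instances tagged fe-tag, target = data-tag.
RULE_F = {
    "name": "allow-fe-to-mysql", "direction": "INGRESS",
    "sourceTags": ["fe-tag"],
    "targetTags": ["data-tag"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["3306"]}],
}

# Constructed inventory: name -> (internal IP, network tags).
VMS = {
    "frontend-mig-x1": ("10.0.1.10", {"fe-tag"}),    # subnet A, the app frontend
    "batch-worker":    ("10.0.1.20", set()),         # subnet A, unrelated VM
    "mysql-vm":        ("10.0.2.5",  {"data-tag"}),  # subnet B, the data layer
    "other-db":        ("10.0.2.6",  set()),         # subnet B, unrelated VM
}

def _port_allowed(rule, proto, port):
    """True if the rule's allowed list covers proto:port (ports may be ranges)."""
    for entry in rule["allowed"]:
        if entry["IPProtocol"] != proto:
            continue
        if "ports" not in entry:          # no ports listed: whole protocol
            return True
        for spec in entry["ports"]:
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def ingress_allowed(rule, src, dst, port, proto="tcp"):
    """True if this single ingress allow rule matches traffic src -> dst:port."""
    src_ip, src_tags = VMS[src]
    _, dst_tags = VMS[dst]
    # Target: a rule with targetTags applies only to instances carrying one of them.
    if rule.get("targetTags") and not dst_tags & set(rule["targetTags"]):
        return False
    # Source: sourceRanges and sourceTags are OR'd; either one matching is enough.
    by_range = any(ip_address(src_ip) in ip_network(r) for r in rule.get("sourceRanges", []))
    by_tag = bool(src_tags & set(rule.get("sourceTags", [])))
    return (by_range or by_tag) and _port_allowed(rule, proto, port)
```

Under RULE_A the unrelated `batch-worker` in subnet A reaches MySQL because it shares the address range; under RULE_F only an instance carrying `fe-tag` does, and nothing reaches the untagged `other-db` or any port other than 3306. The model evaluates one allow rule in isolation; in a real VPC the implied deny-ingress rule and any other allow rules also apply.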