Your company is deploying a multi-tier web application on Google Kubernetes Engine (GKE) with a regional cluster. You need to design network policies to allow traffic only from the frontend pods to the backend pods on port 8080. Which of the following is the most secure and recommended approach?
- A. Define a Kubernetes NetworkPolicy that allows ingress to backend pods from frontend pods on port 8080.
  Correct: NetworkPolicy is the native Kubernetes mechanism for pod-level traffic control.
- B. Configure Private Service Connect to restrict access to backend pods.
  Why wrong: Private Service Connect is for private access to managed services, not pod isolation.
- C. Create VPC firewall rules to allow ingress from frontend pods to backend pods on port 8080.
  Why wrong: VPC firewall rules apply to VM instances, not Kubernetes pods.
- D. Use Cloud Armor security policies to restrict traffic to backend pods.
  Why wrong: Cloud Armor is for HTTP(S) load balancing, not pod-to-pod traffic.
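What option A looks like in practice, as an added example that is not part of the original question: a NetworkPolicy that admits ingress to backend pods only from frontend pods on TCP 8080. The namespace `web` and the labels `tier=frontend` / `tier=backend` are assumptions for the illustration.

```yaml
# Added example, not from the original question. Assumed: both tiers run in
# namespace "web" with labels tier=frontend and tier=backend.
# Enforcement requires network policy to be enabled on the GKE cluster
# (GKE Dataplane V2, or --enable-network-policy on the legacy dataplane);
# without enforcement the object is accepted by the API but has no effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-from-frontend
  namespace: web
spec:
  # Selecting the backend pods makes them "isolated" for ingress: from now on
  # only traffic matched by an ingress rule below can reach them.
  podSelector:
    matchLabels:
      tier: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        # A podSelector with no namespaceSelector matches pods in the policy's
        # own namespace ("web") only.
        - podSelector:
            matchLabels:
              tier: frontend
      ports:
        - protocol: TCP
          port: 8080
```

After applying it, confirm enforcement rather than assuming it: a request to a backend pod on port 8080 from a pod without the `tier=frontend` label should time out, while the same request from a frontend pod should succeed.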