You are designing a multi-tier application with a frontend and backend. The frontend instances are in subnet A (10.0.1.0/24), and the backend instances are in subnet B (10.0.2.0/24). Both subnets are in the same VPC. You want to allow the frontend to communicate with the backend on TCP port 8080, but the backend must not be able to initiate connections to the frontend. Additionally, the backend must be able to send patches to the internet. Which set of firewall rules should you implement?
Correct: Ingress on backend allows frontend-initiated traffic only. Egress on backend allows backend to reach internet for patches. No rule allows backend to initiate to frontend.
Why this answer
Option B is correct because the frontend in subnet A initiates connections to the backend on TCP port 8080, so an ingress rule on the backend allowing traffic from subnet A permits this. An egress rule on the backend allowing all traffic to the internet enables patch downloads. This setup prevents the backend from initiating connections to the frontend, as no egress rule on the backend targets the frontend, and no ingress rule on the frontend allows unsolicited traffic from the backend.
Exam trap
Google Cloud often tests the distinction between ingress and egress rules and the direction of traffic flow; the trap here is that candidates mistakenly place the ingress rule on the frontend (thinking it needs to 'receive' the connection) instead of on the backend, which actually receives the connection from the frontend.
How to eliminate wrong answers
Option A is wrong because it places the ingress rule on the frontend, which would allow the backend to initiate connections to the frontend and violates the requirement that the backend must not initiate connections to the frontend; also, service accounts are not typically used in VPC firewall rules for subnet-level traffic. Option C is wrong because it places an ingress rule on the frontend allowing traffic from subnet B, which again would permit the backend to initiate connections to the frontend. Option D is wrong because it denies all egress traffic from the frontend, which would block the frontend from sending requests to the backend, and it omits the egress rule the backend still needs to reach the internet for patches.
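As an added illustration (not part of the original question or answer key), the following Python model of per-direction firewall evaluation shows why the correct rule set satisfies all three requirements, and why the misplaced frontend ingress rule and the frontend egress deny from the wrong options fail; the simplified rule semantics, network tags and host addresses are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed, simplified model of VPC firewall semantics: rules are per direction,
# scoped to instances by network tag, the lowest priority number wins, and the
# implied rules are "allow all egress" and "deny all ingress". Because the
# firewall is stateful, only the direction that initiates a connection is checked.
@dataclass
class Rule:
    direction: str        # "INGRESS" or "EGRESS"
    action: str           # "ALLOW" or "DENY"
    target: str           # network tag of the instances the rule applies to
    remote: str           # source range (ingress) or destination range (egress)
    ports: Optional[set]  # TCP ports, or None for all ports
    priority: int = 1000

def evaluate(rules, direction, target, remote_ip, port):
    """Highest-priority matching rule decides; otherwise the implied rule applies."""
    matches = sorted(
        (r for r in rules if r.direction == direction and r.target == target
         and ip_address(remote_ip) in ip_network(r.remote)
         and (r.ports is None or port in r.ports)),
        key=lambda r: r.priority)
    if matches:
        return matches[0].action == "ALLOW"
    return direction == "EGRESS"  # implied allow egress, implied deny ingress

def can_initiate(rules, src_tag, src_ip, dst_tag, dst_ip, port):
    """A new connection needs egress allowed on the initiator and, when the
    destination is an instance in the VPC (dst_tag given), ingress on it."""
    if not evaluate(rules, "EGRESS", src_tag, dst_ip, port):
        return False
    return dst_tag is None or evaluate(rules, "INGRESS", dst_tag, src_ip, port)

# Constructed hosts: one instance in subnet A and one in subnet B.
FRONTEND, BACKEND = ("frontend", "10.0.1.10"), ("backend", "10.0.2.10")
# The answer's rule set: ingress on the backend from subnet A, egress from the backend.
CORRECT = [Rule("INGRESS", "ALLOW", "backend", "10.0.1.0/24", {8080}),
           Rule("EGRESS", "ALLOW", "backend", "0.0.0.0/0", None)]
# The exam trap: the ingress rule placed on the frontend, opened to subnet B.
TRAP = [Rule("INGRESS", "ALLOW", "frontend", "10.0.2.0/24", {8080})]
# Option D's mistake: all egress from the frontend denied.
DENY_FRONTEND_EGRESS = CORRECT + [Rule("EGRESS", "DENY", "frontend", "0.0.0.0/0", None)]

def check(rules):
    """Return (frontend->backend:8080, backend->frontend:8080, backend->internet:443)."""
    return (can_initiate(rules, *FRONTEND, *BACKEND, 8080),
            can_initiate(rules, *BACKEND, *FRONTEND, 8080),
            can_initiate(rules, *BACKEND, None, "203.0.113.5", 443))
```

Only the correct set yields allowed, denied, allowed; the trap set lets the backend reach the frontend while the frontend cannot reach the backend, and the egress deny blocks the frontend's own requests.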