How should the customer ensure authenticated network separation between the different tiers of the application?

A customer wants to deploy a large number of 3-tier web applications on Compute Engine.

How should the customer ensure authenticated network separation between the different tiers of the application?
A . Run each tier in its own Project, and segregate using Project labels.
B . Run each tier with a different Service Account (SA), and use SA-based firewall rules.
C . Run each tier in its own subnet, and use subnet-based firewall rules.
D . Run each tier with its own VM tags, and use tag-based firewall rules.

Answer: B

Explanation:

"Isolate VMs using service accounts when possible" "even though it is possible to uses tags for target filtering in this manner, we recommend that you use service accounts where possible. Target tags are not access-controlled and can be changed by someone with the instance Admin role while VMs are in service. Service accounts are access-controlled, meaning that a specific user must be explicitly authorized to use a service account. There can only be one service account per instance, whereas there can be multiple tags. Also, service accounts assigned to a VM can only be changed when the VM is stopped." https://cloud.google.com/solutions/best-practices-vpc-design#isolate-vms-service-accounts

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments