Exam Professional Cloud DevOps Engineer topic 1 question 101 discussion

Option D uses fewest number of steps.

Enabling logging on the firewall rule (Option C) is the best first step. It’s a single, direct GCP configuration change. It logs every connection to the API port, capturing the client’s IP address. It requires no changes to the application or additional agents.

IP's can be missed using flow logs. Right answer is C: VPC Flow Logs samples packets using a primary sampling rate. The primary sampling rate is dynamic and varies depending on the load of the physical host running the VM or gateway at the time of sampling. The probability of sampling any single IP connection increases with the volume of packets. You can't control the primary flow log sampling process or adjust the primary samplSource: https://cloud.google.com/vpc/docs/flow-logs#log-sampling

Since there is already a firewall rule allowing access from 0.0.0.0/0, enabling firewall rule logging will capture details of every incoming connection, including the source IP address. This is the simplest approach and requires only one step (enabling logging on the existing firewall rule).

VPC logs is sample log collected at intervals

The correct option is C: Enable logging on the firewall rule. Explanation: Firewall rule logging allows you to capture the traffic that matches a specific firewall rule, including details such as the source IP address. Since your firewall rule allows access to the API port from 0.0.0.0/0, enabling logging on this rule will log the IP addresses of incoming connections to the API. This is the most straightforward way to log the IP addresses accessing the API using the fewest steps, as it leverages existing firewall configurations and integrates with Cloud Logging. D: VPC Flow Logs provide network-level logging for traffic flowing within the VPC but would log all traffic in the subnet. While it could work, it's a more complex solution compared to enabling firewall rule logging directly. Therefore, C provides the quickest and simplest method to log IP addresses accessing the API.

C) Enabling Logging of firewall rules

C is correct. VPC Flows logs can show source IP addresses, but they sample packets, do not provide the level of detail about individual API calls compared to firewall rule logging.

Be careful. The question states "each IP address that accesses the API". VPC Flow Logs is sampling records: "VPC Flow Logs records a sample of network flows sent from and received by VM instances, including instances used as GKE nodes. These logs can be used for network monitoring, forensics, real-time security analysis, and expense optimization." Source: https://cloud.google.com/vpc/docs/using-flow-logs C. Is the correct answer.

Choose option D. To configure Cloud Logging to log each IP address accessing the API with the fewest steps in a Compute Engine environment using an internal TCP/UDP load balancer, the first step would be to enable VPC Flow Logs on the subnet. That will allows you to capture network flow information, including source and destination IP addresses, as traffic passes through the load balancer. VPC Flow Logs provide detailed visibility into network activity without requiring modifications to individual instances or the installation of additional agents. Enabling VPC Flow Logs is a straightforward and efficient way to capture the necessary information for logging IP addresses accessing the API in a Compute Engine environment.

D. Enable VPC Flow Logs on the subnet. This will capture the network traffic details you need for logging in Cloud Logging without requiring additional configurations on the instances or firewall rules.