In order to provide subnet level isolation, you want to force instance-A in one subnet to route through a security appliance, called instance-B, in another subnet. What should you do?
A. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.
B. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-A.
C. Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-A.
D. Move instance-B to another VPC and, using multi-NIC, connect instance-B's interface to instance-A's network. Configure the appropriate routes to force traffic through to instance-A.
It is B for me:
https://cloud.google.com/vpc/docs/routes#subnet-routes
Custom static routes can apply to all instances or specific instances. Static routes with a tag attribute apply to instances that have that same network tag. If the route doesn't have a network tag, the route applies to all instances in the network.
The best solution is B: Create a custom route with a more specific route than the system-generated one, and use a tag applied to instance-A. This ensures that only instance-A's traffic routes through instance-B without affecting other traffic within the subnet.
The answer is B. Lots of discussion about whether you can create a more specific route and whether the tag is necessary. The answer is somewhat in the question: Yes, use a tag applied to instance-A because it allows you to apply the more specific route to just the instance(s) with that tag. The question doesn't say ALL instances in the subnet, just instance-A. As for creating a more specific route: Yes, you can do this and while the documentation is somewhat confusing on this topic, you only need to focus on the static route documentation to be sure: https://cloud.google.com/vpc/docs/static-routes
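Added illustration, not part of any post in this thread: a simplified Python model of how a VPC picks a route for a packet leaving a VM (longest prefix first, then lowest priority number, with tagged static routes applying only to instances that carry the tag). It shows why a route more specific than the subnet route, tagged for instance-A, sends only instance-A's traffic through instance-B while an untagged VM in the same subnet keeps the subnet route. The topology, addresses, tag name and instance names are constructed; the model does not encode the API's validation of static-route destinations, which this thread disputes, and its canIpForward check covers only the next-hop side of the console warning quoted further down.

```python
# Added example (constructed topology), modelling VPC route selection.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    dest: str                      # destination CIDR
    next_hop: str                  # "network" for a subnet route, else an instance name
    priority: int = 1000           # GCP default; a lower number wins ties
    tags: frozenset = frozenset()  # empty = applies to every instance in the network

    def applies_to(self, instance_tags: frozenset) -> bool:
        return not self.tags or bool(self.tags & instance_tags)


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    tags: frozenset = frozenset()
    can_ip_forward: bool = False


def select_route(routes, src: Instance, dst_ip: str):
    """Longest-prefix match over routes whose tags match the source VM,
    tie-broken by priority (lower number wins). None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes
                  if ip in ipaddress.ip_network(r.dest) and r.applies_to(src.tags)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.dest).prefixlen, r.priority))


def ip_forward_warnings(routes, instances):
    """A VM used as a next hop must have canIpForward enabled, or it drops
    packets not addressed to it; report routes whose next hop lacks it."""
    by_name = {i.name: i for i in instances}
    return [f"{r.name}: next hop {r.next_hop} needs canIpForward enabled"
            for r in routes
            if r.next_hop in by_name and not by_name[r.next_hop].can_ip_forward]


def gcloud_create_command(route: Route, zone: str) -> str:
    """Render the gcloud command for an instance-next-hop static route;
    --tags scopes the route to instances carrying one of those tags."""
    parts = [f"gcloud compute routes create {route.name}",
             f"--destination-range={route.dest}",
             f"--next-hop-instance={route.next_hop}",
             f"--next-hop-instance-zone={zone}",
             f"--priority={route.priority}"]
    if route.tags:
        parts.append("--tags=" + ",".join(sorted(route.tags)))
    return " \\\n    ".join(parts)


# Constructed topology: subnet-a 10.10.0.0/24 holds instance-a (tagged) and
# instance-d (untagged); subnet-b 10.20.0.0/24 holds the appliance instance-b;
# subnet-c 10.30.0.0/24 is the destination we want to reach only via instance-b.
INSTANCES = [
    Instance("instance-a", "10.10.0.5", frozenset({"via-appliance"})),
    Instance("instance-d", "10.10.0.6"),
    Instance("instance-b", "10.20.0.10", can_ip_forward=True),
]

SUBNET_ROUTES = [  # system-generated, untagged, next hop the VPC network itself
    Route("subnet-a", "10.10.0.0/24", "network"),
    Route("subnet-b", "10.20.0.0/24", "network"),
    Route("subnet-c", "10.30.0.0/24", "network"),
]

# Option B: two /25s are more specific than subnet-c's /24, and the tag limits
# them to instance-a, so no other VM in subnet-a is affected.
APPLIANCE_ROUTES = [
    Route("to-c-lo-via-b", "10.30.0.0/25", "instance-b", 100, frozenset({"via-appliance"})),
    Route("to-c-hi-via-b", "10.30.0.128/25", "instance-b", 100, frozenset({"via-appliance"})),
]

ROUTES = SUBNET_ROUTES + APPLIANCE_ROUTES


def next_hop_for(src_name: str, dst_ip: str) -> str:
    src = next(i for i in INSTANCES if i.name == src_name)
    r = select_route(ROUTES, src, dst_ip)
    return r.next_hop if r else "no-route"


if __name__ == "__main__":
    print("instance-a -> 10.30.0.7 via", next_hop_for("instance-a", "10.30.0.7"))
    print("instance-d -> 10.30.0.7 via", next_hop_for("instance-d", "10.30.0.7"))
    print(gcloud_create_command(APPLIANCE_ROUTES[0], "us-central1-a"))
    for w in ip_forward_warnings(ROUTES, INSTANCES):
        print("WARNING:", w)
```

Running it shows instance-a reaching subnet-c via instance-b while instance-d, in the same subnet but without the tag, still uses the subnet route; flipping `can_ip_forward` off on instance-b makes the warning list non-empty, which is the condition the console warning further down is about.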
To force instance-A in one subnet to route through a security appliance, called instance-B, in another subnet, you need to create a more specific route than the system-generated subnet route. The next hop of the more specific route should point to instance-B with no tag.
Here is an example of how to create a more specific route than the system-generated subnet route:
gcloud compute routes create my-route \
--destination-range=10.0.0.0/24 \
--next-hop-instance=instance-b \
--next-hop-instance-zone=us-central1-a \
--priority=100
This command will create a route with a destination range of 10.0.0.0/24 and a next hop of instance-B. The priority of the route is set to 100, which is higher than the priority of the system-generated subnet route. This means that the more specific route will be used to route traffic from instance-A to instance-B.
The other options are incorrect because:
B. Create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with a tag applied to instance-A. This is not necessary. You do not need to apply a tag to instance-A in order to force traffic to route through instance-B.
C. Delete the system-generated subnet route and create a specific route to instance-B with a tag applied to instance-A. This is not necessary. You can simply create a more specific route than the system-generated subnet route.
D. Move instance-B to another VPC and, using multi-NIC, connect instance-B's interface to instance-A's network. Configure the appropriate routes to force traffic through to instance-A. This is a more complex solution than simply creating a more specific route.
Therefore, the best option is to create a more specific route than the system-generated subnet route, pointing the next hop to instance-B with no tag.
Right answer MUST be C! You cannot create a more specific VPC route; it's stated right here:
https://cloud.google.com/load-balancing/docs/internal/troubleshooting-ilb#invalid-dest-range
Mods please delete my comment. I have tested the steps in answer B and this will work but only if both VMs had IpForward enabled at the time of creation.
Right now this is the warning I'm getting at the route, after testing scenario from answer B:
"Your source and destination VM instances must have canIpForward enabled."
The route is created successfully, this warning is just attached to it with a small warning symbol.
The ANSWER should be D. You cannot put a third-party appliance (firewall) within a VPC; it has to be two separate VPCs, and with a multi-NIC VM this scenario is achievable.
Answer is D.
This is a typical Arch. Design for a shared VPC host project where you add your Security Appliance to control traffic between service projects [E-W traffic].
Sorry, Answer D is incorrect... That answer says: "...Configure the appropriate routes to force traffic through to instance-A." Instance A is NOT the Security appliance... unless it's a typo, and it meant to say Instance B.
But Answer D shows the Instance A as the Security appliance, not Instance B...
The question asks for traffic to go from Instance-A to Instance-B... Answer D has it the other way around...