Exam Professional Cloud Security Engineer topic 1 question 49 discussion

A or B. Leaning towards A You have a deadline you cannot develop a new app so you have to lift and shift.

The best option to complete the migration of the legacy application without putting your environment at risk is: B. Migrate the application into an isolated project using a “Lift & Shift” approach in a custom network. Disable all traffic within the VPC and look at the Firewall logs to determine what traffic should be allowed for the application to work properly. Explanation: Disable All Traffic: By disabling all traffic initially, you can ensure that no unauthorized traffic can access the application. This setup provides a secure environment. Using Firewall Logs: This approach allows you to monitor what traffic is necessary for the application to function correctly after migration. You can analyze the Firewall logs to identify which ports and protocols are being used by the application, enabling you to refine your security configurations based on actual usage.

Option C:

B is not correct because Disabling all traffic within the VPC is too restrictive and hinders even initial testing. Analyzing firewall logs without any initial connectivity wouldn't be feasible.

Option B, C, and D involve making significant architectural changes (refactoring into microservices or using Cloud Functions) and disabling traffic, which might introduce complexities and risks. These options are more suitable when you have a better understanding of the application's requirements and can make informed decisions about its architecture and network policies. In your current scenario, option A provides a safe starting point for the migration process while you gather more information about the application's behavior.

B. This option is similar to the first one but is more secure initially. The application is also migrated using a "Lift & Shift" approach. However, instead of enabling all internal TCP traffic, all traffic within the VPC is disabled. The Firewall logs (not exactly the most ideal tool but can give insights) are then used to determine what traffic is needed. This is more secure as it takes a deny-all-first approach.

Option A is a valid approach, but it is not as secure as Option C. In Option A, the application is still exposed to the network, even if it is in an isolated project. This means that if someone were to find a vulnerability in the application, they could potentially exploit it to gain access to the application. In Option C, the application is isolated from the network by being deployed to a GKE cluster. This means that even if someone were to find a vulnerability in the application, they would not be able to exploit it to gain access to the application. Additionally, Option C is more scalable and resilient than Option A. This is because a GKE cluster can be scaled up or down as needed, and it is more resistant to failure than a single VM. Therefore, Option C is the more secure and scalable approach. However, if you are short on time, Option A may be a better option.

A is a best option, remember you have the hurriest of the contract. Making microservices taking too long and have to know the detailed application architecture. Answer A.

The answer is A. In real life you would NOT lift and shift an application especially not knowing the ports it uses nor any documentation. That'd be disruptive and cause an outage until you figured it out. You'd be out of a job! The question also clearly states "You want to complete the migration without putting your environment at risk!" You'd have to refactor the application in parallel and makes sense if it's a legacy application. You'd want to modernize it with microservices so it can take advantage of all cloud features. If you simply lift and shift, the legacy app cannot take advantage of cloud services so what's the point? You still have the same problems except now you've moved it from on-prem to the cloud.

Answer is B. even if you disable all traffic within VPC, the request to the application will hit the firewall and will get a deny ingress response. that way we get to know what port is It coming in. the same can be determined with allowing all traffic in (which exposes your application to the world ) but the question ends with "without putting your environment at risk"

B, as A temporarily opens vulnerable paths in the system.

Answer is A.. You need VPC Flow Logs not "Firewall logs" stated in B

A since B disrupts the system. C and D are out of question if it's supposed to "just work".

The difference between A and B is that, in the first, you allow all traffic so the app will work after migration and you can investigate which ports should be open and then take actions. If you go with B you will have a disruption window until figure out all ports needed but will not have any port unneeded port. So... if you asked to avoid disruption go with A and (as in this question) you are asked about security, go with B

A. Migrate the application into an isolated project using a "Lift & Shift" approach. Enable all internal TCP traffic using VPC Firewall rules. Use VPC Flow logs to determine what traffic should be allowed for the application to work properly.

These questions are no more relevant as google has changed exam and made it really challenging now.

B - VPC Flow Logs Firewall logging only covers TCP and UDP, you explicitly don't know what the app does. That limitation is also important to the fact that implied deny all ingress and deny all egress rules are not covered by Firewall Logging. Plus you have to enable Firewall Logging per rule, so you'd have to have a rule for everything in advance - chicken and egg.... you don't know what is going on, so how could you!?