Exam Professional Cloud Network Engineer topic 1 question 112 discussion

goto_next is better option.

Reading it twice, I guess D is correct as "delegate only the intra-VPC firewall rules to the respective departments" matches the "goto_next" parameter and departments are in charge of the flow of traffic within the own VPC

D is the correct answer

Using goto_next in the high-priority rule would simply pass the traffic to the next rule, which would then block it. This is functionally the same as having a single "deny all" rule

Answer is D: https://cloud.google.com/firewall/docs/firewall-policies "Hierarchical firewall policy rules have a new goto_next action that you can use to delegate connection evaluation to lower levels of the hierarchy" The use lower level firewall rules for Intra-VPC traffic

While both approaches aim to allow intra-VPC communication and block inter-VPC traffic, Option C directly allows traffic within the VPCs and then blocks any other traffic explicitly, providing a more straightforward and precise policy. Option D uses "goto_next," potentially requiring an additional rule to specifically block unwanted traffic, adding complexity to the policy. Therefore, Option C is a clearer and more straightforward approach for this scenario.

Option D as it will allow intra VPC firewall rules to be in place.

According to Google Cloud documentation, hierarchical firewall policies let you create and enforce a consistent firewall policy across your organization. You can assign hierarchical firewall policies to the organization as a whole or to individual folders. These policies contain rules that can explicitly deny or allow connections, as do Virtual Private Cloud (VPC) firewall rules. In addition, hierarchical firewall policy rules can delegate evaluation to lower-level policies or VPC network firewall rules with a goto_next action. Therefore, the correct answer is D. Create two hierarchical firewall policies per department’s folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action to goto_next, and another lower-priority rule that blocks traffic from any other source.

The correct answer is C. Option A and B are incorrect because they only create firewall rules to block traffic from any source, but do not delegate intra-VPC firewall rules to the respective departments. Option D is also incorrect because the "goto_next" action would not be appropriate for a blocking rule. The correct action for a blocking rule is "deny". Option C is the correct approach. It involves creating two hierarchical firewall policies per department's folder, each with two rules. The first high-priority rule matches traffic from the private CIDRs assigned to the respective VPC and sets the action to allow. The second lower-priority rule blocks traffic from any other source. This approach allows departments to control the intra-VPC firewall rules while blocking traffic between VPCs.

• D. Create two hierarchical firewall policies per department's folder with two rules in each: a high-priority rule that matches traffic from the private CIDRs assigned to the respective VPC and sets the action ***** to goto_next, and another lower-priority rule that blocks traffic from any other source. Hierarchical firewall policies let you create and enforce a consistent firewall policy across your organization. You can assign hierarchical firewall policies to the organization as a whole or to individual folders. These policies contain rules that can explicitly deny or allow connections, as do Virtual Private Cloud (VPC) firewall rules. In addition, hierarchical firewall policy rules can delegate evaluation to lower-level policies or VPC network firewall rules with a goto_next ***** action.

D is right Hierarchical firewall policy rules have a new goto_next action that you can use to delegate connection evaluation to lower levels of the hierarchy.

Correct answer - D Hierarchical firewall policy rules have a new goto_next action that you can use to delegate connection evaluation to lower levels of the hierarchy. https://cloud.google.com/vpc/docs/firewall-policies#:~:text=Hierarchical%20firewall%20policy%20rules%20have%20a%20new%20goto_next%20action%20that%20you%20can%20use%20to%20delegate%20connection%20evaluation%20to%20lower%20levels%20of%20the%20hierarchy.

Correct answer - D Hierarchical firewall policy rules have a new goto_next action that you can use to delegate connection evaluation to lower levels of the hierarchy. https://cloud.google.com/vpc/docs/firewall-policies#:~:text=Hierarchical%20firewall%20policy%20rules%20have%20a%20new%20goto_next%20action%20that%20you%20can%20use%20to%20delegate%20connection%20evaluation%20to%20lower%20levels%20of%20the%20hierarchy.

It's C: https://cloud.google.com/vpc/docs/firewall-policies

Controlling policy level folder is with Firewall Policy, so, A and B was wrong. Between C and D, I prefer C. There isn't action next_to like D said. Correct is C

in my opinion c is correct in this case