Google Cloud Professional Cloud Security Engineer Practice Exam

How can a team ensure that only the frontend application can access the backend database?

• A. Create a private network with no internet access
• B. Set up an ingress firewall rule allowing access from the application only
• C. Implement VPN for all database access
• D. Utilize VPC network segmentation

The correct answer is: Set up an ingress firewall rule allowing access from the application only

The option of setting up an ingress firewall rule allowing access from the application only is a robust and effective method to ensure that only the frontend application can communicate with the backend database. By configuring specific rules that restrict traffic to the allowed sources, the firewall can prevent unauthorized access from any other entities on the network or the internet. This way, the security team can define precise IP addresses or ranges that correspond to the frontend application's servers, ensuring that only legitimate requests are processed by the backend database. Implementing such targeted ingress rules enhances security by minimizing the attack surface and thereby protecting sensitive database information from any unwanted exposure. Other methods mentioned, like creating a private network or utilizing VPC network segmentation, may theoretically reduce exposure but do not provide the fine-tuned access control necessary for ensuring that only the frontend application has database access. While these options contribute to an overall secure architecture, they do not specifically enforce access restrictions to the same granular level as ingress firewall rules. Implementing a VPN might secure connections to the database; however, it could also complicate accessibility and management, especially if multiple frontends or environments are involved.