Google Cloud Professional Cloud Security Engineer Practice Exam



What action should be taken to allow Compute Engine instances limited internet access while reaching out for security updates?

  1. Remove all egress firewall rules

  2. Create an egress firewall rule allowing traffic to the repository's CIDR range

  3. Change the priority of the deny rule to allow internet access

  4. Use a Cloud NAT gateway for internet access

The correct answer is: Create an egress firewall rule allowing traffic to the repository's CIDR range

To give Compute Engine instances limited internet access for the purpose of reaching security updates, create an egress firewall rule that allows traffic to the repository's CIDR range. The instances can then reach the update repositories over the internet, while outbound access stays restricted to the specific IP ranges associated with those repositories. Only the required traffic can leave the instances, which minimizes the attack surface and reduces the risk of unwanted outbound traffic. This balances the need to receive critical updates against the need to control where outbound communications are allowed.

In contrast, removing all egress firewall rules would lead to unrestricted internet access, which could increase vulnerability. Adjusting the priority of a deny rule would not create a specific allowance for the traffic needed to fetch updates. A Cloud NAT gateway could facilitate outbound internet access, but it does not directly address the need for specific outbound controls unless paired with proper firewall rules. The recommended action therefore keeps the environment secure and controlled while allowing the necessary update traffic.