
Firewall rule components (target, source, protocol) in GCP - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual
intermediate
Identify the source in a GCP firewall rule

In a Google Cloud firewall rule, which component specifies where the incoming traffic originates from?

A. The target specifies the source IP addresses or ranges.
B. The source specifies the IP addresses or ranges from which traffic is allowed or denied.
C. The protocol defines the source of the traffic.
D. The destination specifies the source IP addresses.
💡 Hint

Think about where the traffic comes from before it reaches your resources.

Configuration
intermediate
Determine the target of a firewall rule

Which part of a GCP firewall rule defines the instances or resources that the rule applies to?

A. The destination IP ranges.
B. The protocol and ports.
C. The source IP ranges.
D. The target tags or service accounts.
💡 Hint

Think about which virtual machines or resources the rule protects.

Service behavior
advanced
Effect of protocol specification in firewall rules

What happens if a GCP firewall rule specifies tcp as the protocol but traffic arrives using udp?

A. The traffic is allowed because the rule applies to all protocols by default.
B. The traffic is allowed only if the ports match.
C. The traffic is denied because the protocol does not match the rule's specification.
D. The traffic is logged but neither allowed nor denied.
💡 Hint

Consider how firewall rules filter traffic by protocol type.

Security
advanced
Security risk of overly broad source ranges

What is a potential security risk of setting the source IP range to 0.0.0.0/0 in a GCP firewall rule?

A. It allows traffic from any IP address, increasing exposure to attacks.
B. It restricts access to only local network traffic.
C. It blocks all incoming traffic.
D. It only allows traffic from private IP addresses.
💡 Hint

Think about what 0.0.0.0/0 means in networking.

Architecture
expert
Designing firewall rules for multi-tier applications

You have a multi-tier application with web, app, and database layers in GCP. Which firewall rule setup best isolates the database layer from direct internet access while allowing the app layer to communicate with it?

A. Set the database layer's firewall rule to allow traffic only from the app layer's network tags on required ports.
B. Allow the web layer to access the database layer directly on all ports.
C. Allow all traffic from 0.0.0.0/0 to the database layer on all ports.
D. Block all traffic to the database layer.
💡 Hint

Consider the principle of least privilege and network segmentation.

Practice

1. What does the source component specify in a GCP firewall rule?
easy
A. The type of communication protocol allowed
B. The machines that the rule applies to
C. The IP addresses or ranges where traffic originates
D. The priority of the firewall rule

Solution

  1. Step 1: Understand the role of source in firewall rules

    The source defines where the incoming traffic comes from, such as specific IP addresses or ranges.
  2. Step 2: Differentiate source from target and protocol

    The target specifies which machines are affected, and protocol defines the communication type, so source is about origin.
  3. Final Answer:

    The IP addresses or ranges where traffic originates -> Option C
  4. Quick Check:

    Source = traffic origin [OK]
Hint: Source means where traffic comes from [OK]
Common Mistakes:
  • Confusing source with target machines
  • Mixing source with protocol type
  • Thinking source is about rule priority
2. Which of the following is the correct way to specify a protocol in a GCP firewall rule?
easy
A. "tcp"
B. tcp
C. protocol: tcp
D. "protocol:tcp"

Solution

  1. Step 1: Review GCP firewall rule syntax for protocol

    Protocols are specified as strings, so they must be enclosed in quotes like "tcp" or "udp".
  2. Step 2: Identify correct syntax among options

    "tcp" uses quotes correctly. tcp lacks quotes, protocol: tcp and "protocol:tcp" include extra text or wrong format.
  3. Final Answer:

    "tcp" -> Option A
  4. Quick Check:

    Protocol strings need quotes [OK]
Hint: Protocol names must be in quotes [OK]
Common Mistakes:
  • Omitting quotes around protocol
  • Adding extra text inside protocol string
  • Using incorrect syntax like key:value inside quotes
3. Given this firewall rule snippet:
{"sourceRanges": ["192.168.1.0/24"], "targetTags": ["web-server"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]}

Which machines will this rule apply to?
medium
A. Machines tagged with "web-server"
B. All machines in the network
C. Machines with IP in 192.168.1.0/24
D. Machines allowing TCP on port 80

Solution

  1. Step 1: Identify the target component in the rule

    The rule uses "targetTags": ["web-server"], meaning it applies only to machines tagged "web-server".
  2. Step 2: Understand sourceRanges and allowed fields

    SourceRanges limits traffic origin; allowed defines protocol and ports. TargetTags define which machines are affected.
  3. Final Answer:

    Machines tagged with "web-server" -> Option A
  4. Quick Check:

    TargetTags = affected machines [OK]
Hint: TargetTags specify affected machines [OK]
Common Mistakes:
  • Confusing sourceRanges with target machines
  • Thinking sourceRanges limits target machines
  • Assuming all machines are affected
4. You wrote this firewall rule:
{"sourceRanges": ["10.0.0.0/16"], "targetTags": ["db-server"], "allowed": [{"IPProtocol": tcp, "ports": ["5432"]}]}

Why does this rule fail to deploy?
medium
A. Incorrect sourceRanges format
B. Ports must be numbers, not strings
C. targetTags must be IP addresses
D. Missing quotes around protocol name "tcp"

Solution

  1. Step 1: Check the protocol field syntax

    The protocol name "tcp" must be a string enclosed in quotes. Here, tcp is unquoted, causing syntax error.
  2. Step 2: Verify other fields

    sourceRanges format is correct, targetTags accept tags, ports can be strings representing port numbers.
  3. Final Answer:

    Missing quotes around protocol name "tcp" -> Option D
  4. Quick Check:

    Protocol names need quotes [OK]
Hint: Always quote protocol names like "tcp" [OK]
Common Mistakes:
  • Leaving protocol unquoted
  • Confusing tags with IP addresses
  • Using numeric ports without quotes (allowed but inconsistent)
5. You want to allow HTTP traffic only from the IP range 203.0.113.0/24 to all VMs tagged "frontend" using TCP port 80. Which firewall rule configuration is correct?
hard
A. {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp"}]}
B. {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]}
C. {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["backend"], "allowed": [{"IPProtocol": "udp", "ports": ["80"]}]}
D. {"sourceRanges": ["0.0.0.0/0"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": [80]}]}

Solution

  1. Step 1: Match sourceRanges to the required IP range

    The correct sourceRanges ["203.0.113.0/24"] matches the requirement, eliminating configurations using ["0.0.0.0/0"].
  2. Step 2: Check targetTags and allowed protocol/ports

    {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]} targets "frontend" and allows TCP on port "80" as strings, which is correct. {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp"}]} lacks ports, so incomplete.
  3. Step 3: Verify other options

    {"sourceRanges": ["0.0.0.0/0"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": [80]}]} allows all IPs (0.0.0.0/0), not restricted. {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["backend"], "allowed": [{"IPProtocol": "udp", "ports": ["80"]}]} targets "backend" and uses UDP, both incorrect.
  4. Final Answer:

    {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]} -> Option B
  5. Quick Check:

    Correct source, target, protocol, and port [OK]
Hint: Match source, target tag, protocol, and port exactly [OK]
Common Mistakes:
  • Using wrong IP range or all IPs
  • Targeting wrong VM tags
  • Missing ports in allowed protocols
  • Using wrong protocol like UDP for HTTP
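
Added example (not part of the original page): a small Python model of how the target, source and protocol components of the rules in practice questions 4 and 5 decide whether a connection matches, with a check for the over-broad settings the questions warn about. The function names are hypothetical; the model assumes ingress allow rules that carry sourceRanges, and ignores priority, deny rules and service-account targets.

```python
import ipaddress
import json

# Rule text copied from practice questions 5 (options A, B, D) and 4.
OPTION_A = '{"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp"}]}'
OPTION_B = '{"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]}'
OPTION_D = '{"sourceRanges": ["0.0.0.0/0"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": [80]}]}'
QUESTION_4 = '{"sourceRanges": ["10.0.0.0/16"], "targetTags": ["db-server"], "allowed": [{"IPProtocol": tcp, "ports": ["5432"]}]}'

def load_rule(text):
    """Return the parsed rule, or None when the text is not valid JSON."""
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return None

def port_matches(spec, port):
    """A ports entry is one port ("80") or a range ("8000-9000")."""
    low, _, high = str(spec).partition("-")
    return int(low) <= port <= int(high or low)

def rule_matches(rule, src_ip, protocol, port, instance_tags):
    """True when an ingress allow rule matches on target, source and protocol."""
    # Target: with no targetTags the rule covers every instance in the network.
    tags = rule.get("targetTags")
    if tags and not set(tags) & set(instance_tags):
        return False
    # Source: the origin address must fall inside one of the sourceRanges.
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in ipaddress.ip_network(r) for r in rule["sourceRanges"]):
        return False
    # Protocol: must equal the packet's; an entry without "ports" covers all ports.
    for entry in rule["allowed"]:
        if entry["IPProtocol"] == protocol:
            ports = entry.get("ports")
            if not ports or any(port_matches(p, port) for p in ports):
                return True
    return False

def exposure_findings(rule):
    """Flag the over-broad settings the questions warn about."""
    findings = []
    if any(ipaddress.ip_network(r).prefixlen == 0 for r in rule["sourceRanges"]):
        findings.append("source open to any address")
    if any(not e.get("ports") for e in rule["allowed"]):
        findings.append("no ports listed: every port of the protocol is allowed")
    return findings
```

Running the checks over each option before deployment shows why option B is the only one that admits TCP port 80 from 203.0.113.0/24 to "frontend" and nothing more.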