
Firewall rules concept in GCP - Practice Problems & Coding Challenges

Challenge - 5 Problems
Conceptual (intermediate)
Understanding Firewall Rule Priority in GCP

In Google Cloud Platform, firewall rules have a priority number. What happens when two firewall rules apply to the same VM and have conflicting actions but different priorities?

A. The rule with the lower priority number (smaller number) is applied.
B. Both rules are applied, and the VM blocks traffic if either rule blocks it.
C. The rule with the higher priority number (larger number) is applied.
D. The rule created first is applied regardless of priority.
💡 Hint

Think about priority as a ranking where smaller numbers mean higher importance.

Service behavior (intermediate)
Effect of Firewall Rule Direction on Traffic

You create a firewall rule in GCP with direction set to INGRESS. Which traffic does this rule control?

A. Traffic inside the VM itself.
B. Traffic leaving the VM to the internet.
C. Traffic between two VMs in different regions.
D. Traffic entering the VM from outside sources.
💡 Hint

Ingress means 'coming in'.

Configuration (advanced)
Firewall Rule to Allow SSH Access Only from Specific IP

You want to create a GCP firewall rule that allows SSH (port 22) access only from the IP address 203.0.113.5. Which configuration is correct?

A. Allow egress TCP traffic on port 22 to destination IP range 203.0.113.5/32.
B. Allow ingress UDP traffic on port 22 from source IP range 203.0.113.5/32.
C. Allow ingress TCP traffic on port 22 from source IP range 203.0.113.5/32.
D. Allow ingress TCP traffic on port 22 from source IP range 0.0.0.0/0.
💡 Hint

SSH uses TCP protocol and port 22. The source IP must be exact.

Security (advanced)
Impact of a Firewall Rule with Deny Action and High Priority

You create a firewall rule with deny action, priority 100, and source IP range 10.0.0.0/8. Another rule allows all traffic with priority 200. What will happen to traffic from 10.0.0.5?

A. Traffic from 10.0.0.5 is allowed because the allow rule has a lower priority number.
B. Traffic from 10.0.0.5 is denied because the deny rule has higher priority (lower number).
C. Traffic from 10.0.0.5 is allowed because deny rules are ignored if allow rules exist.
D. Traffic from 10.0.0.5 is dropped randomly due to conflicting rules.
💡 Hint

Remember that lower priority numbers mean higher priority and deny rules block traffic.

Architecture (expert)
Designing Firewall Rules for Multi-Tier Application in GCP

You have a multi-tier application with web servers, app servers, and database servers in separate subnetworks. You want to allow web servers to talk to app servers on port 8080, app servers to talk to database servers on port 5432, and block all other traffic between tiers. Which firewall rule setup achieves this?

A. Create allow ingress rules on app servers for TCP port 8080 from the web servers' subnet, allow ingress on database servers for TCP port 5432 from the app servers' subnet, and deny all other traffic between subnets.
B. Create allow egress rules on web servers for TCP port 8080 to the app servers' subnet, allow egress on app servers for TCP port 5432 to the database servers' subnet, and allow all other traffic between subnets.
C. Create allow ingress rules on all servers for all ports from all subnets, then deny ingress on database servers for port 5432.
D. Create deny ingress rules on app servers and database servers for all ports, then allow ingress on web servers for port 8080.
💡 Hint

Think about controlling incoming traffic on each server tier from the correct source subnet and port.

Practice

1. What is the main purpose of a firewall rule in Google Cloud Platform?
easy
A. To control network traffic by allowing or blocking it based on defined conditions
B. To store data securely in the cloud
C. To monitor user activity logs
D. To automatically backup virtual machines

Solution

  1. Step 1: Understand what firewall rules do

    Firewall rules are designed to control network traffic by specifying which traffic is allowed or denied.
  2. Step 2: Identify the correct function in GCP context

    In GCP, firewall rules specifically allow or block traffic based on protocols, ports, and IP ranges.
  3. Final Answer:

    To control network traffic by allowing or blocking it based on defined conditions -> Option A
  4. Quick Check:

    Firewall rules control traffic = A
Hint: Firewall rules manage traffic access, not data or backups
Common Mistakes:
  • Confusing firewall rules with data storage
  • Thinking firewall rules monitor logs
  • Assuming firewall rules handle backups
2. Which of the following is the correct way to specify a firewall rule to allow TCP traffic on port 80 from any IP address in GCP?
easy
A. protocol: 'tcp', ports: ['80'], sourceRanges: ['0.0.0.0/0']
B. protocol: 'udp', ports: ['80'], sourceRanges: ['0.0.0.0/0']
C. protocol: 'tcp', ports: ['22'], sourceRanges: ['0.0.0.0/0']
D. protocol: 'icmp', ports: ['80'], sourceRanges: ['0.0.0.0/0']

Solution

  1. Step 1: Identify the protocol and port for HTTP traffic

    HTTP uses TCP protocol on port 80.
  2. Step 2: Check the source IP range

    '0.0.0.0/0' means any IP address, which matches the requirement.
  3. Final Answer:

    protocol: 'tcp', ports: ['80'], sourceRanges: ['0.0.0.0/0'] -> Option A
  4. Quick Check:

    TCP port 80 from any IP = A
Hint: HTTP uses TCP port 80; source 0.0.0.0/0 means all IPs
Common Mistakes:
  • Using UDP instead of TCP for HTTP
  • Specifying wrong port like 22
  • Using ICMP protocol for port-based rules
3. Given this firewall rule in GCP:
{"direction": "INGRESS", "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "sourceRanges": ["192.168.1.0/24"]}

Which traffic will be allowed?
medium
A. UDP traffic on port 22 from IP 192.168.1.15
B. TCP traffic on port 22 from IP 192.168.1.15
C. TCP traffic on port 80 from IP 192.168.1.15
D. TCP traffic on port 22 from IP 10.0.0.5

Solution

  1. Step 1: Analyze the allowed protocol and port

    The rule allows TCP protocol on port 22 only.
  2. Step 2: Check the source IP range

    Only IPs in 192.168.1.0/24 are allowed, so 192.168.1.15 is included, but 10.0.0.5 is not.
  3. Final Answer:

    TCP traffic on port 22 from IP 192.168.1.15 -> Option B
  4. Quick Check:

    TCP port 22 from 192.168.1.x allowed = B
Hint: Match protocol, port, and source IP range exactly
Common Mistakes:
  • Allowing wrong port like 80
  • Allowing UDP instead of TCP
  • Ignoring source IP range restrictions
4. You created a firewall rule to allow TCP traffic on port 443 from IP range 10.0.0.0/16, but your VM instances cannot receive HTTPS traffic. What is the most likely mistake?
medium
A. The protocol should be UDP instead of TCP
B. The port number should be 80 instead of 443
C. The sourceRanges should be 0.0.0.0/0 to allow all traffic
D. The firewall rule direction is set to EGRESS instead of INGRESS

Solution

  1. Step 1: Understand traffic direction for incoming HTTPS

    HTTPS traffic comes into the VM, so the firewall rule must be INGRESS.
  2. Step 2: Check the rule direction

    If the rule is EGRESS, it controls outgoing traffic only, so incoming HTTPS is still blocked.
  3. Final Answer:

    The firewall rule direction is set to EGRESS instead of INGRESS -> Option D
  4. Quick Check:

    Ingress needed for incoming traffic = D
Hint: Ingress rules allow incoming traffic; check the direction
Common Mistakes:
  • Confusing ingress and egress directions
  • Changing port from 443 to 80 incorrectly
  • Opening sourceRanges too wide unnecessarily
5. You want to create a firewall rule that allows SSH (TCP port 22) access only from your office IP 203.0.113.5 and blocks all other SSH traffic. Which configuration achieves this securely?
hard
A. Allow TCP port 22 from 203.0.113.5 and deny TCP port 22 from 0.0.0.0/0
B. Allow TCP port 22 from 0.0.0.0/0 and deny TCP port 22 from 203.0.113.5
C. Allow TCP port 22 from 203.0.113.5 only, no other rules needed
D. Deny all TCP traffic and allow UDP port 22 from 203.0.113.5

Solution

  1. Step 1: Understand default firewall behavior

    By default, GCP denies all incoming traffic unless it is explicitly allowed.
  2. Step 2: Allow only SSH from office IP

    Allowing TCP port 22 from 203.0.113.5 only permits SSH from that IP; no deny rule needed.
  3. Step 3: Avoid conflicting rules

    Adding deny rules can cause conflicts; the simplest approach is to allow only the trusted IP.
  4. Final Answer:

    Allow TCP port 22 from 203.0.113.5 only, no other rules needed -> Option C
  5. Quick Check:

    Allow trusted IP only; default deny blocks others = C
Hint: Allow the trusted IP only; the default deny blocks everyone else
Common Mistakes:
  • Adding unnecessary deny rules causing conflicts
  • Allowing all IPs then trying to deny one
  • Using wrong protocol or port
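The priority and default-deny behaviour behind the "Deny Action and High Priority" challenge and Practice question 5 can be checked with a small simulator. This is an added example, not code from the page or from Google; the rule names, addresses and priorities are constructed, and it models the documented evaluation order (lowest priority number first, deny beats allow on a tie, implied deny-ingress and allow-egress at 65535).

```python
# Added example (not from the page): a small model of how GCP evaluates VPC firewall
# rules. Rule names, addresses and priorities below are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    priority: int            # 0-65535; the LOWER number is evaluated first
    direction: str           # "INGRESS" or "EGRESS"
    action: str              # "allow" or "deny"
    protocol: str = "all"    # "tcp", "udp", "icmp" or "all"
    ports: set = field(default_factory=set)  # empty set = all ports
    # source ranges for INGRESS, destination ranges for EGRESS
    ranges: list = field(default_factory=lambda: ["0.0.0.0/0"])

    def matches(self, direction, protocol, port, addr):
        if self.direction != direction or self.protocol not in ("all", protocol):
            return False
        if self.ports and port not in self.ports:
            return False
        return any(ip_address(addr) in ip_network(r) for r in self.ranges)


# GCP's implied rules: deny all ingress, allow all egress, both at the lowest priority
IMPLIED = [Rule("implied-deny-ingress", 65535, "INGRESS", "deny"),
           Rule("implied-allow-egress", 65535, "EGRESS", "allow")]


def evaluate(rules, direction, protocol, port, addr):
    """Return (action, rule_name) of the first matching rule: the lowest priority
    number wins, and at equal priority a deny rule beats an allow rule."""
    for r in sorted(rules + IMPLIED, key=lambda r: (r.priority, r.action != "deny")):
        if r.matches(direction, protocol, port, addr):
            return r.action, r.name
    return "deny", "no-match"  # unreachable for IPv4: the implied rules match everything


# Challenge "Deny Action and High Priority": deny 10.0.0.0/8 at 100 vs allow-all at 200
conflict = [Rule("deny-private", 100, "INGRESS", "deny", ranges=["10.0.0.0/8"]),
            Rule("allow-all", 200, "INGRESS", "allow")]
# Practice 5: allow SSH only from the office IP; the implied deny covers everyone else
ssh_only = [Rule("allow-office-ssh", 1000, "INGRESS", "allow", "tcp", {22}, ["203.0.113.5/32"])]

if __name__ == "__main__":
    print(evaluate(conflict, "INGRESS", "tcp", 443, "10.0.0.5"))     # ('deny', 'deny-private')
    print(evaluate(conflict, "INGRESS", "tcp", 443, "192.0.2.7"))    # ('allow', 'allow-all')
    print(evaluate(ssh_only, "INGRESS", "tcp", 22, "203.0.113.5"))   # ('allow', 'allow-office-ssh')
    print(evaluate(ssh_only, "INGRESS", "tcp", 22, "198.51.100.9"))  # ('deny', 'implied-deny-ingress')
```

Adding a deny rule for 0.0.0.0/0 (Practice option A) only changes the outcome if its priority number is lower than the allow rule's, which is the conflict the solution warns about.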