You have created a firewall with rules that only allow traffic over HTTP, HTTPS, and SSH ports. While testing, you specifically try to reach the server over multiple ports and protocols; however, you do not see any denied connections in the firewall logs. You want to resolve the issue.
What should you do?
A. Enable logging on the default Deny Any Firewall Rule.
B. Enable logging on the VM Instances that receive traffic.
C. Create a logging sink forwarding all firewall logs with no filters.
D. Create an explicit Deny Any rule and enable logging on the new rule.
D
https://cloud.google.com/vpc/docs/firewall-rules-logging?hl=en#specifications
D
Agree D: https://cloud.google.com/vpc/docs/firewall-rules-logging#egress_deny_example
D is the answer. Since GCP firewalls are deny-based and the logging feature needs a matching rule, you have to define an explicit deny and enable logging on that rule.
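To make the reasoning behind D concrete, here is an added Python model of how VPC firewall evaluation and Firewall Rules Logging interact. It is example code written for this thread, not Google's code or anything from the exam: it mirrors the documented semantics (lowest priority number wins; the implied allow-egress and deny-ingress rules sit at priority 65535 and cannot have logging enabled) using constructed rules and probes. The class and function names, the `default` network name, and the rule names are this example's own assumptions; the `gcloud compute firewall-rules create` flags it emits are real ones.

```python
"""Model of GCP VPC firewall evaluation and Firewall Rules Logging.

Added example for this thread; not Google's code or the exam's. The
rule set, probes, and names are constructed for illustration.
"""
from dataclasses import dataclass

IMPLIED_PRIORITY = 65535        # lowest precedence; the two implied rules live here
DISPOSITION = {"ALLOW": "ALLOWED", "DENY": "DENIED"}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str              # "INGRESS" or "EGRESS"
    action: str                 # "ALLOW" or "DENY"
    protocols: frozenset        # e.g. {"tcp:22", "tcp:80"} or {"all"}
    priority: int = 1000
    enable_logging: bool = False
    implied: bool = False

    def __post_init__(self):
        # Option A in the question is impossible: implied rules cannot log.
        if self.implied and self.enable_logging:
            raise ValueError(f"{self.name}: logging cannot be enabled on an implied rule")

    def matches(self, direction, proto, port):
        if self.direction != direction:
            return False
        return "all" in self.protocols or f"{proto}:{port}" in self.protocols


def implied_rules():
    """The two rules every VPC network has; they are not user-editable."""
    return [
        Rule("implied-allow-egress", "EGRESS", "ALLOW", frozenset({"all"}), IMPLIED_PRIORITY, False, True),
        Rule("implied-deny-ingress", "INGRESS", "DENY", frozenset({"all"}), IMPLIED_PRIORITY, False, True),
    ]


def evaluate(rules, direction, proto, port):
    """Return (matching rule, log entry or None) for one connection attempt."""
    for rule in sorted(list(rules) + implied_rules(), key=lambda r: r.priority):
        if rule.matches(direction, proto, port):
            entry = None
            if rule.enable_logging:     # only a matched rule with logging on produces an entry
                entry = {"rule": rule.name, "disposition": DISPOSITION[rule.action],
                         "proto": proto, "port": port}
            return rule, entry
    raise RuntimeError("unreachable: an implied rule always matches")


def denied_log_entries(rules, probes):
    """Run each (proto, port) ingress probe; return only the DENIED log entries."""
    entries = []
    for proto, port in probes:
        _, entry = evaluate(rules, "INGRESS", proto, port)
        if entry is not None and entry["disposition"] == "DENIED":
            entries.append(entry)
    return entries


def allow_web_ssh():
    """Constructed rule set from the question: allow SSH/HTTP/HTTPS, logging on."""
    return [Rule("allow-web-ssh", "INGRESS", "ALLOW",
                 frozenset({"tcp:22", "tcp:80", "tcp:443"}), 1000, True)]


def explicit_deny_all_ingress():
    """Option D: an explicit deny-all just above the implied deny, with logging on."""
    return Rule("deny-all-ingress", "INGRESS", "DENY", frozenset({"all"}), 65534, True)


def gcloud_create_command(rule, network="default"):
    """gcloud command that creates `rule` (real flags; the network name is assumed)."""
    cmd = ["gcloud", "compute", "firewall-rules", "create", rule.name,
           f"--network={network}", f"--direction={rule.direction}",
           f"--action={rule.action}", f"--rules={','.join(sorted(rule.protocols))}",
           f"--priority={rule.priority}"]
    if rule.direction == "INGRESS":
        cmd.append("--source-ranges=0.0.0.0/0")
    if rule.enable_logging:
        cmd.append("--enable-logging")
    return " ".join(cmd)


# Constructed probes: three allowed ports plus two that should be denied.
PROBES = [("tcp", 22), ("tcp", 80), ("tcp", 443), ("tcp", 3389), ("udp", 53)]

if __name__ == "__main__":
    print("before:", denied_log_entries(allow_web_ssh(), PROBES))        # nothing logged
    with_deny = allow_web_ssh() + [explicit_deny_all_ingress()]
    print("after: ", denied_log_entries(with_deny, PROBES))             # 3389 and 53 logged
    print(gcloud_create_command(explicit_deny_all_ingress()))
```

Without the explicit rule, the RDP and DNS probes fall through to the implied deny, which matches but can never log, so the "before" list is empty even though the packets were dropped. Adding a deny-all at priority 65534 keeps the allow rules at 1000 winning for the permitted ports while catching everything else on a rule that can log; that is exactly the gap between options A and D.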