Definitely B. It says you "believe" you have a bad actor, and want to confirm this "while minimizing disruption to your legitimate users." [A] would block the traffic suspected IP, causing disruption to a legitimate user if you were wrong about the actor [B] Correct - You can log the requests by Client IP, and Preview Mode will not cause disruption to anyone, while you investigate. [C] Global Load balancers are Proxies, as Jordi says. This could work for Network load balancers, which are not proxies, but they are regional and not global. [D] As above, even if you could block from an NLB, it would cause disruption to someone.

Exam on 2024-05-02

Cloud Armor Policy Rule: Cloud Armor is a security service in Google Cloud that provides defenses against web-based threats. When you create a Cloud Armor Policy rule, you can specify conditions under which traffic should be denied. Enable Preview Mode: Preview mode is a feature in Cloud Armor that allows you to simulate the impact of the rules without enforcing them. Enabling preview mode means that the rules will not actively block traffic; instead, they will generate logs for matched traffic. Review Necessary Logs: With preview mode enabled, you can review the logs to identify potential threats and gather information about the traffic without immediately disrupting legitimate users.

B. Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review necessary logs. This option allows you to create a Cloud Armor Policy rule that denies traffic from the potential malicious actor while minimizing disruption to legitimate users. Enabling preview mode allows you to test the rule and see how it would impact traffic without actually enforcing it. By reviewing necessary logs, you can verify if the identified client IP address is indeed the malicious actor or not. Once you have confirmed the malicious actor's IP address, you can then enforce the Cloud Armor Policy rule to block their traffic and prevent any further potential threats.

B: Preview mode You can preview the effects of a rule without enforcing it. In preview mode, actions are noted in Cloud Monitoring. You can choose to preview individual rules in a security policy, or you can preview every rule in the policy. You can enable preview mode for a rule by using the Google Cloud CLI and the --preview flag of gcloud compute security-policies rules update.

B - You can log the requests by Client IP, and Preview Mode will not cause disruption to anyone, while you investigate.

Google Cloud Platform (GCP) provides a controlled way to debug these rules with real traffic. The best part is that users are not affected, since we can select them in “preview only” mode. This means that every time one of these rules is triggered, it will simply be logged and let the traffic through. Obviously, by activating preview mode, we will not be securing our platform in any way, Still, in this way, we are able to avoid false positives and gradually add each of these rules. https://www.makingscience.com/blog/protect-your-websites-and-applications-with-google-cloud-armor-waf/

The correct answer is B

The Global External Load Balancer is a proxy, so the only way to see origin its is from Cloud Armor. Answer is B

[B] Correct - You can log the requests by Client IP, and Preview Mode will not cause disruption to anyone, while you investigate.

Answer is : B

https://jayendrapatil.com/tag/security-policies/. This guy says B too.

B for sure. It is possible to deny traffic at VM level with firewall rules (firewall rules won't apply to a LB; LB will always allow a request unless there is a Cloud Armor policy). But firewall policies do not have a preview mode, only Cloud Armor does!

I voted for B https://cloud.google.com/armor/docs/security-policy-overview#preview_mode

B is the one

It is "D". The malicious IP Address is know and with D the FW rule blocks only a sigle IP

Ans - B