Exam Professional Cloud Security Engineer topic 1 question 6 discussion

Answer is A

This question is asking us about "Web application" ... You have to think directly in the WAF ... So first thing is Cloud Amor... If you keep reading this talk aboyt SYN, That's a TCP Protocol from L4 and VPC Frules are L3 (IP not transport layer)... A.

C and D are wrong. So its A or B. standard DDoS is fullfilled for both, but for A you need a load-balancer and it costs additional. In the question it is only 3-tier, which does not need a loadbalancer and it is specifically mentioned that the do not need the advanced secxurity, which would come with cloud armor at additional costs. That only leaves B.

Answer is A.

Answer is B

I will still stick with A since Cloud Armor supports regional internal application load balancer: https://cloud.google.com/load-balancing/docs/l7-internal#backend-features https://cloud.google.com/load-balancing/docs/l7-internal/int-https-lb-tf-examples Also the question does not ask for cross region, Cloud Armor should be an easier and safer bet.

Cloud Armor: This service is specifically designed for web application and API protection. It allows you to configure rules based on IP addresses (CIDR ranges), and it includes built-in DDoS protection, including SYN flood protection. This directly addresses the customer's requirements. Here's why the other options are not the best fit: B. VPC Firewall Rules: These are primarily for controlling traffic within your VPC network. While you can restrict traffic based on IP addresses, they don't offer the advanced DDoS protection capabilities of Cloud Armor.

VPC Firewall Rules will allow you to control access based on CIDR ranges, ensuring that only traffic from the specified IP addresses is permitted. Additionally, GCP provides built-in SYN flood protection as part of its infrastructure. This solution aligns with both the internal compliance requirements and the acceptance of the risk regarding SYN flood attacks.

While Cloud Armor offers advanced DDoS protection, it's not the most suitable choice for restricting access based on known good CIDRs in this scenario. Cloud Armor excels at mitigating volumetric DDoS attacks like SYN floods, but its access control mechanisms aren't specifically designed for CIDR-based whitelisting.

For internal web application, it shall be used by VPC Firewall Rules

Can Cloud Armor be used for INTERNAL Applications ? I think - NO, as it is used for External attacks- so Answer should be - B VPC Firewall Rules. Verified from ChatGPT3.5

Answer A if no Load balancer used

Answer is A

https://cloud.google.com/blog/products/identity-security/how-google-cloud-blocked-largest-layer-7-ddos-attack-at-46-million-rps

https://cloud.google.com/files/GCPDDoSprotection-04122016.pdf It doesn't say a word about cloud Armor in the context of DDoS attacks because it is not the main feature of Cloud Armor. In the DDoS mitigation best practices only mentioned Load Balancer, Firewall rules and CDN. So I don't know if it is either Firewall rules or CDN. Most likely Firewall rules since CDN doesn't directly prevent the attack more like distributes it through multiple global endpoints. Little bit tricky question.

It is an internal web application and they need to allow access only for user traffic originated from a specific CIDR. They are fine with just default SYN flood protection. This can very well be handled by a VPC firewall rule.

For CIDR check the firewall is sufficient and SYN flood protection is already given by the regular load balancer in front of the service. Armor gives much more than just SYN flood protection and given the statement "their application will only have SYN flood DDoS protection" this is another vote against Armor.