Exam Professional Cloud Network Engineer topic 1 question 34 discussion

D should be the answer. "Globally distributed users report that their SMTP and IMAP services are slow" --> means it's needed to be global, traffic type is TCP. "end-to-end encryption" +"you do not have access to the SSL certificates" ---> means that you can not use client certificate to configure on LB to do SSL offload. As per the reference below, only TCP proxy Load Balancer. https://cloud.google.com/load-balancing/docs/choosing-load-balancer

I go with D, https://cloud.google.com/load-balancing/docs/choosing-load-balancer SSL offload yes >> SSL proxy SSL offload no >> TCP proxy

No access to SSL then you cannot do SSL offloading, you should do passthrough and let the backend deal with the SSL part

The correct answer is D. The TCP proxy load balancer is ideal for applications like SMTP and IMAP that require end-to-end encryption but where SSL certificates are not accessible. It operates at the transport layer (Layer 4) and provides secure, encrypted traffic forwarding for non-HTTP(S) protocols such as IMAP and SMTP. It ensures that your traffic remains encrypted while reducing latency for globally distributed users. The other load balancers either require access to SSL certificates (SSL Proxy and HTTPS load balancers) or are not suitable for Layer 4 protocols (Network Load Balancer).

TCP Proxy load balancer does not provide the end to end encryption by itself.

Not HTTP => Network LB category Passthrough is not global => Global External Proxy Network LB Since creating a Google-managed certificate should still be possible, question A is correct (Global External Proxy Network LB with SSL).

I've changed my answer to B here's why: Both SSL Proxy and TCP Proxy Load Balancers are designed for situations where you can terminate SSL sessions at the load balancer level, allowing for SSL offloading. However, they are not suitable for scenarios requiring end-to-end encryption without SSL termination at the load balancer, especially when SSL certificates are not available for such termination. Since you have no access to SSL certificate you cannot offload it... Therefore it's the responsibility of the end devices. So you the best answer now is Answer B: Network Load Balancer

Explanation: The TCP proxy load balancer operates at the transport layer (Layer 4) and is designed for TCP-based protocols like SMTP and IMAP. Unlike the HTTPS load balancer, the TCP proxy load balancer does not terminate SSL, making it suitable for scenarios where SSL certificates are not accessible or not required. It allows you to distribute TCP traffic without handling SSL encryption or decryption, making it a good choice when end-to-end encryption is not a strict requirement.

This is D. I know this isn't super clear in the docs. But the best way to identify is as below: 1) If you go to SSL Proxy (https://cloud.google.com/load-balancing/docs/ssl/setting-up-ssl), you have to choose a certificate (There is no option to do away without it) 2) If you select TCP Proxy (https://cloud.google.com/load-balancing/docs/tcp/setting-up-tcp), there is no need to choose certificate

Since end-to-end encryption is required, the SSL Proxy Load Balancer is the appropriate choice as it allows the SSL/TLS traffic to pass through to the backends unchanged, preserving end-to-end encryption. Network Load Balancer and TCP Proxy Load Balancer do not provide end-to-end encryption for the application protocol. HTTPS Load Balancer is not appropriate because you do not have access to the SSL certificates.Therefore, the correct answer is A. SSL proxy load balancer.

A is the correct answer. https://cloud.google.com/load-balancing/docs/ssl#ssl_certificates

D: It specifically states they don't”have access to the SSL certs" not that they don't have them at all. This means they are unable to configure the client SSL certs on the LB itself and SSL offload is not required. Answer points to D for TCP Proxy.

TCP Load Balancer doesn't require a certificate and can route encrypted traffic.

D is right.

I would go with D

Answer is : D

D is sure for me.