ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud Network Engineer All Questions

View all questions & answers for the Professional Cloud Network Engineer exam
Go to Exam

Exam Professional Cloud Network Engineer topic 1 question 52 discussion

Actual exam question from Google's Professional Cloud Network Engineer
Question #: 52
Topic #: 1
[All Professional Cloud Network Engineer Questions]

Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You have recently engaged a traffic-scrubbing service and want to restrict your origin to allow connections only from the traffic-scrubbing service.
What should you do?

  • A. Create a Cloud Armor Security Policy that blocks all traffic except for the traffic-scrubbing service.
  • B. Create a VPC Firewall rule that blocks all traffic except for the traffic-scrubbing service.
  • C. Create a VPC Service Control Perimeter that blocks all traffic except for the traffic-scrubbing service.
  • D. Create IPTables firewall rules that block all traffic except for the traffic-scrubbing service.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by lukedj87 at Nov. 10, 2020, 6:19 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
Vidyasagar
Highly Voted 3 years, 8 months ago
A is correct
upvoted 15 times
...
cesar7816
Highly Voted 4 years ago
Ans is A, Cloud Armor is used for LB, there is no way we can use FW rules at LB level
upvoted 9 times
...
saraali
Most Recent 4 months ago
Selected Answer: A
The best option is A: Create a Cloud Armor Security Policy that blocks all traffic except for the traffic-scrubbing service. Explanation: Cloud Armor is specifically designed to protect your Google Cloud resources, including those behind a load balancer, by filtering traffic based on IP, region, or other criteria. In this case, you can define a Cloud Armor security policy that allows traffic only from the traffic-scrubbing service and blocks everything else.
upvoted 1 times
...
desertlotus1211
10 months ago
Answer is B: Cloud Armor is used for DDOS attacks and HTTPs requests, etc. VPC FW rules are more appropriate.
upvoted 1 times
...
xhilmi
12 months ago
Selected Answer: A
By creating a Cloud Armor Security Policy, you can define rules that explicitly allow traffic only from the IP addresses associated with the traffic-scrubbing service. This way, you can effectively block all other traffic at the edge, preventing it from reaching your backend instances. In summary, Option A leverages Cloud Armor's capabilities to enforce security policies at the edge, making it a suitable choice for restricting access to your gaming service's origin only to the traffic-scrubbing service while blocking all other traffic.
upvoted 2 times
...
i_0_i
1 year, 4 months ago
Answer should be A. Refer to this link, https://cloud.google.com/armor/docs/integrating-cloud-armor#https-vpc-firewall-rules 1, GCP Armor security policies act on the edge and block the unpermitted traffic from entering cloud; 2, VPC firewall sits between external load balancer and provides further protection. Note from VPC firewall's point of view, the source ip ranges from LB are not the client's original ip ranges, they're external LB's ip ranges as external LBs are proxies.
upvoted 2 times
...
didek1986
1 year, 4 months ago
Selected Answer: A
cause this is fail fast so earlier block access
upvoted 2 times
...
Hetavi
1 year, 6 months ago
question says that it wants to restrict origin. So origin is external IP in this case. The external origin will hit load balancer . So security to be applied on load balancer with Armor. Hence answer should be A
upvoted 1 times
...
Komal697
1 year, 8 months ago
Selected Answer: B
To restrict your origin to allow connections only from the traffic-scrubbing service, you can create a VPC firewall rule that blocks all traffic except for the traffic-scrubbing service's IP range. This will prevent any external traffic from reaching your instances, except for the traffic coming from the traffic-scrubbing service.
upvoted 1 times
Komal697
1 year, 8 months ago
Option A is also a valid solution, as you can create a Cloud Armor security policy that allows traffic only from the traffic-scrubbing service's IP range. However, Cloud Armor is an additional layer of protection that can be used to augment the firewall rules, but it may not be necessary to use it exclusively in this case. Option C is not suitable for this scenario, as VPC Service Controls are used to restrict access to Google APIs and services, not to limit incoming traffic to a specific IP range. Option D is also not suitable, as IPTables firewall rules are typically used in Linux-based systems, and GCP provides a more comprehensive and integrated firewall service through VPC firewall rules.
upvoted 1 times
desertlotus1211
1 year, 7 months ago
There's no mention in the question about any limiting factors. What is Best Practice?
upvoted 1 times
...
...
...
subhala
1 year, 9 months ago
If traffic scrubbing svc is internal, B is the right answer. If it is external and LB is HTTP, then A, that is Cloud Armor is right answer..
upvoted 2 times
gcpengineer
1 year, 4 months ago
global LB is external
upvoted 1 times
...
...
Melampos
1 year, 10 months ago
Selected Answer: C
Restrict resource access to allowed IP addresses, identities, and trusted client deviceshttps://cloud.google.com/vpc-service-controls
upvoted 1 times
...
AzureDP900
2 years ago
A. Create a Cloud Armor Security Policy that blocks all traffic except for the traffic-scrubbing service.
upvoted 1 times
...
small1_small2
2 years, 3 months ago
Selected Answer: A
A is correct, Cloud Armor whitelisting ensure only certain IP address can access the LB. deny all connection by default
upvoted 2 times
...
vladani
2 years, 10 months ago
why not A? Can someone elaborate?
upvoted 1 times
clooudy
2 years, 10 months ago
answer is A
upvoted 1 times
...
...
kumarp6
2 years, 11 months ago
Answer is : A
upvoted 2 times
...
desertlotus1211
2 years, 11 months ago
If it's a gaming application - more than likely they're using a HTTPS LB
upvoted 1 times
...
PeppaPig
3 years, 3 months ago
Really bad formed question, really ambiguous Is the traffic-scrubbing an external service, or one inside of your VPC? Is the global LB a HTTP LB or TCP/SSL on L4? As already pointed out by others, Cloud Armor only works togherther with global HTTP LB.
upvoted 1 times
Taliesyn
2 years, 7 months ago
https://cloud.google.com/armor/docs/security-policy-overview Google Cloud Armor security policies are available only for backend services behind an external HTTP(S) load balancer, TCP proxy load balancer, or an SSL proxy load balancer. The load balancer can be in Premium Tier or Standard Tier.
upvoted 1 times
...
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel