An engineering team is launching a web application that will be public on the internet.
The web application is hosted in multiple GCP regions and will be directed to the respective backend based on the URL request.
Your team wants to avoid exposing the application directly on the internet and wants to deny traffic from a specific list of malicious IP addresses. Which solution should your team implement to meet these requirements?
A. B. C. D.
Correct answer: A.
Reference: https://cloud.google.com/armor/docs/security-policy-concepts
The engineering team needs a solution that protects the web application from malicious traffic while serving it from backends in multiple regions. They also want to avoid exposing the web application directly on the internet and to deny traffic from a specific list of malicious IP addresses.
Among the given options, the best solution for the engineering team's requirements is to implement Cloud Armor.
Cloud Armor is a security service provided by Google Cloud Platform (GCP) that helps protect applications and services from Distributed Denial of Service (DDoS) attacks and other threats by providing a central point to define, enforce, and monitor security policies. A security policy is attached to the backend services of the global external HTTP(S) load balancer and is evaluated at Google's edge, before a request reaches any backend. Cloud Armor allows creating and configuring custom security policies that define which traffic is allowed or blocked based on source IP addresses, HTTP headers, request paths and other attributes.
By using Cloud Armor, the engineering team can create a custom security policy with deny rules whose source IP ranges are the specific list of malicious IP addresses. Cloud Armor also ships preconfigured WAF rules that can be referenced from a policy to block common attacks, such as SQL injection and cross-site scripting (XSS).
Additionally, the team can configure Cloud Armor to allow only traffic from a specific set of IP addresses, or to block traffic based on HTTP headers, request paths or other request attributes. Rules are evaluated in priority order and the first match decides, so the deny rules for the blocklist must be given a higher priority (a lower number) than any broad allow rule, and every policy ends with a default rule that handles whatever nothing else matched. This provides granular control over what traffic is allowed to reach the web application.
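The blocklist policy described above, as an added example that is not part of the original page and not Google's own tooling. It builds the policy in the shape of the Compute Engine API SecurityPolicy resource, dry-runs the first-match-by-priority evaluation that Cloud Armor applies, splits a long blocklist across rules to respect the documented limit of 10 IP ranges per rule, and renders the equivalent gcloud commands. The blocklist entries, the policy name `deny-malicious-ips` and the backend service name `web-backend` are constructed sample values.

```python
"""Build, dry-run and render a Cloud Armor security policy that denies a blocklist of IPs.

Added example: mirrors the Compute Engine API SecurityPolicy resource shape
(rules with priority / action / match.config.srcIpRanges) and Cloud Armor's
first-match-by-priority evaluation. Nothing here calls GCP.
"""
import ipaddress
from typing import Dict, List, Tuple

DEFAULT_RULE_PRIORITY = 2147483647  # priority reserved for the mandatory default rule
MAX_RANGES_PER_RULE = 10            # Cloud Armor limit on srcIpRanges per rule

# Constructed sample blocklist: a duplicate, bare hosts, an IPv6 prefix and a typo.
MALICIOUS_IPS = [
    "198.51.100.23", "198.51.100.23", "203.0.113.0/24", "192.0.2.77",
    "2001:db8:bad::/48", "300.1.1.1",
]


def normalize_blocklist(entries: List[str]) -> Tuple[List[str], List[str]]:
    """Return (valid_cidrs, rejected_entries). Bare hosts become /32 or /128,
    duplicates collapse, and anything that does not parse is reported, not applied."""
    seen, valid, rejected = set(), [], []
    for raw in entries:
        try:
            net = ipaddress.ip_network(raw.strip(), strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        if net.with_prefixlen not in seen:
            seen.add(net.with_prefixlen)
            valid.append(net.with_prefixlen)
    return valid, rejected


def build_blocklist_policy(name: str, cidrs: List[str], first_priority: int = 1000) -> Dict:
    """Chunk the blocklist into deny rules of at most MAX_RANGES_PER_RULE ranges,
    one priority each, followed by the default allow rule."""
    rules = []
    for i in range(0, len(cidrs), MAX_RANGES_PER_RULE):
        rules.append({
            "priority": first_priority + i // MAX_RANGES_PER_RULE,
            "action": "deny(403)",
            "description": "blocklisted source IPs",
            "match": {"versionedExpr": "SRC_IPS_V1",
                      "config": {"srcIpRanges": cidrs[i:i + MAX_RANGES_PER_RULE]}},
        })
    rules.append({
        "priority": DEFAULT_RULE_PRIORITY,
        "action": "allow",
        "description": "default rule",
        "match": {"versionedExpr": "SRC_IPS_V1", "config": {"srcIpRanges": ["*"]}},
    })
    return {"name": name, "rules": rules}


def evaluate(policy: Dict, client_ip: str) -> str:
    """Dry-run the policy for one client IP: lowest priority number is checked first,
    the first matching rule decides, '*' matches every address."""
    ip = ipaddress.ip_address(client_ip)
    for rule in sorted(policy["rules"], key=lambda r: r["priority"]):
        for rng in rule["match"]["config"]["srcIpRanges"]:
            if rng == "*" or ip in ipaddress.ip_network(rng, strict=False):
                return rule["action"]
    raise ValueError("no rule matched; a well-formed policy always has a default rule")


def gcloud_commands(policy: Dict, backend_service: str) -> List[str]:
    """Render the equivalent gcloud commands: create the policy, add each deny rule,
    attach the policy to the backend service behind the global external HTTP(S) LB."""
    name = policy["name"]
    cmds = [f"gcloud compute security-policies create {name}"]
    for rule in policy["rules"]:
        if rule["priority"] == DEFAULT_RULE_PRIORITY:
            continue  # the default rule exists as soon as the policy is created
        action = "deny-403" if rule["action"] == "deny(403)" else "allow"
        ranges = ",".join(rule["match"]["config"]["srcIpRanges"])
        cmds.append(f"gcloud compute security-policies rules create {rule['priority']} "
                    f"--security-policy {name} --src-ip-ranges {ranges} --action {action}")
    cmds.append(f"gcloud compute backend-services update {backend_service} "
                f"--security-policy {name} --global")
    return cmds


if __name__ == "__main__":
    valid, rejected = normalize_blocklist(MALICIOUS_IPS)
    print("rejected entries:", rejected)
    policy = build_blocklist_policy("deny-malicious-ips", valid)
    for probe in ("203.0.113.9", "198.51.100.23", "2001:db8:bad::1", "8.8.8.8"):
        print(f"{probe:>18} -> {evaluate(policy, probe)}")
    print("\n".join(gcloud_commands(policy, "web-backend")))
```

Running the module prints which entries were rejected, the decision for each probe address, and the gcloud commands to apply. The dry-run is the useful part: it lets you confirm that an address inside a blocklisted prefix is denied and that everything else falls through to the default allow rule before the policy is attached to a production backend service, and it surfaces typos in the list instead of silently turning them into rules.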
To direct traffic to the respective backend based on the URL request, the team needs a load balancer that understands HTTP, which is the global external HTTP(S) Load Balancer with a URL map. Neither Network Load Balancing nor SSL Proxy Load Balancing, the other load balancers among the provided options, can do this.
Network Load Balancing is a regional, pass-through load balancing service provided by GCP that distributes incoming traffic across multiple instances in a single region. It works at the transport layer (Layer 4) and can route traffic based on IP protocol, IP address, and port number, so it cannot inspect a URL and cannot front backends in several regions.
SSL Proxy Load Balancing is a global load balancing service, but it also works at Layer 4: it terminates SSL/TLS connections at Google's edge and forwards the decrypted TCP stream to backend instances. It is intended for non-HTTP TLS traffic and does not parse HTTP, so it cannot route based on the URL path either.
Neither Network Load Balancing nor SSL Proxy Load Balancing can direct traffic to the respective backend based on the URL request, and neither provides by itself a way to deny traffic from a list of malicious IP addresses; that is the job of a Cloud Armor security policy attached to the backend services of the HTTP(S) load balancer.
Finally, NAT Gateway (Cloud NAT) is a service that allows instances without public IP addresses to reach the internet while keeping the instances private. It provides network address translation (NAT) for outbound connections only; it accepts no inbound traffic, so it can neither front a public web application nor filter malicious source IP addresses.
Therefore, the best solution for the engineering team's requirements is to implement Cloud Armor. The security policy with the deny rules for the malicious IP addresses is attached to the backend services of the global external HTTP(S) Load Balancer, whose URL map directs each request to the respective regional backend. Because clients only ever reach the load balancer's anycast IP and the backends keep private addresses, the application is not exposed directly on the internet, and blocklisted sources are rejected at the edge before they reach any backend.