Your company offers a popular gaming service.
Your instances are deployed with private IP addresses, and external access is granted through a global load balancer.
You have recently engaged a traffic-scrubbing service and want to restrict your origin to allow connections only from the traffic-scrubbing service.
What should you do?
Answer: B.
To restrict your origin to allow connections only from the traffic-scrubbing service, you need an access-control mechanism that can selectively permit or block incoming traffic based on its source IP address. Here is how each of the four options would approach that:
A. Create a Cloud Armor Security Policy that blocks all traffic except for the traffic-scrubbing service. Cloud Armor is a managed security service that allows you to define and enforce granular access control policies for HTTP(S) load balancers and backend services. To use Cloud Armor in this scenario, you would need to create a security policy that denies all traffic by default and allows traffic only from the IP addresses of the traffic-scrubbing service. This can be done by adding an allow rule with a source IP condition that matches the traffic-scrubbing service's IP addresses.
B. Create a VPC Firewall rule that blocks all traffic except for the traffic-scrubbing service. VPC firewall rules are used to control inbound and outbound traffic for instances in a VPC network. To use VPC firewall rules in this scenario, you would need to block all incoming traffic by default and allow traffic only from the IP addresses of the traffic-scrubbing service. This can be done with an ingress allow rule whose source IP range matches the traffic-scrubbing service's IP addresses, combined with a lower-priority ingress deny rule for all other traffic.
C. Create a VPC Service Control Perimeter that blocks all traffic except for the traffic-scrubbing service. VPC Service Controls allow you to create security perimeters around your Google Cloud services and restrict access based on context-aware policies. To use VPC Service Controls in this scenario, you would need to create a perimeter that denies all traffic by default and allows traffic only from the IP addresses of the traffic-scrubbing service. This can be done by creating an access level with a source IP condition that matches the traffic-scrubbing service's IP addresses and associating it with the perimeter.
D. Create iptables firewall rules that block all traffic except for the traffic-scrubbing service. iptables is a built-in Linux firewall utility that allows you to create and manage firewall rules for incoming and outgoing traffic. To use iptables in this scenario, you would need to block all incoming traffic by default and allow traffic only from the IP addresses of the traffic-scrubbing service. This can be done by adding an ACCEPT rule to the INPUT chain with a source IP condition that matches the traffic-scrubbing service's IP addresses, followed by a DROP rule (or a DROP default policy) for all other traffic.
Out of these four options, option A is the most appropriate and recommended one for a Google Cloud environment as it uses a managed security service that is specifically designed for this purpose and can be easily integrated with global load balancers. Option B is also a valid option, but it requires more manual configuration and is less scalable than Cloud Armor. Option C is not well-suited for this scenario as it is designed for controlling access to Google Cloud services rather than individual instances. Option D is not recommended as it requires manual configuration and maintenance of firewall rules on each instance, which can be error-prone and time-consuming.
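The following is an added example, not part of the original question or answer, that models the allow-list-plus-default-deny structure of option A (a Cloud Armor security policy) and contrasts it with option B (a VPC firewall rule). The scrubbing-service ranges, the policy name and the backend-service name are constructed placeholders; the default-rule priority 2147483647, the limit of 10 source ranges per Cloud Armor rule, and the Google front-end ranges 130.211.0.0/22 and 35.191.0.0/16 are documented Google Cloud values. The `gcloud` commands are assembled as strings so the script runs offline.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample ranges standing in for the traffic-scrubbing service's
# egress addresses (assumption: the real ranges come from the vendor).
SCRUBBER_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]

# Hypothetical resource names used in the generated gcloud commands.
POLICY_NAME = "origin-allow-scrubber-only"
BACKEND_SERVICE = "gaming-backend"

# Cloud Armor's default rule always has this fixed, lowest priority.
DEFAULT_RULE_PRIORITY = 2147483647
# Cloud Armor accepts at most 10 source IP ranges per rule.
MAX_RANGES_PER_RULE = 10

# Source addresses a backend instance actually sees for traffic proxied by a
# global external load balancer (Google front ends and health checkers).
GFE_PROXY_RANGES = [ipaddress.ip_network(r) for r in ("130.211.0.0/22", "35.191.0.0/16")]


@dataclass
class Rule:
    priority: int
    action: str
    src_ranges: Optional[list]  # None means "match every request" (the default rule)

    def matches(self, ip) -> bool:
        if self.src_ranges is None:
            return True
        return any(ip.version == net.version and ip in net for net in self.src_ranges)


def build_policy(scrubber_ranges: List[str]) -> List[Rule]:
    """Allow-list the scrubber, deny everything else (option A's structure)."""
    nets = [ipaddress.ip_network(r, strict=True) for r in scrubber_ranges]
    rules = []
    # Split the allow-list across several rules to respect the per-rule limit.
    for i in range(0, len(nets), MAX_RANGES_PER_RULE):
        rules.append(Rule(1000 + i // MAX_RANGES_PER_RULE, "allow",
                          nets[i:i + MAX_RANGES_PER_RULE]))
    rules.append(Rule(DEFAULT_RULE_PRIORITY, "deny-403", None))
    return sorted(rules, key=lambda r: r.priority)


def evaluate(policy: List[Rule], client_ip: str) -> str:
    """Return the action Cloud Armor would take: the lowest priority number that matches wins."""
    ip = ipaddress.ip_address(client_ip)
    for rule in policy:
        if rule.matches(ip):
            return rule.action
    raise ValueError("policy has no default rule")


def is_proxy_source(ip: str) -> bool:
    """True when the address is one a load-balanced instance sees as the packet source."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GFE_PROXY_RANGES)


def vpc_firewall_matches(scrubber_ranges: List[str], source_seen_by_instance: str) -> bool:
    """Option B: would an instance-level allow rule keyed on the scrubber's ranges
    match the source address the instance actually receives the packet from?"""
    addr = ipaddress.ip_address(source_seen_by_instance)
    return any(addr in ipaddress.ip_network(r) for r in scrubber_ranges)


def gcloud_commands(policy_name: str, backend_service: str, scrubber_ranges: List[str]) -> List[str]:
    """Emit the gcloud commands that create the policy modelled by build_policy()."""
    cmds = [f"gcloud compute security-policies create {policy_name} "
            f"--description 'origin accepts only the traffic-scrubbing service'"]
    for rule in build_policy(scrubber_ranges):
        if rule.src_ranges is None:
            # The default rule already exists; only its action is changed.
            cmds.append(f"gcloud compute security-policies rules update {rule.priority} "
                        f"--security-policy {policy_name} --action {rule.action}")
        else:
            ranges = ",".join(str(n) for n in rule.src_ranges)
            cmds.append(f"gcloud compute security-policies rules create {rule.priority} "
                        f"--security-policy {policy_name} --src-ip-ranges {ranges} "
                        f"--action {rule.action}")
    cmds.append(f"gcloud compute backend-services update {backend_service} "
                f"--security-policy {policy_name} --global")
    return cmds


if __name__ == "__main__":
    policy = build_policy(SCRUBBER_RANGES)
    for ip in ["203.0.113.7", "198.51.100.200", "192.0.2.10"]:
        print(f"{ip:16} -> {evaluate(policy, ip)}")
    # Behind the global load balancer the instance sees a front-end address, so
    # a VPC firewall rule on the instance cannot identify the scrubbing service.
    proxied = "130.211.1.5"
    print("source is a proxy address:", is_proxy_source(proxied))
    print("VPC firewall allow rule matches it:", vpc_firewall_matches(SCRUBBER_RANGES, proxied))
    print("\n".join(gcloud_commands(POLICY_NAME, BACKEND_SERVICE, SCRUBBER_RANGES)))
```

Running the script shows 203.0.113.7 allowed, 198.51.100.200 (outside the /25) and 192.0.2.10 denied with 403, and the VPC-firewall check returning False for a proxied source: the Cloud Armor policy is evaluated at the load balancer where the real client address is still visible, whereas an instance-level VPC firewall rule only ever sees the front-end proxy address, which is why option A fits a globally load-balanced origin and option B needs the extra work the answer describes.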