Answer: Create Cloud Armor Security Policy with the source ip ranges.

The correct answer is A: Create Cloud Armor Security Policy with the source IP ranges. Here’s why: The requirement is to allow only traffic from Fastly’s IP address ranges to reach the External HTTP(S) Load Balancer. Firewall rules (options C and D) will not work for this because firewall rules in Google Cloud apply to backend instances, not to the load balancer’s frontend. To filter traffic before it reaches the backend, you must use Google Cloud Armor. Cloud Armor can filter traffic based on either manually specified source IP ranges or Google’s preconfigured IP lists. Preconfigured IP lists are maintained by Google for certain well-known services (like Googlebot or Office 365). However, Fastly is not one of the preconfigured IP lists in Cloud Armor. This means you cannot simply reference a “sourceiplist-fastly” in a rule (which is what option B implies). Instead, you must manually enter Fastly’s published IP ranges into the Cloud Armor security policy. Therefore, the correct approach is to create a Cloud Armor security policy and add a rule that allows only the Fastly IP ranges, and then attach that policy to the load balancer’s backend service. This ensures that only requests from Fastly’s IP ranges are allowed through, and all other traffic is denied. Final answer: A.

Author: LeetQuiz Editorial Team