
Answer-first summary for fast verification
Answer: Create a Google Cloud Armor policy, and apply it to a backend service that uses an internet network endpoint group (NEG) backend.
The question requires a policy that filters malicious traffic (such as XSS payloads) and specific IP addresses at the edge of the VPC. Google Cloud Armor is designed for this purpose: it provides Layer 7 security policies for external HTTP(S) load balancers, including preconfigured WAF rules for cross-site scripting and IP allow/deny rules. Because the presentation-tier resources are still on-premises, the load balancer must reach them through an **internet network endpoint group (NEG)** backend, which routes traffic to an external FQDN or IP address rather than to Compute Engine instances. Cloud Armor policies are attached to the backend services of the load balancer, so a policy on a backend service that uses an internet NEG inspects and filters requests before they are forwarded to the on-premises resources. Option C is therefore correct. Option A attaches Cloud Armor to an unmanaged instance group backend, which is the wrong backend type for on-premises resources; options B and D rely on hierarchical or VPC firewall rules, which operate at Layer 3/4 and cannot inspect HTTP requests for XSS.
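The option-C architecture expressed as Terraform, added here as an illustration and not taken from the LeetQuiz page: a Cloud Armor security policy with one IP deny rule and one preconfigured XSS WAF rule, an internet NEG that points at the on-premises presentation tier by FQDN, and a backend service that uses that NEG and carries the policy. All resource names, the FQDN `presentation.example.com` and the denied range `198.51.100.0/24` are constructed placeholders.

```hcl
# Added example (not part of the LeetQuiz page). Names, the on-premises FQDN
# and the denied CIDR are constructed placeholders.

# Cloud Armor policy: deny a source range, deny requests matching the
# preconfigured XSS rule set, allow everything else by default.
resource "google_compute_security_policy" "edge_policy" {
  name = "edge-policy"

  # Layer 3/4 style filtering at the edge: block a source IP range.
  rule {
    action      = "deny(403)"
    priority    = 1000
    description = "Deny a known-abusive source range (placeholder CIDR)"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["198.51.100.0/24"]
      }
    }
  }

  # Layer 7 filtering: evaluate the preconfigured cross-site scripting rules.
  # Set preview = true first to log matches without blocking while tuning.
  rule {
    action      = "deny(403)"
    priority    = 2000
    description = "Block requests that match the XSS signatures"
    preview     = false
    match {
      expr {
        expression = "evaluatePreconfiguredWaf('xss-v33-stable')"
      }
    }
  }

  # Default rule (lowest possible priority): allow unmatched traffic.
  rule {
    action      = "allow"
    priority    = 2147483647
    description = "Default allow"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}

# Internet NEG that addresses the on-premises presentation tier by FQDN.
resource "google_compute_global_network_endpoint_group" "onprem" {
  name                  = "onprem-presentation-neg"
  network_endpoint_type = "INTERNET_FQDN_PORT"
  default_port          = 443
}

resource "google_compute_global_network_endpoint" "onprem_endpoint" {
  global_network_endpoint_group = google_compute_global_network_endpoint_group.onprem.name
  fqdn                          = "presentation.example.com" # placeholder on-prem host
  port                          = 443
}

# Backend service for the external HTTP(S) load balancer. The Cloud Armor
# policy is attached here, so every request is evaluated before it is
# forwarded to the on-premises endpoint in the internet NEG.
resource "google_compute_backend_service" "presentation" {
  name                  = "presentation-backend"
  protocol              = "HTTPS"
  load_balancing_scheme = "EXTERNAL"
  security_policy       = google_compute_security_policy.edge_policy.id

  backend {
    group = google_compute_global_network_endpoint_group.onprem.id
  }
}
```

The URL map, target proxy and forwarding rule that complete the load balancer are omitted; they reference `google_compute_backend_service.presentation` unchanged. Rule priority is evaluated lowest number first, which is why the explicit IP deny sits at 1000, the WAF rule at 2000 and the catch-all allow at the maximum value.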
Author: LeetQuiz Editorial Team
You are migrating a three-tier application from on-premises to Google Cloud. The first step involves creating a new VPC with an external HTTP(S) load balancer to forward traffic to on-premises presentation-tier resources. To prevent malicious traffic from entering your VPC and consuming edge resources, you need to implement a policy that filters IP addresses and mitigates cross-site scripting (XSS) attacks. What should you do?
A. Create a Google Cloud Armor policy, and apply it to a backend service that uses an unmanaged instance group backend.
B. Create a hierarchical firewall ruleset, and apply it to the VPC's parent organization resource node.
C. Create a Google Cloud Armor policy, and apply it to a backend service that uses an internet network endpoint group (NEG) backend.
D. Create a VPC firewall ruleset, and apply it to all instances in unmanaged instance groups.