To protect the application from application-level attacks (e.g., SQL injection, XSS), Google Cloud Armor provides web application firewall (WAF) capabilities. Option C correctly suggests creating a Google Cloud Armor security policy with WAF rules and applying it to the backend service of the global external application load balancer. This ensures traffic is inspected for malicious patterns.

• A (Cloud CDN) focuses on caching and performance, not security.
• B (Firewall deny rules) operate at the network layer (IP/ports) and cannot block application-layer attacks.
• D (VPC Service Controls) restricts data exfiltration but does not protect against application attacks. Thus, only C addresses the requirement effectively.