
Answer-first summary for fast verification
Answer: Create a new Cloud Armor network edge security policy, and use the --network-src-asns parameter.
To block connections from a specific BGP ASN for directly exposed Compute Engine instances, Cloud Armor's network edge security policy is the correct choice. GCP firewall rules (option D) do not support ASN-based filtering. Cloud Armor edge security policies (option C) apply to HTTP(S) load balancers, which are not mentioned here. Backend security policies (option A) are for backend services behind load balancers. Network edge security policies (option B) protect internet-facing resources without requiring a load balancer and support the `--network-src-asns` parameter to filter by ASN.
Author: LeetQuiz Editorial Team
Your company has Compute Engine instances with public internet exposure, each having a single network interface with one public IP address. You need to prevent connection attempts from internet clients whose IP addresses belong to the BGP_ASN_TOBLOCK BGP ASN. What is the recommended solution?
A. Create a new Cloud Armor backend security policy, and use the --network-src-asns parameter.
B. Create a new Cloud Armor network edge security policy, and use the --network-src-asns parameter.
C. Create a new Cloud Armor edge security policy, and use the --network-src-asns parameter.
D. Create a new firewall policy ingress rule, and use the --network-src-asns parameter.