
Answer-first summary for fast verification
Answer:
1. Create a new Cloud Armor backend security policy. In the policy, set the `userIpRequestHeaders[]` attribute.
2. Add a policy rule that denies traffic matching the `inIpRange(origin.user_ip, 'IP_RANGE_BLOCK')` expression.
3. Apply the policy to the backend service that includes all your Google Cloud workloads.
The correct answer uses a Cloud Armor backend security policy because the global Application Load Balancer (ALB) is a global HTTP(S) load balancer, and that load balancer type takes backend security policies; network edge security policies are used for other load balancer types. Because the third-party WAF proxies every connection, the TCP source address seen by the load balancer is the WAF's own address, and the original client IP is only available in a request header. Setting `userIpRequestHeaders[]` tells Cloud Armor which header(s) to read the original client IP from. The rule must therefore evaluate `origin.user_ip` (the header-derived client IP) rather than `origin.ip`, which would resolve to the WAF's IP and never match the client range. Applying the policy to the backend service ensures that traffic is blocked based on the client's original IP range.
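To make the `origin.ip` versus `origin.user_ip` distinction concrete, the following is an added Python model (not Cloud Armor's implementation and not part of the original quiz page) that simulates how the deny rule evaluates behind a proxying WAF. The header name `X-Client-IP`, the WAF egress address and the blocked range are constructed stand-ins, and the assumption that each configured header carries a single IP address is mine, not something the page states.

```python
import ipaddress

# Constructed stand-in for the question's IP_RANGE_BLOCK placeholder.
IP_RANGE_BLOCK = "203.0.113.0/24"
# Constructed stand-in for the third-party WAF's egress (proxy) address.
WAF_EGRESS_IP = "198.51.100.7"
# Constructed stand-in for the header the WAF uses to forward the client IP.
USER_IP_REQUEST_HEADERS = ["X-Client-IP"]


def resolve_user_ip(origin_ip, headers, user_ip_request_headers):
    """Model of origin.user_ip: the first configured header holding a valid
    IP address wins; if none is present or parseable, fall back to origin.ip.
    Assumption: one IP per header value (not a comma-separated list)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in user_ip_request_headers:
        value = lowered.get(name.lower())
        if value is None:
            continue
        try:
            return str(ipaddress.ip_address(value.strip()))
        except ValueError:
            continue  # malformed header value: ignore it, keep looking
    return origin_ip


def in_ip_range(ip, cidr):
    """Model of the inIpRange(ip, 'CIDR') expression function."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate_deny_rule(origin_ip, headers, use_user_ip=True):
    """Return 'deny' or 'allow' for the single rule in the answer.

    use_user_ip=True  models inIpRange(origin.user_ip, IP_RANGE_BLOCK)
    use_user_ip=False models the mistaken inIpRange(origin.ip, IP_RANGE_BLOCK)
    """
    if use_user_ip:
        ip = resolve_user_ip(origin_ip, headers, USER_IP_REQUEST_HEADERS)
    else:
        ip = origin_ip
    return "deny" if in_ip_range(ip, IP_RANGE_BLOCK) else "allow"


if __name__ == "__main__":
    blocked_client = {"X-Client-IP": "203.0.113.45"}
    print(evaluate_deny_rule(WAF_EGRESS_IP, blocked_client))            # deny
    print(evaluate_deny_rule(WAF_EGRESS_IP, blocked_client, False))     # allow
    print(evaluate_deny_rule(WAF_EGRESS_IP, {}))                        # allow
```

The third call shows the operational caveat: if the WAF does not forward the client IP in the configured header, `origin.user_ip` falls back to the WAF's address and the block never fires.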
Author: LeetQuiz Editorial Team
Your company utilizes third-party cloud WAF provider services, which proxy all HTTPS connections from internet clients, apply security policies, and then establish new HTTPS connections to your Google Cloud global Application Load Balancer's public IP address. The backend for this load balancer consists of your Google Cloud workloads. Currently, Cloud Armor is not enabled. You need to implement a Cloud Armor security policy that blocks sessions originating from internet clients with source IP addresses within the IP_RANGE_BLOCK range. The blocking must be performed by the Cloud Armor security policy, not the third-party WAF provider. What should you do?