
Explanation:
Option B is correct because it directly addresses both requirements using IAP's built-in capabilities. Creating an access level with conditions for internal IP ranges and AppDev groups, then applying it to the IAP policy, is the native IAP approach for combining identity and network-based restrictions. Option A is incorrect as it requires VPN connectivity which is unnecessary with IAP and doesn't leverage IAP's identity features. Option C is suboptimal because configuring firewall rules for IAP access control is less granular and doesn't integrate as seamlessly with IAP's identity-based policies. Option D is incorrect as MFA and NIDS don't specifically address the IP address restriction requirement and add unnecessary complexity. The community discussion shows 100% consensus on B, with comments highlighting that access levels are the proper mechanism for combining identity and network attributes in IAP policies.
Ultimate access to all questions.
No comments yet.
Your organization has a Cloud Run application that requires access control via Cloud Identity-Aware Proxy (IAP) with the following requirements:
• Only users from the AppDev group are permitted to access the application. • Access must be limited to internal network IP addresses.
What should you do?
A
Deploy a VPN gateway and instruct the AppDev group to connect to the company network before accessing the application.
B
Create an access level that includes conditions for internal IP address ranges and AppDev groups. Apply this access level to the application's IAP policy.
C
Configure firewall rules to limit access to IAP based on the AppDev group and source IP addresses.
D
Configure IAP to enforce multi-factor authentication (MFA) for all users and use network intrusion detection systems (NIDS) to block unauthorized access attempts.