
Answer-first summary for fast verification
Answer: Create a Cloud Armor policy with a deny-rule for the known IP address range. Attach the policy to the backend of the Application Load Balancer.
Option A is the correct answer because Cloud Armor is specifically designed for web application protection at the load balancer level and provides IP-based deny rules that can block known malicious IP ranges before they reach the application backend. Attaching the Cloud Armor policy to the Application Load Balancer backend ensures the deny rule is enforced for all incoming web traffic. Option B (IAP) is for identity-based access control, not IP blocking. Option C (log sink with alerts) only provides detection and alerting, not actual blocking. Option D (Cloud Firewall) operates at the VPC network level, which is less efficient for web traffic filtering compared to Cloud Armor's layer 7 capabilities at the load balancer. The community discussion strongly supports A with 100% consensus and upvoted explanations highlighting Cloud Armor's purpose-built functionality for this scenario.
Author: LeetQuiz Editorial Team
You need to block a known malicious IP range from accessing your website served by a Google Cloud Application Load Balancer. What is the correct method to deny-list these IP addresses?
A. Create a Cloud Armor policy with a deny-rule for the known IP address range. Attach the policy to the backend of the Application Load Balancer.
B. Activate Identity-Aware Proxy for the backend of the Application Load Balancer. Create a firewall rule that only allows traffic from the proxy to the application.
C. Create a log sink with a filter containing the known IP address range. Trigger an alert that detects when the Application Load Balancer is accessed from those IPs.
D. Create a Cloud Firewall policy with a deny-rule for the known IP address range. Associate the firewall policy to the Virtual Private Cloud with the application backend.