An engineering team is deploying a public-facing web application hosted across multiple Google Cloud regions. Traffic is routed to the appropriate regional backend based on the requested URL. The team needs to prevent the application from being directly exposed to the internet and block traffic from a known list of malicious IP addresses.

Which solution should be implemented to meet these requirements?