Google Cloud Professional Cloud Architect — Question 190
You are designing the network architecture for a public-facing, containerized web application deployed on Cloud Run. All incoming traffic must be inspected by a Cloud Armor web application firewall (WAF) before reaching the application. You plan to use an Application Load Balancer, which will have the Cloud Armor policy attached. You must ensure that all public requests pass through the load balancer and that any attempt to access the Cloud Run service directly through its default *.run.app URL is blocked. What should you do?
Answer options
- A. Enable Identity-Aware Proxy (IAP) directly on the Cloud Run service to intercept and validate all incoming requests
- B. Create a DNS entry to route traffic to Cloud Armor. Configure Cloud Armor to deny traffic from unknown IP addresses
- C. Set the Cloud Run ingress to Allow internal traffic and Cloud Load Balancing, and use a serverless NEG backend on the load balancer
- D. Configure a VPC firewall rule with a high priority to deny all traffic that does not originate from the load balancer
Correct answer: C
Explanation
The correct answer is C because setting the Cloud Run ingress to allow internal traffic and Cloud Load Balancing makes Cloud Run itself reject requests that arrive directly at the *.run.app URL, so public traffic can only reach the service through the load balancer, which has the Cloud Armor policy attached to its backend. Option A is incorrect because IAP controls who may invoke the service but does not prevent direct access to the Cloud Run URL. Option B is not suitable because Cloud Armor is not a routing target and a DNS entry does not ensure that traffic flows through the load balancer. Option D is incorrect because VPC firewall rules do not apply to the Cloud Run *.run.app endpoint and provide no mechanism for forcing traffic through the load balancer.
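As an added illustration that is not part of the exam question, the option C design expressed in Terraform: the ingress setting on the service, the serverless NEG, and the Cloud Armor policy attached to the backend service. Names, region and image are placeholders, and the URL map, certificate, target proxy, forwarding rule and the public invoker IAM binding are omitted.

```hcl
# Cloud Run service. The default INGRESS_TRAFFIC_ALL leaves the *.run.app URL
# reachable; INTERNAL_LOAD_BALANCER makes Cloud Run reject requests that did
# not arrive through the VPC or an Application Load Balancer.
resource "google_cloud_run_v2_service" "app" {
  name     = "web-app"      # placeholder
  location = "us-central1"  # placeholder
  ingress  = "INGRESS_TRAFFIC_INTERNAL_LOAD_BALANCER"
  # ingress = "INGRESS_TRAFFIC_ALL"  # weak: the WAF is bypassed via *.run.app
  template {
    containers {
      image = "us-docker.pkg.dev/example-project/app/web:latest"  # placeholder
    }
  }
}

# Serverless NEG that exposes the Cloud Run service as a load balancer backend.
resource "google_compute_region_network_endpoint_group" "neg" {
  name                  = "web-app-neg"
  region                = google_cloud_run_v2_service.app.location
  network_endpoint_type = "SERVERLESS"
  cloud_run {
    service = google_cloud_run_v2_service.app.name
  }
}

# Cloud Armor policy: deny requests matching the preconfigured SQLi WAF rule.
# The provider adds the default allow rule (priority 2147483647) when none is given.
resource "google_compute_security_policy" "waf" {
  name = "web-app-waf"
  rule {
    action   = "deny(403)"
    priority = 1000
    match {
      expr { expression = "evaluatePreconfiguredWaf('sqli-v33-stable')" }
    }
  }
}

# The policy attaches to the backend service, so every request that reaches
# the container through the load balancer has already been evaluated by the WAF.
resource "google_compute_backend_service" "backend" {
  name                  = "web-app-backend"
  load_balancing_scheme = "EXTERNAL_MANAGED"
  protocol              = "HTTPS"
  security_policy       = google_compute_security_policy.waf.id
  backend {
    group = google_compute_region_network_endpoint_group.neg.id
  }
}
```

After applying, a request to the *.run.app hostname returns HTTP 403 from Cloud Run regardless of IAM, while the same request through the load balancer's address is evaluated by the WAF and then forwarded.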