Google Cloud Professional Cloud Developer — Question 297

You are developing a web application that will be deployed to production on Cloud Run. The application consists of multiple microservices, some of which will be publicly accessible and others that will only be accessible after authentication by Google identities. You need to ensure that only authenticated users can access the restricted services, while allowing unrestricted access to the public services of the application. You want to use the most secure approach while minimizing management overhead and complexity. How should you configure access?

Answer options

• A. Enable Identity-Aware Proxy (IAP) for all microservices. Develop a new microservice that checks the authentication requirements for each application and controls access to the respective services.
• B. Enable Identity-Aware Proxy (IAP) for all microservices. Manage access control lists (ACLs) for the restricted services, and configure allAuthenticatedUsers access to the public services.
• C. Use Cloud Endpoints with Firebase Authentication for all microservices. Configure Firebase rules to manage access control lists (ACLs) for each service, allowing access to the public services.
• D. Configure separate Cloud Run services for the public and restricted microservices. Enable Identity-Aware Proxy (IAP) only for the restricted services, and configure the Cloud Run ingress settings to ‘Internal and Cloud Load Balancing’.

Correct answer: D

Explanation

The correct answer is D because it effectively separates the public and restricted services, applying Identity-Aware Proxy (IAP) only to the restricted ones, which enhances security while keeping public access easy. Options A and B are more complex and involve unnecessary overhead by managing access controls across all services. Option C introduces Firebase Authentication, which adds complexity and is not the most secure option for this scenario.