Google Cloud Professional Cloud Developer — Question 333
You are designing a microservices application on GKE that will expose a public API to users. Users will interact with the application by using OAuth 2.0, and illegitimate requests should receive a 403 response code. You need the API to be resilient against distributed denial of service (DDoS) attacks and critical security risks such as SQL injection (SQLi) and cross-site scripting (XSS).
You want to design the application's architecture while following Google-recommended practices. What should you do?
Answer options
- A. Install Service Mesh in your GKE cluster. Configure Service Mesh user authentication to integrate the service hosted on GKE by using an OpenID Connect-compliant identity provider. Expose the application externally by using an Istio Ingress Gateway. Use VPC firewall rules to restrict Ingress traffic to the Ingress gateway.
- B. Run an Apache HTTP server on Cloud Run to expose a service with a public IP address. Configure the Apache HTTP server as a reverse proxy to only forward valid requests to the API hosted on GKE.
- C. Use an external Application Load Balancer with Cloud Armor. Integrate Cloud Armor with reCAPTCHA Enterprise. Configure the load balancer to forward traffic to the application hosted on GKE.
- D. Use an external Application Load Balancer with Cloud Armor, and configure the load balancer to forward requests to Apigee to check the validity of the API requests. Configure GKE as the application's backend.
Correct answer: D
Explanation
Option D is correct because it places an external Application Load Balancer with Cloud Armor in front of the application, which provides DDoS protection and web application firewall rules for risks such as SQL injection and XSS, and it forwards requests to Apigee to validate API requests before they reach the GKE backend. Option A, while using Service Mesh for user authentication, does not address API management or DDoS protection as effectively. Option B's approach with an Apache reverse proxy on Cloud Run does not provide the same level of security and scalability. Option C, although it uses Cloud Armor, lacks the API validation step that Apigee offers, making it less comprehensive in securing the API.