Google Cloud Professional Cloud Network Engineer — Question 11
Your company offers a popular gaming service. Your instances are deployed with private IP addresses, and external access is granted through a global load balancer. You believe you have identified a potential malicious actor, but aren't certain you have the correct client IP address. You want to identify this actor while minimizing disruption to your legitimate users.
What should you do?
Answer options
- A. Create a Cloud Armor Policy rule that denies traffic and review necessary logs.
- B. Create a Cloud Armor Policy rule that denies traffic, enable preview mode, and review necessary logs.
- C. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to disabled, and review necessary logs.
- D. Create a VPC Firewall rule that denies traffic, enable logging and set enforcement to enabled, and review necessary logs.
Correct answer: B
Explanation
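The correct answer is B. A Cloud Armor deny rule in preview mode is evaluated against incoming requests and its would-be outcome is logged, but the rule is not enforced. This lets you review the logs and confirm whether you have the right client IP address without disrupting legitimate users. Option A enforces the deny rule immediately, without the benefit of preview, so a wrong IP address would block legitimate traffic. Options C and D use VPC firewall rules, which are less suited than Cloud Armor to managing traffic that arrives through a global load balancer: the load balancer proxies each connection, so the instances see the proxy's addresses rather than the original client IP.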