Google Cloud Professional Cloud Network Engineer — Question 193
Your company uses Compute Engine instances that are exposed to the public internet. Each compute instance has a single network interface with a single public IP address. You need to block any connection attempt that originates from internet clients with IP addresses that belong to the BGP_ASN_TOBLOCK BGP ASN. What should you do?
Answer options
- A. Create a new Cloud Armor backend security policy, and use the --network-src-asns parameter.
- B. Create a new Cloud Armor network edge security policy, and use the --network-src-asns parameter.
- C. Create a new Cloud Armor edge security policy, and use the --network-src-asns parameter.
- D. Create a new firewall policy ingress rule, and use the --network-src-asns parameter.
Correct answer: B
Explanation
The correct answer is B because a Cloud Armor network edge security policy is the policy type that filters traffic by network-layer attributes of the source, including its BGP ASN, which is exactly what the --network-src-asns parameter expresses. Option A refers to a backend security policy, which evaluates requests reaching a load balancer's backend service rather than connections made directly to an instance's public IP, so it is not suitable here. Options C and D name policy types (an edge security policy and a firewall policy ingress rule) that do not support matching on source ASNs, so neither can block traffic from BGP_ASN_TOBLOCK.