Google Cloud Professional Cloud Network Engineer — Question 207

Your company uses web application firewall (WAF) capabilities from a third-party cloud WAF provider. This WAF provider proxies all the HTTPS connections from internet clients, applies security policies, and then opens a new HTTPS connection to the public IP address of your global Application Load Balancer in Google Cloud. Your Google Cloud workloads are the backend of this global Application Load Balancer. Currently, Cloud Am1or is not configured. You need to create a Cloud Armor security policy that blocks sessions that originate from internet clients with source IP addresses that belong to the IP_RANGE_BLOCK IP range. The block must be executed by the Cloud Armor security policy; it will not be done by the third-party cloud WAF provider. Whal should you do?

Answer options

• A. 1. Create a new Cloud Armor network edge security policy. In the policy, set the userIpRequestHeaders[] attribute. 2. Add a policy rule that denies traffic that matches inIpRange(origin.user_ip, 'IP_RANGE_BLOCK') statement. 3. Apply the policy to the backend service that includes all your Google Cloud workloads.
• B. 1. Create a new Cloud Armor network edge security policy. In the policy, set the userIpRequestHeaders[] attribute. 2. Add a policy rule that denies traffic that matches the inIpRange(origin.ip, 'IP_RANGE_BLOCK') statement. 3. Apply the policy to the backend service that includes all your Google Cloud workloads.
• C. 1. Create a new Cloud Armor backend security policy. In the policy, set the userIpRequestHeaders[] attribute. 2. Add a policy rule that denies traffic that matches the inIpRange(origin.user_ip, 'IP_RANGE_BLOCK') statement. 3. Apply the policy to the backend service that includes all your Google Cloud workloads.
• D. 1. Create a new Cloud Armor backend security policy. In the policy, set the userIpRequestHeaders[] attribute. 2. Add a policy rule that denies traffic that matches the inIpRange(origin.ip, 'IP_RANGE_BLOCK') statement. 3. Apply the policy to the backend service that includes all your Google Cloud workloads.

Correct answer: C

Explanation

The correct answer is C because it specifies the creation of a Cloud Armor backend security policy, which is necessary for controlling access to the backend service. Additionally, it correctly uses the origin.user_ip field for the inIpRange function to match the source IP addresses, which is essential for blocking the specified IP range. Options A and B incorrectly reference a network edge security policy, while D uses the wrong IP field in the inIpRange function.