Exam Professional Cloud Network Engineer topic 1 question 54 discussion

A & C Cloud Armor is the solution to prevent and mitigate attack (DDOS SQL injection and so on), it's a revenue generating so have to be alive and protected. No Cloud Armor is not a firewall. Using the CA language you have tons of prebuild rules to evaluate and block the malicious traffic in automatic way. You can put the rule blocking a specific traffic but it's not there the value (you have the firewall for that). Than you need C cause Cloud Armor require an HTTP(s) load balancer (that can be used cause it's a web application)

I think B,E are actually correct. A and C would increase cost to global LB, change app architecture, and could potential block legitimate traffic since you “think” it is a DDoS, but do i not know. I do not think google would recommend blocking traffic unless you KNOW. So a temp increase in auto scale, with further investigation is the best course of action. It may lead to some short-term cost increase, but ultimately less cost increase than moving to global LB premium tier with cloudarmor.

C. Create a global HTTP(s) load balancer and move your application backend to this load balancer: This step is crucial because Application Load Balancers (HTTP(S)) are designed for web traffic (Layer 7) and integrate fully with Google Cloud Armor. The existing Network Load Balancer (typically Layer 4 passthrough) has limited integration capabilities for application-level attack mitigation policies like IP blacklisting provided by standard Cloud Armor tiers. Migrating to an Application Load Balancer provides the necessary foundation for effective DDoS protection. A. Use Cloud Armor to blacklist the attacker's IP addresses: Once the application is behind a compatible load balancer (like the HTTP(S) Load Balancer from step C)

Why Not the Other Options? ❌ B. Increase the maximum autoscaling backend Scaling up indefinitely does not stop the attack, and it increases costs dramatically. Without blocking the malicious traffic, your instances will continue getting overwhelmed. ❌ D. Shut down the entire application This is not a viable solution—taking down your application means legitimate users also lose access. The attacker could simply restart the attack when you go back online. ❌ E. SSH into backend instances to analyze logs Too slow for immediate mitigation. While log analysis is useful after the attack, it doesn’t help quickly restore service for real users.

A and C are correct

Best Choice: A & C is the better option to quickly restore user access and allow successful transactions while minimizing cost. Cloud Armor filters malicious traffic right away, while the Global HTTP(S) Load Balancer provides a more robust and scalable solution for long-term protection and handling of legitimate traffic.

A&C Unlike the Network Load Balancer, an HTTP(S) Load Balancer integrates with Cloud Armor and provides additional protection mechanisms such as rate limiting and advanced filtering.

Network load balancer does not support Cloud Armor

Cloud Armor cannot be used with Network Load balancer, it operates at layer 7.I go with B and C and it require to restore Not to remediate.

cant be B, you have to minimize the cost

B. Increase the maximum autoscaling backend to accommodate the severe bursty traffic: This approach might provide temporary relief but does not address the root cause (the DDoS attack). It could also significantly increase costs without solving the underlying issue.

A and C are the correct two steps we should take. These steps complete the purpose. The question is not asking for two separate approaches.

There is some amount of Cloud Armor integration supported with Network Passthrough Load Balancers: There is some amount of integration supported for Cloud Armor with Network Load Balancers: https://cloud.google.com/armor/docs/advanced-network-ddos

The objective is to quickly restore user access. So A & B. Later you can move to an HTTP LB which makes sense also.

AC is the best answer. you can only use Cloud Armor with HTTP LB, not network LB.

AC is the correct

This is the textbook scenario for Cloud Armor + GCLB, so given that this is a Google exam, it seems pretty obvious to select AC. It's actually really simple to switch the BE from one LB to another and would not add huge cost.