ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud Architect All Questions

View all questions & answers for the Professional Cloud Architect exam
Go to Exam

Exam Professional Cloud Architect topic 3 question 2 discussion

Actual exam question from Google's Professional Cloud Architect
Question #: 2
Topic #: 3
[All Professional Cloud Architect Questions]

For this question, refer to the Helicopter Racing League (HRL) case study. Recently HRL started a new regional racing league in Cape Town, South Africa. In an effort to give customers in Cape Town a better user experience, HRL has partnered with the Content Delivery Network provider, Fastly. HRL needs to allow traffic coming from all of the Fastly IP address ranges into their Virtual Private Cloud network (VPC network). You are a member of the HRL security team and you need to configure the update that will allow only the Fastly IP address ranges through the External HTTP(S) load balancer. Which command should you use?
A.

B.

C.

D.

Show Suggested Answer Hide Answer
Suggested Answer: A
Reference:
https://cloud.google.com/load-balancing/docs/https
by StelSen at Dec. 28, 2021, 8:14 a.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
technodev
Highly Voted 3 years, 2 months ago
Got this question in my exam, answered D
upvoted 45 times
...
elrizos
Highly Voted 3 years ago
Is D: In the GCP doc can see the same example https://cloud.google.com/armor/docs/configure-security-policies#gcloud_11 "gcloud compute security-policies rules create 1000 \ --security-policy my-policy \ --expression "evaluatePreconfiguredExpr('sourceiplist-fastly')" \ --action "allow" "
upvoted 32 times
6b13108
1 year, 4 months ago
I can not see the same example in that document and I saw "evaluatePreconfiguredExpr" is for preconfigure WAF rules https://cloud.google.com/armor/docs/rule-tuning
upvoted 1 times
...
...
neokyle
Most Recent 1 month, 3 weeks ago
Suggested Answer A is incorrect, answer is D. AWS firewalls can be used to restrict both internal and external traffic. GCP firewall rules are werid where VPC level firewall rules are for restricting internal traffic & cloud armor which gets attached to LB's is used to restrict external traffic. So due to GCP oddity: 'gcloud compute firewall' refers to internal VPC firewall config which isn't relevant, while 'gcloud compute security-policies' refers to Cloud Armor, which gets attached to LBs and is used to configure external firewall rules, which is relevant. Once you understand that D as the answer starts to make intuitive sense.
upvoted 2 times
neokyle
1 month, 3 weeks ago
Actually I'm unsure between A and D, my answer mainly explains why B & C can be eliminated.
upvoted 1 times
...
...
dfizban
6 months ago
It's D
upvoted 1 times
...
Begum
6 months, 3 weeks ago
The correct answer is D. The syntax for command must include --Security-policy, --expression or --src-in-ranges ( for option A IP range is wild card) hence correct answer is D.
upvoted 1 times
...
JohnJamesB1212
6 months, 3 weeks ago
The most appropriate command for allowing traffic from all Fastly IP address ranges into the HRL Virtual Private Cloud (VPC) network through the External HTTP(S) load balancer would be: A. Create Cloud Armor Security Policy with the source IP ranges. Explanation: Cloud Armor is the tool designed specifically for protecting HTTP(S) load balancers and controlling access based on IP address ranges. It allows you to create security policies to allow or deny traffic from specific IP ranges, which is what you need to do for Fastly IPs. This approach is specifically designed for managing traffic to HTTP(S) load balancers, providing an additional layer of security that fits this scenario perfectly.
upvoted 2 times
JohnJamesB1212
6 months, 3 weeks ago
Why Not the Other Options? B. Create Cloud Armor Security Policy with the source IP list: Cloud Armor requires IP ranges, not a simple list of IPs. C. Create firewall rule to allow source IP list: Firewall rules operate at the VPC network level, and while they control network access, they are not specifically tied to HTTP(S) load balancers and would not efficiently apply to this context. D. Create firewall rule to allow source IP range: Firewall rules can allow traffic from IP ranges, but again, they are applied at the VPC level. For HTTP(S) load balancer traffic, Cloud Armor is the correct tool to manage IP range access control.
upvoted 2 times
...
...
researched_answer_boi
11 months, 3 weeks ago
(D), or "Create Cloud Armor Security Policy with the source ip list" (considering @hashi's comment) looks correct. https://codelabs.developers.google.com/codelabs/cloud-cloudarmor#0
upvoted 3 times
...
dija123
12 months ago
Totally agree with D
upvoted 1 times
...
hashi
1 year, 1 month ago
I got this question in March 2024. As someone pointed out answers are reworked. Instead of asking for the command, the choices were given in wordings - something like the below. (Not the exact words) A. Create Cloud Armor Security Policy with the source ip ranges. B. Create Cloud Armor Security Policy with the source ip list C. Create firewall rule to allow source ip list D. Create firewall rule to allow source ip range Based on the answers for this question I went with "Create Cloud Armor Security Policy with the source ip list"
upvoted 15 times
exam4c3
2 months, 3 weeks ago
Fw rules are managed by VPC, not by cloud armor
upvoted 1 times
...
Chandankm
9 months, 4 weeks ago
what's the difference between options A & B, i.e. source IP "ranges" and "list" ? what's the reason for choosing one over another ? I've been through the documentation and these terms are used intermittently.
upvoted 1 times
Chandankm
9 months, 3 weeks ago
If the question really makes a distinction between ranges and lists as specified above, I'm quite disappointed with Google. It looks like they're more interested in throwing the examinee off-balance by confusing them with useless jargon rather than evaluating the actual skills.
upvoted 1 times
...
...
ccpmad
10 months, 1 week ago
Thank you for the info, but for me, in your question, I would choose D. Firewall rule. Firewalls are designed to efficiently manage network traffic. Allowing IP ranges simplifies administration and enhances performance by handling access from multiple IP addresses effectively.
upvoted 2 times
...
...
VidhyaBupesh
1 year, 1 month ago
D is right
upvoted 1 times
...
d0094d6
1 year, 2 months ago
should be D
upvoted 1 times
...
Pime13
1 year, 2 months ago
D is the solution
upvoted 1 times
...
didek1986
1 year, 3 months ago
D d d d
upvoted 1 times
...
gun123
1 year, 3 months ago
D is the ans
upvoted 1 times
...
MahAli
1 year, 4 months ago
I guess D
upvoted 1 times
...
odacir
1 year, 5 months ago
D -> https://cloud.google.com/armor/docs/configure-security-policies#create-rules
upvoted 2 times
...
didek1986
1 year, 6 months ago
D for sure
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago