Exam Professional Cloud Security Engineer topic 1 question 130 discussion

Here's the reasoning: D is correct because according to search result , one of the requirements for using Google Cloud Armor security policies is that "The backend service's load balancing scheme must be EXTERNAL, EXTERNAL_MANAGED, or INTERNAL_MANAGED." The EXTERNAL scheme is specifically mentioned in the answer option. E is correct because Google Cloud Armor is primarily designed to work with HTTP(S) load balancers. This is supported by multiple search results, including which states that Google Cloud Armor security policies protect "Global external Application Load Balancer (HTTP/HTTPS)" among others.

Google Cloud Armor is only supported with the Premium Network Service Tier. The Standard Tier does not support Google Cloud Armor features.

BE B: Google Cloud Armor operates at Layer 7 (application layer) of the OSI model. Its security policies inspect incoming HTTP(S) requests and can match on various L7 attributes like request headers, body content, and URI paths. This allows you to define rules that block attacks like XSS and SQLi based on their specific characteristics. Why not C: The load balancing scheme of the backend service (internal or external) doesn't impact Cloud Armor's operation. Cloud Armor focuses on filtering traffic at the external load balancer level.

Why not B?

To use Google Cloud Armor security policies to prevent common attacks such as cross-site scripting (XSS) and SQL injection (SQLi) from reaching your web application’s backend, you need to meet the following requirements : 1) The load balancer must be a global external Application Load Balancer, a classic Application Load Balancer, a regional external Application Load Balancer, or an external proxy Network Load Balancer . 2) The backend service’s load balancing scheme must be EXTERNAL, or EXTERNAL_MANAGED if you are using either a global external Application Load Balancer or a regional external Application Load Balancer .

"D", "E" As others noted in the comments, "A","D" and "E" all meet the minimum requirements for setting up Cloud Armor. However part of the question is having WAF functionality which is not available for External SSL Proxy LBs (A) (no checkmark under external proxy lb column for WAF row). This which leaves us with D and E only. References: https://cloud.google.com/armor/docs/security-policy-overview#requirements https://cloud.google.com/armor/docs/security-policy-overview#

Now we can manage also network load balancer

DE is the ans

D,E is most appropriate in this case D. The backend service's load balancing scheme must be EXTERNAL. E. The load balancer must be an external HTTP(S) load balancer.

DE. Well technically you can use EXTERNAL_MANAGED scheme too.

D. The backend service's load balancing scheme must be EXTERNAL. E. The load balancer must be an external HTTP(S) load balancer.

https://cloud.google.com/armor/docs/security-policy-overview#requirements says: The backend service's load balancing scheme must be EXTERNAL, or EXTERNAL_MANAGED *** if you are using global external HTTP(S) load balancer ***. Thus D and E fit (A could fit if a suggestion like The backend service's load balancing scheme must ** NOT ** be EXTERNAL

I am not sure if there is some mistake in the question or in the options given. https://cloud.google.com/armor/docs/security-policy-overview#requirements As per the link above, below are the requirements for using Google Cloud Armor security policies: 1. The load balancer must be a global external HTTP(S) load balancer, global external HTTP(S) load balancer (classic), external TCP proxy load balancer, or external SSL proxy load balancer. 2. The backend service's load balancing scheme must be EXTERNAL, or EXTERNAL_MANAGED if you are using a global external HTTP(S) load balancer. 3. The backend service's protocol must be one of HTTP, HTTPS, HTTP/2, TCP, or SSL. The correct answer seems to be A D and E. A. The load balancer must be an external SSL proxy load balancer. (external SSL proxy load balancer is one of the load balancing options listed in the link) D. The backend service's load balancing scheme must be EXTERNAL. (or EXTERNAL_MANAGED) E. The load balancer must be an external HTTP(S) load balancer. (Also one of the options listed)

These are the requirements for using Google Cloud Armor security policies: The load balancer must be an external HTTP(S) load balancer, TCP proxy load balancer, or SSL proxy load balancer. The backend service's load balancing scheme must be EXTERNAL. The backend service's protocol must be one of HTTP, HTTPS, HTTP/2, TCP, or SSL. https://cloud.google.com/armor/docs/security-policy-overview

DE Requirements These are the requirements for using Google Cloud Armor security policies: * The load balancer must be an external HTTP(S) load balancer, TCP proxy load balancer, or SSL proxy load balancer. * The backend service's load balancing scheme must be EXTERNAL. * The backend service's protocol must be one of HTTP, HTTPS, HTTP/2, TCP, or SSL. See https://cloud.google.com/armor/docs/security-policy-overview#requirements

Google Cloud Armor security policies are sets of rules that match on attributes from Layer 3 to Layer 7 to protect externally facing applications or services. Each rule is evaluated with respect to incoming traffic. I choose DE

Ans:D,E https://cloud.google.com/armor/docs/security-policy-overview Relevant extracts: 1. Google Cloud Armor security policies enable you to rate-limit or redirect requests to your HTTP(S) Load Balancing, TCP Proxy Load Balancing, or SSL Proxy Load Balancing ... 2. Google Cloud Armor security policies are sets of rules that match on attributes from Layer 3 to Layer 7 to protect externally facing applications or services... 3. The load balancer can be in Premium Tier or Standard Tier.