Professional Cloud Network Engineer Exam

Exam Professional Cloud Network Engineer All QuestionsBrowse all questions from this exam

Question 54

Your company has just launched a new critical revenue-generating web application. You deployed the application for scalability using managed instance groups, autoscaling, and a network load balancer as frontend. One day, you notice severe bursty traffic that the caused autoscaling to reach the maximum number of instances, and users of your application cannot complete transactions. After an investigation, you think it as a DDOS attack. You want to quickly restore user access to your application and allow successful transactions while minimizing cost.

Which two steps should you take? (Choose two.)

Use Cloud Armor to blacklist the attacker's IP addresses.

Increase the maximum autoscaling backend to accommodate the severe bursty traffic.

Create a global HTTP(s) load balancer and move your application backend to this load balancer.

Shut down the entire application in GCP for a few hours. The attack will stop when the application is offline.

SSH into the backend compute engine instances, and view the auth logs and syslogs to further understand the nature of the attack.

Correct Answer: A, C

To quickly restore user access to your application and allow successful transactions while minimizing cost, the recommended steps are to use Cloud Armor to blacklist the attacker's IP addresses and to create a global HTTP(s) load balancer and move your application backend to this load balancer. Cloud Armor is specifically designed to defend against DDoS attacks by blocking unwanted traffic, which helps mitigate the immediate impact on your application. Additionally, moving to a global HTTP(s) load balancer allows you to leverage Cloud Armor, which is not supported with a network load balancer, thus providing comprehensive protection and preventing further disruptions.

Discussion

Alex_74Options: AC

A & C Cloud Armor is the solution to prevent and mitigate attack (DDOS SQL injection and so on), it's a revenue generating so have to be alive and protected. No Cloud Armor is not a firewall. Using the CA language you have tons of prebuild rules to evaluate and block the malicious traffic in automatic way. You can put the rule blocking a specific traffic but it's not there the value (you have the firewall for that). Than you need C cause Cloud Armor require an HTTP(s) load balancer (that can be used cause it's a web application)

Windy_Welly88

I'd go A & C. These days you can get Cloud Armor for trial, and this product will mitigate current AND sustained DDOS attacks. Would you REALLY autoscale for a massive DDOS attack, do you think Google will let you do this for free? You wont need to spend time looking at logs and traffic as it will tell you straight away who the actors are.. And finally, since this is a critical revenue-earning application any downtime would be a significant cost. Only way to ensure uptime would be to use Cloud Armor.

AzureDP900

A, C make sense

walkwolf3

This would be a long term solution if DDOS is confirmed. The quickest solution is to recover the service, which is BE.

Hybrid_Cloud_boyOptions: BE

I think B,E are actually correct. A and C would increase cost to global LB, change app architecture, and could potential block legitimate traffic since you “think” it is a DDoS, but do i not know. I do not think google would recommend blocking traffic unless you KNOW. So a temp increase in auto scale, with further investigation is the best course of action. It may lead to some short-term cost increase, but ultimately less cost increase than moving to global LB premium tier with cloudarmor.

GeorgS

But E just says log in with SSH and look, to get get a better view. So with B and E you won't block anything, you will just increase your serverpool

CloudSISG2023Options: BE

Cloud Armor can only be integrated with HTTP(S) load balancer, it's not supported with NLB. Hence, A is not correct. I'd go with option B & E.

gonlaferOptions: AB

The objective is to quickly restore user access. So A & B. Later you can move to an HTTP LB which makes sense also.

ChavozOptions: AC

AC is the correct

didek1986Options: AB

C is wrony cause changes architecture

study_aws1Options: AB

A & B - Option C) of HTTPS Load balancer is not a mandatory requirement. Google Cloud Armor also provides advanced network DDoS protection for external passthrough Network Load Balancers, protocol forwarding, and VMs with public IP addresses. https://cloud.google.com/armor/docs/security-policy-overview Standard network DDoS protection: basic always-on protection for network load balancers, protocol forwarding, or VMs with public IP addresses. This is covered under Google Cloud Armor Standard and does not require any additional subscriptions. Advanced network DDoS protection: additional protections for Managed Protection Plus subscribers who use network load balancers, protocol forwarding, or VMs with public IP addresses. https://cloud.google.com/armor/docs/advanced-network-ddos

somnathmaddiOptions: BE

BE Only

nkastanasOptions: AC

cant be B, you have to minimize the cost

nkastanasOptions: AC

B. Increase the maximum autoscaling backend to accommodate the severe bursty traffic: This approach might provide temporary relief but does not address the root cause (the DDoS attack). It could also significantly increase costs without solving the underlying issue.

hamish88Options: AC

A and C are the correct two steps we should take. These steps complete the purpose. The question is not asking for two separate approaches.

AdjqwertOptions: AC

There is some amount of Cloud Armor integration supported with Network Passthrough Load Balancers: There is some amount of integration supported for Cloud Armor with Network Load Balancers: https://cloud.google.com/armor/docs/advanced-network-ddos

PhuocTOptions: AC

AC is the best answer. you can only use Cloud Armor with HTTP LB, not network LB.

BenMSOptions: AC

This is the textbook scenario for Cloud Armor + GCLB, so given that this is a Google exam, it seems pretty obvious to select AC. It's actually really simple to switch the BE from one LB to another and would not add huge cost.

xhilmiOptions: AB

A. Use Cloud Armor to blacklist the attacker's IP addresses. Cloud Armor is a security service on Google Cloud that allows you to defend your applications and services from Distributed Denial of Service (DDoS) attacks. By configuring blacklisting rules in Cloud Armor, you can block traffic from specific IP addresses or ranges associated with the attack, helping to mitigate the impact on your application. B. Increase the maximum autoscaling backend to accommodate the severe bursty traffic. By increasing the maximum number of instances in your autoscaling backend, you allow your infrastructure to dynamically scale up to handle the increased traffic during the DDoS attack. This helps ensure that your application can continue to serve legitimate user requests even under heavy load.

sidharthwaderOptions: AC

B is not a good solution if you increase the scaling it will just keep increasing during a DDOS attacker will you more of your resources and you will pay higher price for malicious attack

DelonBH

DDOS Attack is not confirmed.. "you think".

HetaviOptions: AC

auto scaling is already taken care as mentioned in question. So correct answer is to use Armor and https global load balancer.