Professional Cloud Security Engineer Exam Questions

Professional Cloud Security Engineer Exam - Question 6


A customer needs to launch a 3-tier internal web application on Google Cloud Platform (GCP). The customer's internal compliance requirements dictate that end-user access may only be allowed if the traffic appears to originate from a specific known good CIDR. The customer accepts the risk that their application will only have SYN flood DDoS protection. They want to use GCP's native SYN flood protection.

Which product should be used to meet these requirements?

Correct Answer: B

To satisfy the customer's specific requirement that end-user access be allowed only if traffic originates from a specific known good CIDR, VPC Firewall Rules should be used. VPC Firewall Rules are designed to control network traffic to and from instances based on IP ranges, making them suitable for enforcing CIDR-based access restrictions. Additionally, the GCP native SYN flood protection can be handled by the standard load balancer, which is sufficient as per the customer's acceptance of the risk. Cloud Armor, while providing advanced DDoS protection, is not the most appropriate tool for enforcing CIDR-based access control in this internal application scenario.
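As an added illustration of why VPC firewall rules satisfy the CIDR requirement (this is example code, not part of the original page or of Google's documentation), the block below models GCP's ingress evaluation order: the lowest priority number wins, and anything unmatched falls to the implied deny-all ingress rule. The corporate CIDR, rule names, network name and port are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of GCP VPC ingress firewall evaluation (assumption: the
# customer's "known good" range is 10.20.0.0/16 and the web tier listens on 443).
# Real-world equivalent of the allow rule defined below:
#   gcloud compute firewall-rules create allow-web-from-corp \
#     --network=internal-vpc --direction=INGRESS --priority=1000 \
#     --action=ALLOW --rules=tcp:443 --source-ranges=10.20.0.0/16 \
#     --target-tags=web-tier

@dataclass(frozen=True)
class FirewallRule:
    name: str
    priority: int            # 0..65535; the lowest number takes precedence
    action: str              # "allow" or "deny"
    source_ranges: tuple     # CIDR strings the source IP must fall within
    ports: tuple = ()        # TCP ports matched; empty tuple means all ports

def rule_matches(rule: FirewallRule, src_ip: str, port: int) -> bool:
    """True if the packet's source IP and destination port fall under the rule."""
    if rule.ports and port not in rule.ports:
        return False
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in rule.source_ranges)

def evaluate_ingress(rules, src_ip: str, port: int) -> str:
    """Return "allow" or "deny" for one ingress packet: rules are consulted in
    ascending priority number and the first match wins; a packet matching
    nothing hits the implied deny-all ingress rule at priority 65535."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, src_ip, port):
            return rule.action
    return "deny"

CORP_CIDR = "10.20.0.0/16"   # constructed "known good" CIDR

# Correct ordering: the CIDR allow outranks the catch-all deny.
RULES = (
    FirewallRule("allow-web-from-corp", 1000, "allow", (CORP_CIDR,), (443,)),
    FirewallRule("deny-web-from-anywhere", 2000, "deny", ("0.0.0.0/0",), (443,)),
)
# Misconfiguration to watch for: the same two rules, but the deny is given a
# lower (more important) priority number, which silently locks out the corp range.
MISORDERED_RULES = (
    FirewallRule("allow-web-from-corp", 1000, "allow", (CORP_CIDR,), (443,)),
    FirewallRule("deny-web-from-anywhere", 500, "deny", ("0.0.0.0/0",), (443,)),
)
```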

Discussion

17 comments
KILLMAD (Option: A)
Mar 9, 2020

Answer is A

dar10 (Option: B)
Feb 7, 2022

Cloud Armor is not available for Internal HTTP(S) load balancers. I'd vote for B. https://cloud.google.com/load-balancing/docs/features#security

zzaric
Apr 6, 2022

Internal LB will be used just for the backends; even if not mentioned, the end users will first hit the external LB, which works with CA, so the right answer is A

Jeanphi72 (Option: B)
Aug 4, 2022

See here: https://cloud.google.com/files/GCPDDoSprotection-04122016.pdf

DDoS Protection by enabling Proxy-based Load Balancing
○ When you enable HTTP(S) Load Balancing or SSL proxy Load Balancing, Google infrastructure mitigates and absorbs many Layer 4 and below attacks, such as SYN floods, IP fragment floods, port exhaustion, etc.
○ If you have HTTP(S) Load Balancing with instances in multiple regions, you are able to disperse your attack across instances around the globe.

Loved
Oct 26, 2022

You're right, but you want to enable only traffic from a specific CIDR, and Cloud Armor is the most efficient option as you can use it with the LB (with firewall rules you have to define at least one rule for each VPC)

shetniel (Option: B)
Feb 21, 2023

It is an internal web application and they need to allow access only for user traffic originating from a specific CIDR. They are fine with just default SYN flood protection. This can very well be handled by a VPC firewall rule.

ppandher (Option: B)
Oct 11, 2023

Can Cloud Armor be used for INTERNAL applications? I think NO, as it is used for external attacks, so the answer should be B, VPC Firewall Rules. Verified from ChatGPT 3.5

alilikpo (Option: B)
Jun 10, 2024

While Cloud Armor offers advanced DDoS protection, it's not the most suitable choice for restricting access based on known good CIDRs in this scenario. Cloud Armor excels at mitigating volumetric DDoS attacks like SYN floods, but its access control mechanisms aren't specifically designed for CIDR-based whitelisting.

alestrix (Option: B)
Jan 20, 2023

For CIDR check the firewall is sufficient and SYN flood protection is already given by the regular load balancer in front of the service. Armor gives much more than just SYN flood protection and given the statement "their application will only have SYN flood DDoS protection" this is another vote against Armor.

gcpengineer
May 21, 2023

The External Load Balancer (LB) does not provide built-in protection against SYN flood DDoS attacks

charlesdeng (Option: B)
Apr 20, 2024

For an internal web application, VPC Firewall Rules shall be used

GCP72 (Option: A)
Aug 26, 2022

The correct answer is A

AwesomeGCP (Option: A)
Oct 7, 2022

A. Cloud Armor

Premumar (Option: A)
Oct 27, 2022

Cloud Armor

AzureDP900 (Option: A)
Nov 5, 2022

Cloud Armor

Alokep (Option: A)
Nov 28, 2022

Answer A

civilizador (Option: B)
Feb 24, 2023

https://cloud.google.com/files/GCPDDoSprotection-04122016.pdf It doesn't say a word about Cloud Armor in the context of DDoS attacks because it is not the main feature of Cloud Armor. The DDoS mitigation best practices only mention Load Balancer, Firewall rules and CDN. So I don't know if it is either Firewall rules or CDN. Most likely Firewall rules, since CDN doesn't directly prevent the attack; it more distributes it through multiple global endpoints. A little bit tricky question.

civilizador
Jun 14, 2023

The question clearly indicates that requests should be allowed only if originating from a specific CIDR, so the answer is firewall rules

ppandey96 (Option: A)
Mar 30, 2023

https://cloud.google.com/blog/products/identity-security/how-google-cloud-blocked-largest-layer-7-ddos-attack-at-46-million-rps

pfilourenco (Option: A)
Jun 17, 2023

Answer is A

mildi (Option: A)
Jul 10, 2023

Answer A if no Load balancer used

mildi
Jul 10, 2023

I mean B if no load balancer used