Exam: Professional Cloud Developer
Question 128

Your web application is deployed to the corporate intranet. You need to migrate the web application to Google Cloud. The web application must be available only to company employees and accessible to employees as they travel. You need to ensure the security and accessibility of the web application while minimizing application changes. What should you do?

    Correct Answer: B

    To ensure the web application's security and accessibility with minimal changes, configuring Identity-Aware Proxy (IAP) to allow employees to access the application through its public IP address is the most suitable solution. IAP provides a centralized, scalable authorization layer that uses existing corporate identity providers to authenticate users. It allows employees to securely access the application from any location, which is essential for employees who travel. IAP manages access control at the application level, ensuring that only authorized users can reach the application, thus making it both secure and accessible without demanding significant changes to the web application.

Discussion
Blueocean (Option: B)

Agree with Option B

TNT87

Why public IP, yet it must be accessible to the employees only? B is wrong.

tuanbo91

it's Google public IP, https://cloud.google.com/iap/docs/managing-access

TNT87

If it's B, it must not use public IP. That makes B wrong. The answer is C. It's already in the corporate intranet, why use public IP?

mrvergara

How are the users going to authenticate to Compute Engine?

tuanbo91 (Option: B)

B is correct.

micoams (Option: B)

B, while employees are traveling, they don't have access to the intranet, so they need to use the public IP. IAP secures the public endpoint.

tomato123 (Option: C)

C seems right

BackendBoi (Option: C)

I tend to C. A is bad because sending the credentials in each HTTP(S) request is bad and inefficient. B requires each user to have a Google Workspace account, which is not a given for the corporate intranet. On top of that, there is no mention that the application checks for the token in the header, so a public IP would still expose the application. C would work, but it's ineffective. D is useless if the application is still exposed through the public IP. None of these solutions are great, but C is the least bad of the bunch.

dishum

You couldn't opt for any one? I suggest you skip this in the exam :)

Pime13 (Option: B)

I'd choose B: https://cloud.google.com/blog/topics/developers-practitioners/control-access-your-web-sites-identity-aware-proxy

omermahgoub (Option: C)

This approach allows you to use Google Cloud infrastructure to authenticate users against the corporate intranet before providing access to the web application, without making major changes to the web application. By configuring a Compute Engine instance as a proxy and changing the web application's DNS to point to this proxy, you can ensure that only employees who have been authenticated against the corporate intranet are able to access the web application. This approach also allows the employees to access the web application while they are traveling, as long as they have internet access.

omermahgoub

Identity-Aware Proxy (IAP) is a feature of Google Cloud Platform that allows you to secure access to resources by using identity and context-based access control. IAP allows you to restrict access to a resource (such as a web application) to only authenticated and authorized users or service accounts. However, in this scenario, since the web application is hosted on the corporate intranet, it will not have a public IP address and it will not be accessible from the internet. And it's not possible to use IAP to restrict access to an intranet-hosted application by its IP address.

omermahgoub

Additionally, IAP is designed to work with resources that are hosted on Google Cloud, and it may not be possible to configure it to work with an intranet-hosted application without making significant changes to the application and the intranet infrastructure. That's why the best solution would be to use a VPN connection or a reverse proxy to allow employees to access the application as if they were on the intranet while they are traveling or to secure the access to the intranet-hosted web application from the internet.

zellck (Option: B)

B is the answer. https://cloud.google.com/iap/docs/concepts-overview IAP lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls. IAP policies scale across your organization. You can define access policies centrally and apply them to all of your applications and resources. When you assign a dedicated team to create and enforce policies, you protect your project from incorrect policy definition or implementation in any application.

akshaychavan7 (Option: C)

I would completely agree with BackendBoi's comment. I would have picked option B only if it had not said to access through the public IP. Out of all the options, option C seems the best pick. I had read somewhere that the proxy Compute Engine instance is used for securing access to the main Compute Engine instance hosting the application.

thewalker (Option: B)

The best solution here is B. Configure Identity-Aware Proxy to allow employees to access the application through its public IP address. Here's why: Minimal Application Changes: Identity-Aware Proxy (IAP) is designed to handle authentication and authorization without requiring significant changes to your web application. It acts as a secure gateway, intercepting requests and verifying user identities before forwarding them to your application. Secure Access: IAP provides strong security by integrating with your existing corporate identity provider (e.g., Google Workspace, Active Directory). It ensures that only authorized employees with valid credentials can access the application.

thewalker

Accessibility for Traveling Employees: IAP allows employees to access the application from anywhere with an internet connection, as long as they have the necessary credentials. This eliminates the need for VPNs or other complex network configurations. Centralized Management: IAP simplifies security management by providing a centralized platform for controlling access to your application. You can easily add or remove users, define access policies, and monitor activity. Why other options are less ideal: A. Authentication in the Application: This approach requires significant changes to your web application to handle authentication logic, which can be complex and error-prone. It also doesn't provide the same level of security and centralized management as IAP.

thewalker

C. Proxy Compute Engine Instance: While this approach could work, it requires setting up and managing a separate Compute Engine instance, which adds complexity and overhead. It also doesn't leverage the built-in security features of IAP. D. HTTP Redirect: This approach would expose your web application's public IP address, potentially compromising security. It also doesn't provide the same level of authentication and authorization as IAP. In summary: Identity-Aware Proxy is the most efficient and secure way to migrate your web application to Google Cloud while ensuring accessibility for traveling employees and minimizing application changes. It provides a robust and centralized solution for authentication, authorization, and secure access control.

alpha_canary (Option: B)

B is the answer. IAP is the solution in these kinds of scenarios. Don't be alerted by the mention of public IP. It's completely fine to deploy an internal app on a public IP as long as you have proper authentication. Since the question mentions "accessible to employees as they travel", this is how many companies deploy such internal tools.

Rajan (Option: B)

I will go with B.
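
On the concern raised in the thread that a public IP could still expose the application: IAP only sees requests that arrive through the HTTPS load balancer, so any firewall rule that lets other sources reach the backend's web ports is a path around it. The audit below is an added example, not part of the original discussion; it assumes rules shaped like `gcloud compute firewall-rules list --format=json` output, and the rule names, the `intranet-web` tag and the port set are constructed for illustration.

```python
import ipaddress

# Source ranges Google documents for its HTTP(S) load balancer proxies and health checks.
GOOGLE_LB_RANGES = [ipaddress.ip_network(n) for n in ("130.211.0.0/22", "35.191.0.0/16")]
WEB_PORTS = {80, 443, 8080}  # assumption: ports the backend serves on

def _covers_web_port(allowed):
    """True if one 'allowed' entry opens any port in WEB_PORTS."""
    if allowed.get("IPProtocol") not in ("tcp", "all"):
        return False
    ports = allowed.get("ports")
    if not ports:  # no port list means every port
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if any(int(lo) <= p <= int(hi or lo) for p in WEB_PORTS):
            return True
    return False

def _inside_lb(net):
    return any(net.version == lb.version and net.subnet_of(lb) for lb in GOOGLE_LB_RANGES)

def iap_bypass_rules(rules, backend_tag):
    """Names of enabled ingress allow rules that let non-load-balancer
    source ranges reach the backend's web ports (source tags are not evaluated)."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction") != "INGRESS":
            continue
        tags = rule.get("targetTags")
        if tags and backend_tag not in tags:
            continue  # rule does not apply to the backend
        if not any(_covers_web_port(a) for a in rule.get("allowed", [])):
            continue
        sources = [ipaddress.ip_network(s) for s in rule.get("sourceRanges", [])]
        if any(not _inside_lb(s) for s in sources):
            findings.append(rule["name"])
    return findings

# Constructed sample rules, not taken from any real project.
SAMPLE_RULES = [
    {"name": "allow-lb-to-web", "direction": "INGRESS", "targetTags": ["intranet-web"],
     "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"], "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
    {"name": "allow-any-https", "direction": "INGRESS", "targetTags": ["intranet-web"],
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "allow-ssh-admin", "direction": "INGRESS",
     "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "old-wide-open", "disabled": True, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
]

if __name__ == "__main__":
    print(iap_bypass_rules(SAMPLE_RULES, "intranet-web"))
```

A clean result here covers only the network path; checking the signed header that IAP attaches to each request inside the application remains a separate control.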