Learn the most secure approach to configure access control for a web application with public and restricted microservices deployed on Cloud Run, while minimizing complexity.
Table of Contents
Question
You are developing a web application that will be deployed to production on Cloud Run. The application consists of multiple microservices, some of which will be publicly accessible and others that will only be accessible after authentication by Google identities. You need to ensure that only authenticated users can access the restricted services, while allowing unrestricted access to the public services of the application. You want to use the most secure approach while minimizing management overhead and complexity. How should you configure access?
A. Enable Identity-Aware Proxy (IAP) for all microservices. Develop a new microservice that checks the authentication requirements for each application and controls access to the respective services.
B. Enable Identity-Aware Proxy (IAP) for all microservices. Manage access control lists (ACLs) for the restricted services, and configure allAuthenticatedUsers access to the public services.
C. Use Cloud Endpoints with Firebase Authentication for all microservices. Configure Firebase rules to manage access control lists (ACLs) for each service, allowing access to the public services.
D. Configure separate Cloud Run services for the public and restricted microservices. Enable Identity-Aware Proxy (IAP) only for the restricted services, and configure the Cloud Run ingress settings to ‘Internal and Cloud Load Balancing’.
Answer
D. Configure separate Cloud Run services for the public and restricted microservices. Enable Identity-Aware Proxy (IAP) only for the restricted services, and configure the Cloud Run ingress settings to ‘Internal and Cloud Load Balancing’.
Explanation
The most secure and efficient approach to control access to your web application’s microservices on Cloud Run is to:
- Deploy the public and restricted microservices as separate Cloud Run services. This provides a clear separation between the services based on their access requirements.
- Enable Identity-Aware Proxy (IAP) only for the restricted services that require authentication. IAP uses Google identities to authenticate users and control access to the services, ensuring that only authorized users can access the restricted microservices.
- Configure the Cloud Run ingress settings for the restricted services to ‘Internal and Cloud Load Balancing’. This setting allows the restricted services to be accessed only through the internal load balancer, providing an additional layer of security.
- Leave the public microservices accessible without IAP, allowing unrestricted access to these services.
By deploying separate Cloud Run services for public and restricted microservices and selectively enabling IAP, you can ensure that only authenticated users can access the restricted services while allowing unrestricted access to the public services. This approach provides a secure and manageable solution without introducing unnecessary complexity.
Enabling IAP for all microservices (options A and B) would unnecessarily restrict access to the public services and increase management overhead. Using Cloud Endpoints with Firebase Authentication (option C) would add complexity to the setup and may not provide the same level of security as IAP.
Therefore, option D offers the most secure and efficient approach to control access to your web application’s microservices on Cloud Run.
Google Professional Cloud Developer certification exam assessment practice question and answer (Q&A) dump including multiple choice questions (MCQ) and objective type questions, with detail explanation and reference available free, helpful to pass the Google Professional Cloud Developer exam and earn Google Professional Cloud Developer certification.