Google Professional Cloud Security Engineer: How to Block IP Addresses from Accessing Your Website Behind Application Load Balancer on Google Cloud?

Learn the best way to deny-list a known range of attacker IP addresses from accessing your website that is exposed to the internet through a Google Cloud Application Load Balancer. Use Cloud Armor policies to protect your web application.

Question

There is a threat actor that is targeting organizations like yours. Attacks are always initiated from a known IP address range. You want to deny-list those IPs for your website, which is exposed to the internet through an Application Load Balancer. What should you do?

A. Create a Cloud Armor policy with a deny-rule for the known IP address range. Attach the policy to the backend of the Application Load Balancer.
B. Activate Identity-Aware Proxy for the backend of the Application Load Balancer. Create a firewall rule that only allows traffic from the proxy to the application.
C. Create a log sink with a filter containing the known IP address range. Trigger an alert that detects when the Application Load Balancer is accessed from those IPs.
D. Create a Cloud Firewall policy with a deny-rule for the known IP address range. Associate the firewall policy to the Virtual Private Cloud with the application backend.

Answer

A. Create a Cloud Armor policy with a deny-rule for the known IP address range. Attach the policy to the backend of the Application Load Balancer.

Explanation

Here’s why this is the best approach:

  • Cloud Armor provides DDoS defense and IP allow/deny-listing capabilities for websites exposed through Google Cloud HTTP(S) load balancers, including the Application Load Balancer.
  • By creating a Cloud Armor security policy with a deny-rule for the known range of attacker IP addresses, you can block those IPs from even reaching your web application backend.
  • The Cloud Armor policy is attached to the backend of the Application Load Balancer, filtering traffic before it gets routed to your web servers.
  • This is the simplest and most effective way to block the threat actor at the earliest point, preventing their requests from consuming backend resources.
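
The configuration described above, written out as Terraform (an added example, not part of the original page or any Google sample): a Cloud Armor security policy with a high-priority deny rule for the attacker ranges, a default allow rule, and the policy attached to the backend service that sits behind the Application Load Balancer. The policy and backend names, the two IP ranges (documentation ranges used as placeholders), and the instance group and health check variables are assumptions.

```hcl
# Assumed to already exist: the instance group serving the web app and its health check.
variable "web_instance_group" { type = string }
variable "web_health_check" { type = string }

resource "google_compute_security_policy" "deny_known_attackers" {
  name        = "deny-known-attackers"
  description = "Deny-list the threat actor's known source ranges"

  # Priority 1000 is evaluated before the default rule: matching clients get a 403
  # at the load balancer edge and never reach the backend.
  rule {
    action      = "deny(403)"
    priority    = 1000
    description = "Block known attacker IP ranges (placeholder ranges)"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["203.0.113.0/24", "198.51.100.0/24"]
      }
    }
  }

  # Mandatory default rule at the lowest priority: everything else is allowed.
  rule {
    action      = "allow"
    priority    = 2147483647
    description = "Default allow rule"
    match {
      versioned_expr = "SRC_IPS_V1"
      config {
        src_ip_ranges = ["*"]
      }
    }
  }
}

# Attaching the policy to the backend service is what puts it in the request path.
resource "google_compute_backend_service" "web_backend" {
  name                  = "web-backend"
  protocol              = "HTTP"
  load_balancing_scheme = "EXTERNAL_MANAGED"
  health_checks         = [var.web_health_check]
  security_policy       = google_compute_security_policy.deny_known_attackers.self_link

  backend {
    group = var.web_instance_group
  }
}
```

After `terraform apply`, `gcloud compute backend-services describe web-backend --global` should list the policy under `securityPolicy`, and denied requests appear in the load balancer's request logs with the policy and rule that matched, which is the detection signal to watch while the deny-list is in place.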

The other options are not ideal for this use case:

  • Identity-Aware Proxy is used for authenticating and authorizing users, not blocking IP addresses.
  • Log sinks and alerts can help you monitor when the Application Load Balancer is accessed from the attacker IPs, but don’t actually block the traffic.
  • Associating a Cloud Firewall policy with the VPC that hosts the application backend would block the IPs at the network level, but only after the traffic has already passed through the load balancer. Cloud Armor deny-listing is more efficient because it stops the requests at the edge.

In summary, configuring a Cloud Armor policy to deny-list the known attacker IPs and attaching it to your Application Load Balancer backend is the recommended way to proactively protect your externally facing web application on Google Cloud Platform.