GCP Professional Cloud Architect Practice Question
Your company is moving an internal reporting portal to Cloud Run (fully managed). The service will be published on a custom domain through an external HTTP(S) load balancer. Regulators require that only employees who 1) authenticate with their Google Workspace accounts, 2) use company-managed laptops validated by Endpoint Verification, and 3) originate traffic from EU member-state IP ranges can reach the portal. The security team wants a VPN-less solution managed from a single, organization-level control that can later be reused. What should you do?
Deploy the portal on a private Cloud Run service behind an internal load balancer and use Firebase Authentication in the application to restrict access from managed laptops.
Implement Identity Platform tokens verified by a Cloud Function that checks device serial numbers stored in Secret Manager, and place Cloud CDN in front of the load balancer to accept traffic only from EU locations.
Attach a Cloud Armor policy that blocks non-EU IP addresses, require staff to use the corporate VPN with allow-listed egress IPs, and grant employees the Cloud Run Invoker role.
Enable Identity-Aware Proxy on the load balancer and create an organization-level Context-Aware Access custom access level that requires Google Workspace authentication, Endpoint Verification-validated devices, and EU source IP ranges; attach this access level to the Cloud Run backend service.
Identity-Aware Proxy (IAP) can secure Cloud Run services exposed through an external HTTP(S) load balancer. When combined with Context-Aware Access, you attach custom access levels that describe who is allowed and under which context their requests are accepted. A single custom access level can simultaneously require Google Workspace authentication, Endpoint Verification-compliant devices, and IP addresses belonging to EU ranges. The policy is defined once at the organization level and can be reused for any other IAP-protected backend, giving central management without forcing employees onto a VPN. The alternative approaches either lack device or identity checks, depend on VPN connectivity, or duplicate built-in capabilities with custom code.
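A sketch of what such an access level could look like, added here as an illustration and not taken from the question or from Google's answer key. The level name `eu_managed_devices`, the file name, `POLICY_ID`, `BACKEND_SERVICE` and `example.com` are placeholders, and it assumes that "company-managed laptop" maps to the Endpoint Verification corp-owned flag and that "EU source IP" is expressed through the request's geolocated region code.

```yaml
# eu_managed_devices.yaml: custom access level spec (CEL expression).
# Placeholder names throughout; adjust to your organization's access policy.
#
# Both conditions must hold for a request to satisfy the level:
#   1. The device is reported by Endpoint Verification and is marked
#      company-owned in the device inventory.
#   2. The source IP geolocates to one of the 27 EU member states
#      (ISO 3166-1 alpha-2 codes).
# Identity is not part of the access level: IAP authenticates the Google
# account, and the IAM binding below limits access to the Workspace domain.
expression: >-
  device.is_corp_owned_device == true &&
  origin.region_code in [
    'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI',
    'FR', 'DE', 'GR', 'HU', 'IE', 'IT', 'LV', 'LT', 'LU',
    'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE'
  ]

# Create the level once in the organization-level access policy:
#
#   gcloud access-context-manager levels create eu_managed_devices \
#     --title="EU managed devices" \
#     --custom-level-spec=eu_managed_devices.yaml \
#     --policy=POLICY_ID
#
# Reference it from the IAP-protected backend service with a conditional
# IAM binding (the same level can be reused on any other IAP backend):
#
#   gcloud iap web add-iam-policy-binding \
#     --resource-type=backend-services \
#     --service=BACKEND_SERVICE \
#     --member="domain:example.com" \
#     --role="roles/iap.httpsResourceAccessor" \
#     --condition='expression="accessPolicies/POLICY_ID/accessLevels/eu_managed_devices" in request.auth.access_levels,title=eu-managed-devices'
```

A request that authenticates successfully but fails either device or region check is rejected by IAP before it reaches the Cloud Run service, which is where to look in the IAP audit logs when users report unexpected denials.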
GCP Professional Cloud Architect
Designing for security and compliance