GCP Professional Cloud Architect Practice Question

Your company runs a customer-facing ecommerce application on regional GKE clusters in us-central1 and europe-west1. Traffic is served through a global external HTTP(S) load balancer with Cloud CDN enabled. The security team requires (1) automatic mitigation of large-scale DDoS and OWASP Top 10 attacks at the edge and (2) detection of command-and-control or malware traffic inside the VPC without installing host agents. Which solution meets both requirements with minimal ongoing operations?

  • Use Cloud CDN signed URLs to absorb DDoS attacks and analyze VPC Flow Logs in Cloud Logging and Security Command Center to detect malicious traffic patterns.

  • Create a bastion host secured by OS Login, add rate-limiting VPC firewall rules on the load balancer, and use Packet Mirroring to send traffic to a self-managed Suricata IDS cluster.

  • Replace the HTTP(S) load balancer with a TCP Proxy Load Balancer that has Google-managed protection enabled and rely on GKE network policies for internal threat detection.

  • Attach a Cloud Armor policy with adaptive DDoS protection and WAF rules to the HTTP(S) load balancer and create Cloud IDS endpoints in each regional subnet to monitor VPC traffic.

GCP Professional Cloud Architect
Managing and provisioning a solution infrastructure