GCP Professional Cloud Architect Practice Question
Your security team must add network-based threat detection to a group of Google Cloud projects that host external web applications behind global external HTTP(S) load balancers and several internal microservices that communicate across VPC peered networks. The solution must:

- detect known malware, command-and-control activity, and lateral movement in both north-south (internet-facing) and east-west (VPC-to-VPC) traffic;
- be fully managed and kept current by the provider, leveraging industry-standard threat signatures;
- avoid adding latency or changing the routing path for production packets; and
- automatically surface high-fidelity findings in Security Command Center without additional tooling.

Which architecture best meets all of these requirements?
- Enable VPC Flow Logs at 100 percent sampling, export logs to Cloud Logging, and build log-based metrics with Cloud Monitoring alerts for suspicious patterns across all VPC networks.
- Attach Cloud Armor web application firewall policies and Adaptive Protection to all external HTTP(S) load balancers and rely on its threat intelligence feeds for both north-south and east-west traffic inspection.
- Create Cloud IDS endpoints in each required region, configure Packet Mirroring in every relevant subnet and load balancer backend to mirror traffic to the endpoints, and rely on Cloud IDS's native integration with Security Command Center for alerting.
- Provision Suricata IDS instances behind an internal TCP load balancer and update subnet routes so that all application and inter-service traffic is forced through the Suricata tier before reaching its destination.
Cloud IDS is Google Cloud's managed network-based intrusion detection service built with Palo Alto Networks technology. You deploy a Cloud IDS endpoint in each region and use Packet Mirroring policies to send copies of selected traffic streams to the service, both from external load balancer backends (north-south) and between VPC networks (east-west). Because Packet Mirroring forwards copies of packets, it does not introduce in-line latency or require routing changes. Cloud IDS is maintained by Google, automatically updated with the latest threat signatures, and its detections are published directly to Security Command Center.
Cloud Armor provides L7 DDoS and WAF protection but does not inspect east-west traffic or offer full intrusion detection. VPC Flow Logs with custom metrics give useful visibility but do not perform signature-based threat detection. Running Suricata yourself would satisfy detection goals but is self-managed and requires steering traffic through the instance, adding latency and operational burden. Therefore, using Cloud IDS with Packet Mirroring is the only option that fulfills all stated constraints.