GCP Professional Cloud Security Engineer Practice Question
Your company hosts an internal admin UI on Compute Engine VMs behind an external HTTP(S) load balancer. You must expose the UI to selected contractors who use their own Google Workspace identities, but block everyone else, including employees, unless their device meets company policies and the request is made during business hours. You want to avoid deploying a VPN, modifying application code, or distributing client certificates. Which Google Cloud feature provides the most appropriate control?
Private Service Connect endpoint for the service, restricted through IAM permissions
Cloud Armor security policy using custom rules and threat-intelligence-based blocking
VPC firewall rules that allow ingress only from approved source IP ranges and target tags
Identity-Aware Proxy with context-aware access levels bound to the load balancer's backend service
Identity-Aware Proxy (IAP) can sit in front of an external HTTP(S) load balancer and evaluate each request against IAM policy and context-aware access levels. By combining an IAP-secured Web App User role with access levels that check user group membership, device posture, and time-based conditions, you achieve a zero-trust model without altering the application or requiring a VPN. Cloud Armor inspects L7 traffic but cannot enforce identity or device context. VPC firewall rules filter only on IP, protocol, and tags, not on user or device attributes. Private Service Connect provides private networking paths but leaves authentication and contextual enforcement to the backend, so it does not natively satisfy the stated requirements.
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection