GCP Professional Cloud Security Engineer Practice Question
Your company is launching a multi-region e-commerce platform on Google Cloud. A global external Application Load Balancer has already been deployed to distribute traffic to GKE back-ends. Security policy requires that traffic is encrypted with a certificate that is automatically provisioned and rotated by Google and that a single certificate secures both shop.example.com and api.example.com. Which approach meets these requirements with the least operational effort?
Create a Google-managed certificate resource in Certificate Manager that lists both hostnames, update public A and AAAA records to resolve the names to the load balancer's global forwarding rule IP, and attach the certificate to the load balancer's target HTTPS proxy.
Annotate the GKE Ingress with the ssl-cert annotation and create two separate managed certificates, one per hostname; rely on the Kubernetes Ingress controller to terminate TLS on the GKE nodes.
Enable Cloud Armor Advanced on the load balancer and select automatic SSL; Google will issue and rotate certificates without further configuration.
Generate a CSR on a bastion host, purchase a public certificate for each hostname, import the certificates and private keys into Cloud Key Management Service, and reference them from the backend services.
Google-managed SSL certificates are free, support multiple hostnames on a single certificate, and are automatically provisioned and renewed by Google. To allow Google to obtain and validate the certificate, you must 1) create a managed certificate resource listing all required DNS names, 2) make sure public A or AAAA records for each hostname map to the load balancer's global forwarding-rule IP address, and 3) bind the certificate to the HTTPS target proxy used by the external Application Load Balancer for TLS termination. No private key handling, manual renewals, or per-backend configuration is required. The other options either rely on self-managed certificates, unavailable "automatic SSL" features, or place TLS termination on GKE rather than the Application Load Balancer, and therefore do not satisfy the stated constraints or add unnecessary operational overhead.
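An added example (not part of the original question, and not Google's tooling) of a pre-flight check for step 2 of the explanation: it confirms that every A and AAAA record for the hostnames on the certificate resolves to the load balancer's forwarding-rule IP, on the assumption that a record pointing elsewhere can hold up domain validation. The addresses and record sets are constructed sample data, and `check_hostname` and `preflight` are hypothetical helper names.

```python
import ipaddress

# Constructed sample data: documentation-range addresses, not real endpoints.
LB_IPS = {"203.0.113.10", "2001:db8::10"}  # assumed forwarding-rule IPv4 / IPv6
SAMPLE_RECORDS = {
    "shop.example.com": {"A": ["203.0.113.10"], "AAAA": ["2001:DB8:0:0:0:0:0:10"]},
    "api.example.com": {"A": ["203.0.113.10", "198.51.100.7"], "AAAA": []},
}


def _norm(addrs):
    """Canonicalise addresses so equivalent IPv6 spellings compare equal."""
    return {str(ipaddress.ip_address(a)) for a in addrs}


def check_hostname(records, lb_ips):
    """Return a list of problems for one hostname's A/AAAA record sets."""
    lb = _norm(lb_ips)
    found = _norm(records.get("A", []) + records.get("AAAA", []))
    problems = []
    if not found:
        problems.append("no A or AAAA record published")
    # Any address outside the load balancer's set is reported as a stray record.
    for stray in sorted(found - lb):
        problems.append(f"record points away from the load balancer: {stray}")
    return problems


def preflight(hostnames, records_by_host, lb_ips):
    """Map each hostname on the certificate to its list of DNS problems."""
    return {h: check_hostname(records_by_host.get(h, {}), lb_ips) for h in hostnames}


if __name__ == "__main__":
    report = preflight(["shop.example.com", "api.example.com"], SAMPLE_RECORDS, LB_IPS)
    for host, problems in report.items():
        print(host, "OK" if not problems else problems)
```

In practice the record sets would come from a resolver query against public DNS rather than from an inline dictionary.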
GCP Professional Cloud Security Engineer
Securing communications and establishing boundary protection