PROFESSIONAL-CLOUD-DEVELOPER Question #364: Real Exam Question with Answer & Explanation

The correct answer is D: Use an external Application Load Balancer with Cloud Armor, and configure the load balancer to.

Securing Applications

Question

You are designing a microservices application on GKE that will expose a public API to users. Users will interact with the application by using OAuth 2.0, and illegitimate requests should receive a 403 response code. You need the API to be resilient against distributed denial of service (DDoS) attacks and critical security risks such as SQL injection (SQLi) and cross-site scripting (XSS). You want to design the application's architecture while following Google-recommended practices. What should you do?

Options

  • A. Install Service Mesh in your GKE cluster. Configure Service Mesh user authentication to integrate
  • B. Run an Apache HTTP server on Cloud Run to expose a service with a public IP address.
  • C. Use an external Application Load Balancer with Cloud Armor. Integrate Cloud Armor with
  • D. Use an external Application Load Balancer with Cloud Armor, and configure the load balancer to

Explanation

This architecture provides a robust and secure setup for public APIs on GKE:

  • External Application Load Balancer: It allows you to manage incoming traffic and adds resilience against DDoS attacks.
  • Cloud Armor: Protects against DDoS, SQL injection, XSS, and other critical threats with pre-configured WAF (Web Application Firewall) rules.
  • Apigee: As an API management layer, Apigee can handle OAuth 2.0, manage API authentication and authorization, and provide additional security features for API traffic validation.
  • GKE as the backend: The load balancer can forward validated traffic to the GKE cluster, where the microservices run.

This solution follows Google-recommended practices by leveraging Apigee for API security, Cloud Armor for DDoS protection and threat mitigation, and an external load balancer for resilient traffic management.

Topics

#Network Security #Load Balancing #GKE Networking #API Protection
