A startup is building a web application and wants to protect it from common web attacks like SQL injection and cross-site scripting. Which Google Cloud product provides web application firewall (WAF) capabilities?
Cloud Armor is Google Cloud's WAF. It includes preconfigured rule sets for OWASP Top 10 vulnerabilities including SQL injection and XSS, and operates at the application layer (Layer 7) where it can inspect HTTP requests. It also provides DDoS protection.
Why this answer
Cloud Armor is Google Cloud's web application firewall (WAF) service. It provides preconfigured rules to detect and block common web attacks, including SQL injection and cross-site scripting (XSS), as well as other OWASP Top 10 threats. It integrates with Cloud Load Balancing and allows you to create custom security policies with rate limiting, IP allow/deny lists, and managed rule sets. This makes it the correct choice for protecting a web application at the application layer.
Exam trap
The trap here is confusing network-layer firewalls (Cloud Firewall) with application-layer WAFs (Cloud Armor). Candidates choose Option A because it has 'Firewall' in its name, just as the question asks for a web application firewall, but the two operate at completely different layers of the OSI model.
How to eliminate wrong answers
Option A is wrong because Cloud Firewall operates at the network layer (Layer 3/4), controlling traffic based on IP addresses, ports, and protocols, and does not inspect application-layer payloads for SQL injection or XSS.
Option C is wrong because VPC Service Controls are designed to prevent data exfiltration by creating perimeters around Google Cloud services, not to inspect HTTP/HTTPS traffic for web attacks.
Option D is wrong because Security Command Center is a security management and vulnerability detection platform that identifies misconfigurations and threats across resources, but it does not provide inline WAF rule enforcement to block malicious requests in real time.