A company wants to use Cloud Armor to block traffic from specific countries to comply with data sovereignty requirements. They have a global HTTP Load Balancer configured. Where should they configure the Cloud Armor policy?
Cloud Armor policies are applied to backend services.
Why this answer
Cloud Armor security policies are attached to a backend service (or backend bucket) of the global external HTTP(S) Load Balancer, and the policy is enforced at Google's edge before a request is forwarded to the backend. A rule that matches on the client's country (the `origin.region_code` attribute in the rule expression) with a deny action therefore blocks those requests without any change to VPC networking or firewall rules. One caveat a practitioner should keep in mind: the country is derived from Google's geolocation of the client IP address, so the control is only as accurate as that mapping (for example, clients behind a VPN or proxy are classified by the exit address).
Exam trap
Google Cloud often tests the misconception that Cloud Armor is a VPC-level firewall feature, which leads candidates to pick VPC firewall rules or a network-level attachment. In fact a Cloud Armor security policy is attached to a load balancer backend service and operates at the application layer on Google's global edge.
How to eliminate wrong answers
Option A is wrong because Cloud Armor policies are not attached to VPC networks; they are applied to load balancer backend services or backend buckets, not to the underlying network infrastructure. Option C is wrong because Organization Policy constraints are used for governance controls (e.g., restricting resource locations) and cannot filter traffic by country at the application layer. Option D is wrong because firewall rules operate at the network layer (IP/port) within a VPC and cannot inspect HTTP request attributes like geographic origin; Cloud Armor uses Google's global edge infrastructure for geolocation-based filtering.
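The configuration described above, as an added example (not from the original page): a POSIX shell script that creates a Cloud Armor security policy, adds a geo-based deny rule, and attaches the policy to the global backend service. The policy name, backend service name and country codes are placeholders chosen here, and gcloud must be authenticated against the target project; with DRY_RUN=1 the script prints the gcloud commands instead of running them.

```shell
#!/bin/sh
# Added example: block listed countries with a Cloud Armor backend security policy.
# Assumptions (not from the page): policy name, backend service name and the
# country codes are placeholders; gcloud must be authenticated against the
# project. Set DRY_RUN=1 to print the gcloud commands instead of running them.

# Build the Cloud Armor rule expression for a list of ISO 3166-1 alpha-2
# country codes, e.g. "CN RU" -> "origin.region_code in ['CN', 'RU']".
geo_block_expression() {
    list=""
    for code in "$@"; do
        if [ -z "$list" ]; then
            list="'$code'"
        else
            list="$list, '$code'"
        fi
    done
    printf "origin.region_code in [%s]\n" "$list"
}

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the policy, add the geo-deny rule, attach it to the backend service.
# Usage: apply_geo_block POLICY BACKEND_SERVICE COUNTRY_CODE...
apply_geo_block() {
    policy="$1"; backend="$2"; shift 2
    rule_expr="$(geo_block_expression "$@")"

    run gcloud compute security-policies create "$policy" \
        --description "Deny traffic from listed countries (data sovereignty)"

    # Lower priority number = evaluated first. The policy's default rule
    # (priority 2147483647) stays "allow", so all other traffic passes.
    run gcloud compute security-policies rules create 1000 \
        --security-policy "$policy" \
        --expression "$rule_expr" \
        --action deny-403 \
        --description "Geo block"

    # The attachment point the question asks about: the backend service of
    # the global external HTTP(S) load balancer, not the VPC or a firewall.
    run gcloud compute backend-services update "$backend" \
        --security-policy "$policy" \
        --global
}

# Check which policy is attached to a global backend service.
show_attached_policy() {
    run gcloud compute backend-services describe "$1" --global \
        --format "value(securityPolicy)"
}
```

Run it as `apply_geo_block sovereign-policy web-backend CN RU` once authenticated; `show_attached_policy web-backend` confirms the attachment. Because the policy is a separate resource, the same policy can be attached to every backend service behind the load balancer that must honour the sovereignty rule.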