Domain 3: Designing for Security and Compliance — GCP PCA Practice Question 43

How to approach this question

Securing Cloud Run involves two layers: Network security (Ingress settings) and Identity security (IAM Invoker role).

Full Answer

Securing a fully managed Cloud Run service requires configuring both network and identity controls. Setting Ingress to 'Internal' blocks all traffic originating from the public internet. Removing `allUsers` from the `Cloud Run Invoker` IAM role ensures that even if a request originates from within the VPC, the caller must present a valid Google-signed identity token to execute the service.

Common mistakes

Thinking Cloud Run is deployed inside a VPC subnet (D). Fully managed Cloud Run is serverless and exists outside your VPC; you use Serverless VPC Access or Internal Ingress to bridge the network gap.

You are deploying an internal microservice using Cloud Run. The service should only be accessible by other resources within your VPC network and should not be reachable from the public internet. Which TWO configurations must you apply to secure the Cloud Run service? (Select TWO)

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Professional Cloud Architect Practice Exam 3

More questions from this exam