🔵 Security & Compliance
Cloud Armor, VPC Service Controls, Security Command Center, BeyondCorp
🛡️ Cloud Armor
DDoS protection va WAF (Web Application Firewall) — HTTP(S) Load Balancer bilan birga. Security policies: allow/deny rules, IP geo-blocking, rate limiting. Managed protection rules: OWASP Top 10 (SQL injection, XSS). Cloud Armor Adaptive Protection — ML asosida DDoS detection. Standard va Plus tier.
🔒 VPC Service Controls
Service Perimeter — GCP xizmatlar (BigQuery, Cloud Storage, GCR) atrofida virtual chegara. Perimeterdan tashqaridan kirish bloklangan. Access levels — conditional access (IP, device, geo). Data exfiltration oldini olish. GCP projectlar guruhi uchun.
🔭 Security Command Center (SCC)
GCP security posture management. Findings: misconfigurations, vulnerabilities, threats. Asset inventory — barcha GCP resurslar. Standard tier: basic findings. Premium tier: threat detection (Event Threat Detection, Container Threat Detection), compliance reports (PCI, HIPAA). Organization darajasida.
🌐 BeyondCorp Enterprise & Identity
BeyondCorp — Zero Trust access model. VPN emas, context-based access: kim (identity), qaysi qurilma (device), qayerdan (location). Identity-Aware Proxy (IAP) — app ga kirish uchun Google identity. Cloud Identity — managed identity provider (user/group/device). Workforce Identity Federation — on-premises IdP integration.
📊 GCP Security Xizmatlar
| Xizmat | Himoya | Qatlam |
|---|---|---|
| Cloud Armor | DDoS, WAF, rate limit | Network/App (Layer 3-7) |
| VPC Service Controls | Service perimeter, data exfil | API/Service level |
| IAP | Identity-based app access | Application level |
| SCC | Posture, threats, compliance | Organization level |
| Cloud KMS | Encryption key management | Data level |
💡 Asosiy nuqtalar
- Cloud Armor: DDoS + WAF, HTTP(S) LB bilan
- VPC Service Controls: service perimeter, data exfiltration oldini olish
- SCC: security posture, misconfig, threat detection
- IAP: VPN emas, identity-based app access
- BeyondCorp: Zero Trust — identity + device + context
🎯 Imtihon maslahatlari
- Cloud Armor — faqat HTTP(S) LB bilan ishlaydi, TCP/UDP LB da yo'q
- VPC Service Controls = VPC firewall emas — API service perimeter, ikkisi birgalikda ishlatiladi
- IAP — "VPN o'rniga" keyword: browser orqali Google identity bilan GCE/GKE app ga kirish
- SCC Premium — threat detection (malware, crypto mining, brute force)
- BeyondCorp Enterprise = Google's internal Zero Trust, commercial product sifatida
⚠️ Ko'p adashadigan
- VPC Service Controls = VPC Firewall deb o'ylash: Firewall=network traffic, Service Controls=GCP API access
- Cloud Armor barcha LB da ishlaydi deb o'ylash — faqat Global HTTP(S) External LB
- IAP = VPN deb o'ylash — IAP VPN emas, application darajasida identity-based proxy
🧠 Eslab qolish: "AVIS" = Armor (DDoS/WAF), VPC Service Controls (perimeter), IAP (identity proxy), SCC (security posture) — GCP security 4 asosiy qatlam
Security & Compliance bo'yicha o'zingizni sinab ko'ring
Bepul interaktiv quiz, mock imtihon va to'liq darslar — CertMaster platformasida.
Bepul boshlash →