Question 1 - Google Apigee-API-Engineer Real Exam Questions [Jan 2026 Update]

Q: 1

As an Apigee API Engineer you attend a meeting where a Product Owner would like to release a new feature to customers. There are several teams in the meeting, Backend API team, Apigee API team, and the Security team. The feature will be exposed through the companies external facing website. The architecture allows the website to call the backend APIs directly. The security team raises a concern about the backend APIs being wide open to anyone inside the network, not just the external website. You are later contacted and asked for your teams impacts. How should you reply?

Options

Correct Answer:

Explanation

The security team's concern is about access control—specifically, that any internal service can call the backend APIs, not just the intended website. The current architecture bypasses any policy enforcement point. Recommending a design change to place an Apigee microgateway in front of the backend APIs directly solves this problem. The microgateway acts as a lightweight, containerized policy enforcement point for internal ("east-west") traffic. This allows the Apigee team to apply standard security policies like API key validation, OAuth, or IP-based access control, ensuring that only authorized clients (like the website) can access the backend services.

Why Incorrect

A. You should recommend an Apigee Edge Access Control policy: This policy would be ineffective because the question states the website calls the backend APIs directly, meaning traffic does not pass through the Apigee Edge gateway where policies are enforced.

B. You should recommend that the backend API's use TLS v12 to secure their APIs: TLS encrypts data in transit, protecting against eavesdropping. However, it does not solve the access control problem; an unauthorized internal client could still establish a valid TLS connection and call the API.

C. You should recommend the use of custom secure headers with time stamp verification: This creates a custom, non-standard security solution that is difficult to manage, scale, and audit. It is better to use a standard API management component like a microgateway for this purpose.

---

References

1. Google Cloud - Apigee Documentation

"About Apigee hybrid": This document explains the role of the hybrid runtime plane

which is based on a microgateway architecture. It states

"All API traffic passes through and is processed within the runtime plane... This allows you to leverage Apigee API management capabilities like security

traffic management

and analytics...". This supports using a microgateway as the policy enforcement point for API traffic.

Reference: Google Cloud Documentation > Apigee > Hybrid > gcp/apigee/hybrid/v1.8/about-hybrid

2. Google Cloud - Apigee Documentation

"Microgateway versus API proxy": This section clarifies the use case for a microgateway. It highlights that a key reason to use a microgateway is for "low latency for services that run in close proximity

" which is typical for internal traffic between a website's backend and other backend services within the same network or cloud environment.

Reference: Google Cloud Documentation > Apigee > Edge > private-cloud/v4.50.00/edge-microgateway-overview#microgatewayversusapiproxy

3. Google Cloud - Apigee Documentation

"Access Control policy": The documentation for this policy states

"The AccessControl policy lets you allow or deny access to your APIs by specific IP addresses." This confirms its function is access control

but its placement within an API proxy flow means it is only effective if traffic is routed through the Apigee gateway.

Reference: Google Cloud Documentation > Apigee > Edge > api-platform/reference/policies/access-control-policy

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE