Your organization hosts a sensitive web application on Google Cloud. To secure this application, you've created a VPC with dedicated subnets for its frontend and backend. You need to set up security controls to restrict incoming traffic, defend against web-based attacks, and monitor internal network activity. What should you do?