You have deployed several instances on Compute Engine. As a security requirement, instances cannot have a public IP address. There is no VPN connection between Google Cloud and your office, and you need to connect via SSH into a specific machine without violating the security requirements. What should you do?
Choose an answer
Tap an option to check your answer.
Correct answer: Configure Identity-Aware Proxy (IAP) for the instance and ensure that you have the role of IAP-secured Tunnel User. Use the gcloud command line tool to ssh into the instance..
Why this is the answer
The correct solution is to use Identity-Aware Proxy (IAP) for TCP forwarding. IAP allows you to establish a secure SSH connection to a Compute Engine instance that does not have a public IP address, without needing a VPN or bastion host. By assigning the IAP-secured Tunnel User role, you grant permission to use IAP for tunneling. The gcloud compute ssh command can then leverage IAP to connect to the private instance. Cloud NAT is used to allow instances without public IPs to initiate outbound connections to the internet, not to receive inbound connections like SSH. TCP Proxy Load Balancing is designed to distribute traffic across multiple instances for services, not for direct SSH access to a specific private instance. A bastion host would work, but it requires deploying and managing an additional instance, which is less secure and more complex than using IAP, especially when the goal is to avoid public IPs on the target instances.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed