
You are managing a set of virtual machines deployed on Google Cloud's Compute Engine. Due to security policies, these instances are not allowed to have public IP addresses. Additionally, your office does not have a VPN connection to Google Cloud, making direct private network connectivity unavailable. Despite these constraints, you need to establish an SSH connection to access a particular instance securely. What strategy should you employ to connect to the instance without violating the security requirements?

A. Configure Cloud NAT on the subnet where the instance is hosted. Create an SSH connection to the Cloud NAT IP address to reach the instance.

B. Add all instances to an unmanaged instance group. Configure TCP Proxy Load Balancing with the instance group as a backend. Connect to the instance using the TCP Proxy IP.

C. Configure Identity-Aware Proxy (IAP) for the instance and ensure that you have the role of IAP-secured Tunnel User. Use the gcloud command line tool to SSH into the instance.

D. Create a bastion host in the network to SSH into the bastion host from your office location. From the bastion host, SSH into the desired instance.
Explanation:

The correct answer is C: configure Identity-Aware Proxy (IAP) for the instance, make sure you hold the IAP-secured Tunnel User role, and use the gcloud command line tool to SSH into the instance. IAP TCP forwarding establishes an encrypted tunnel from your workstation through Google's IAP endpoint to the VM, over which SSH traffic is forwarded; the VM needs neither a public IP address nor a dedicated VPN connection, and access is gated by IAM identity rather than by network reachability. This satisfies the requirement that instances carry no public IP addresses while still providing secure SSH access.
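As an added example (not part of the original question page), the following script composes the three gcloud steps that make option C work: granting the IAP-secured Tunnel User role, opening port 22 only to IAP's TCP forwarding source range (35.235.240.0/20, Google's documented range), and opening the SSH session through the tunnel. The project, principal, network, tag, instance and zone names are placeholders; with DRY_RUN=1 (the default) the commands are printed rather than executed, so the script runs without gcloud or cloud credentials.

```shell
#!/bin/sh
# Added example: gcloud steps for SSH over IAP TCP forwarding.
# All names below (my-project, alice@example.com, my-instance, ...) are
# placeholders; replace them before running with DRY_RUN=0.

DRY_RUN="${DRY_RUN:-1}"

# IAP TCP forwarding connects to the VM from this documented source range.
IAP_RANGE="35.235.240.0/20"

# $1 = project id, $2 = user principal. Grants the IAP-secured Tunnel User
# role at project scope; a per-instance grant via IAP's resource-level IAM is
# the least-privilege alternative.
iap_role_cmd() {
  printf '%s' "gcloud projects add-iam-policy-binding $1 --member=user:$2 --role=roles/iap.tunnelResourceAccessor"
}

# $1 = rule name, $2 = VPC network, $3 = target tag on the instance.
# Admits TCP/22 only from IAP's range, so no 0.0.0.0/0 SSH rule is needed.
iap_firewall_cmd() {
  printf '%s' "gcloud compute firewall-rules create $1 --network=$2 --direction=INGRESS --allow=tcp:22 --source-ranges=$IAP_RANGE --target-tags=$3"
}

# $1 = instance name, $2 = zone. --tunnel-through-iap makes gcloud open the
# IAP tunnel and forward SSH through it instead of dialing the VM directly.
iap_ssh_cmd() {
  printf '%s' "gcloud compute ssh $1 --zone=$2 --tunnel-through-iap"
}

# Print or execute a composed command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY RUN: %s\n' "$1"
  else
    sh -c "$1"
  fi
}

run "$(iap_role_cmd my-project alice@example.com)"
run "$(iap_firewall_cmd allow-ssh-from-iap default iap-ssh)"
run "$(iap_ssh_cmd my-instance us-central1-a)"
```

The firewall rule is the step most often forgotten: without an ingress rule for 35.235.240.0/20 on port 22, the IAM grant alone does not let the tunnel reach the VM, and the gcloud command fails at the connection stage.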