
Answer-first summary for fast verification
Answer: 1. Allow ingress traffic from the IP range 35.235.240.0/20 on port 22. 2. Use the gcloud compute ssh command with the --tunnel-through-iap flag.
Option A is incorrect because attaching a public IP to the instances and allowing incoming connections from the internet on port 22 for SSH poses security risks, such as potential brute-force attacks and unauthorized access.
Option B is correct because using the gcloud compute ssh command with the --tunnel-through-iap flag leverages Google Cloud's Identity-Aware Proxy (IAP) for secure SSH access. IAP adds an additional layer of security by requiring user authentication and authorization before granting access. Allowing ingress traffic from the IP range 35.235.240.0/20 on port 22 ensures that only traffic from Google's IAP service can reach the instances, enhancing security.
Option C is incorrect as relying on a third-party tool for remote access might introduce complexity, additional costs, and potential compatibility issues.
Option D is incorrect because while creating a bastion host is a valid approach, it doesn't utilize Google Cloud's built-in IAP feature, which offers a more secure and managed way to handle instance access.
Author: LeetQuiz Editorial Team
As the lead security engineer at your organization, after migrating Linux VMs to Google Cloud, you need to ensure secure access to these VMs without incurring extra charges. What is the best approach?
A
B
C
Provide remote access to the instances using a third-party tool.
D