
Explanation:
Option C is the optimal choice because it uses Identity-Aware Proxy (IAP), a Google-managed service that provides secure, identity-based access without requiring public IPs on the VMs. This enhances security by enforcing context-aware access controls and reduces costs by eliminating the need for additional infrastructure like VPN gateways or jump hosts. The community discussion strongly supports C (89% consensus), highlighting IAP's managed security benefits and cost-effectiveness. Option A (site-to-site VPN) is less cost-effective for occasional access due to ongoing VPN costs. Option B (public IPs with firewall rules) exposes VMs to the internet, reducing security. Option D (jump host) incurs additional VM and maintenance costs, making it less efficient than the managed IAP solution.
You have multiple private Google Compute Engine virtual machines that you occasionally need to access via SSH from a remote location. You want to configure this remote access to be both highly secure and cost-effective.
What should you do?
A. Create a site-to-site VPN from your corporate network to Google Cloud.
B. Configure server instances with public IP addresses. Create a firewall rule to only allow traffic from your corporate IPs.
C. Create a firewall rule to allow access from the Identity-Aware Proxy (IAP) IP range. Grant the role of an IAP-secured Tunnel User to the administrators.
D. Create a jump host instance with public IP. Manage the instances by connecting through the jump host.