You have an administrative application running on port 5601 within a VM in a managed instance group. The VM resides in a Google Cloud VPC and currently has no internet access. You need to securely expose the web interface on port 5601 to users, requiring them to authenticate with their Google credentials.

What is the recommended approach?

Exam-Like

Configure the bastion host with OS Login enabled and allow connection to port 5601 at VPC firewall. Log in to the bastion host from the Google Cloud console by using SSH-in-browser and then to the web application.

Modify the VPC routing with the default route point to the default internet gateway. Modify the VPC Firewall rule to allow access from the internet 0.0.0.0/0 to port 5601 on the application instance.

Configure Secure Shell Access (SSH) bastion host in a public network, and allow only the bastion host to connect to the application on port 5601. Use a bastion host as a jump host to connect to the application.

Configure an HTTP Load Balancing instance that points to the managed group with Identity-Aware Proxy (IAP) protection with Google credentials. Modify the VPC firewall to allow access from IAP network range.

Google Professional Cloud Security Engineer

Get started today

Comments