
Answer-first summary for fast verification
Answer: Configure an HTTP Load Balancing instance that points to the managed group with Identity-Aware Proxy (IAP) protection with Google credentials. Modify the VPC firewall to allow access from the IAP network range.
Option D is the correct answer because it uses Identity-Aware Proxy (IAP) with an HTTP Load Balancer, which provides secure authentication and authorization using Google credentials without exposing the VM directly to the internet. IAP verifies user identity before allowing access, and the load balancer handles traffic distribution securely. The VPC firewall rule is modified to allow access only from the IAP network range, enhancing security.
Option A uses a bastion host with OS Login, but it does not enforce Google credential authentication for the web application itself and may expose the application less securely.
Option B exposes the application directly to the internet (0.0.0.0/0), which is insecure and does not enforce Google credential-based authentication.
Option C uses a bastion host as a jump host but lacks built-in Google credential authentication for the web application, making it less suitable for the requirement.
The community discussion shows a strong consensus for D (80% of votes), with upvoted comments emphasizing IAP's authentication benefits and secure access without internet exposure for the VM.
Author: LeetQuiz Editorial Team
You have an administrative application running on port 5601 within a VM in a managed instance group. The VM resides in a Google Cloud VPC and currently has no internet access. You need to securely expose the web interface on port 5601 to users, requiring them to authenticate with their Google credentials.
What is the recommended approach?
A
Configure the bastion host with OS Login enabled and allow connections to port 5601 in the VPC firewall. Log in to the bastion host from the Google Cloud console by using SSH-in-browser and then to the web application.
B
Modify the VPC routing so that the default route points to the default internet gateway. Modify the VPC firewall rule to allow access from the internet (0.0.0.0/0) to port 5601 on the application instance.
C
Configure a Secure Shell Access (SSH) bastion host in a public network, and allow only the bastion host to connect to the application on port 5601. Use the bastion host as a jump host to connect to the application.
D
Configure an HTTP Load Balancing instance that points to the managed group with Identity-Aware Proxy (IAP) protection with Google credentials. Modify the VPC firewall to allow access from the IAP network range.