
Answer-first summary for fast verification
Answer: Implement Identity-Aware Proxy TCP forwarding for the bastion host.
The question requires removing the bastion host's public IP address while maintaining remote access for SREs from public locations. Identity-Aware Proxy (IAP) TCP forwarding (Option C) is the optimal solution because it allows secure SSH access without exposing the bastion host directly to the internet. IAP acts as a managed proxy, authenticating users via Google Cloud Identity and forwarding authorized TCP traffic to internal resources, eliminating the need for public IPs. This directly addresses the security requirement of reducing the external attack surface.

Option A (Cloud VPN) would require maintaining public IPs or complex VPN setups, not removing them. Option B (OS Login with 2FA) enhances authentication but doesn't remove the public IP requirement. Option D (Cloud Armor) provides DDoS protection but still requires a public IP, failing to reduce the attack surface as requested.

The community discussion shows 100% consensus on Option C, with detailed explanations confirming IAP TCP forwarding is the correct approach for this scenario.
Author: LeetQuiz Editorial Team
You need to reduce the external attack surface of a Linux bastion host by removing its public IP address, while still allowing Site Reliability Engineers (SREs) to access it from public locations to reach the internal VPC. How should you provide this access?
A. Implement Cloud VPN for the region where the bastion host lives.
B. Implement OS Login with 2-step verification for the bastion host.
C. Implement Identity-Aware Proxy TCP forwarding for the bastion host.
D. Implement Google Cloud Armor in front of the bastion host.