
Answer-first summary for fast verification
Answer: Configure Identity-Aware Proxy (IAP) for the instance and ensure that you have the role of IAP-secured Tunnel User. Use the gcloud command line tool to ssh into the instance.
The correct answer is C because it uses Identity-Aware Proxy (IAP) TCP forwarding, which provides secure SSH access without requiring any instances to have public IP addresses, aligning with the security requirement. IAP establishes an encrypted tunnel through Google's infrastructure, leveraging IAM for authentication (IAP-secured Tunnel User role) and authorization, and allows SSH via the gcloud command-line tool. This method avoids exposing instances to the public internet and is a Google Cloud best practice. Option D (bastion host) is incorrect because it typically requires a public IP for the bastion instance to be accessible from the office, violating the 'no public IP' policy. Options A and B are unsuitable: A (Cloud NAT) only handles egress traffic, not inbound SSH, and B (TCP Proxy Load Balancing) distributes traffic but does not enable direct SSH to a specific instance. The community discussion, with 74% favoring C and high upvotes for comments supporting IAP, reinforces this as the optimal choice based on security and GCP native features.
Author: LeetQuiz Editorial Team
You have deployed multiple Compute Engine instances that cannot have public IP addresses due to security requirements. There is no VPN connection between Google Cloud and your office. How can you establish an SSH connection to a specific instance without violating the security policy?
A. Configure Cloud NAT on the subnet where the instance is hosted. Create an SSH connection to the Cloud NAT IP address to reach the instance.
B. Add all instances to an unmanaged instance group. Configure TCP Proxy Load Balancing with the instance group as a backend. Connect to the instance using the TCP Proxy IP.
C. Configure Identity-Aware Proxy (IAP) for the instance and ensure that you have the role of IAP-secured Tunnel User. Use the gcloud command line tool to ssh into the instance.
D. Create a bastion host in the network to SSH into the bastion host from your office location. From the bastion host, SSH into the desired instance.
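The three steps behind option C, as an added example that is not part of the original question page: open port 22 only to Google's published IAP TCP-forwarding range (35.235.240.0/20), grant the IAP-secured Tunnel User role (roles/iap.tunnelResourceAccessor), then SSH with `gcloud compute ssh --tunnel-through-iap`. The project, zone, instance and user values are placeholders; the script prints the commands instead of running them when gcloud is not installed or DRY_RUN=1.

```shell
#!/bin/sh
# Added example, not the page's own content. Placeholder values below are
# assumptions; override them via the environment.
set -eu

PROJECT="${PROJECT:-example-project}"      # placeholder project id
ZONE="${ZONE:-us-central1-a}"              # placeholder zone
INSTANCE="${INSTANCE:-private-vm-1}"       # placeholder VM without a public IP
USER_EMAIL="${USER_EMAIL:-alice@example.com}"  # placeholder principal
IAP_RANGE="35.235.240.0/20"                # Google's IAP TCP-forwarding source range

# Refuse any SSH ingress rule whose source is wider than the IAP proxy range;
# a rule from 0.0.0.0/0 would reintroduce the exposure the policy forbids.
assert_iap_only() {
  case "$1" in
    "$IAP_RANGE") return 0 ;;
    *) echo "refusing: SSH source range must be $IAP_RANGE, got $1" >&2; return 1 ;;
  esac
}

# Step 1: firewall rule admitting tcp/22 only from the IAP range.
firewall_rule_cmd() {
  assert_iap_only "$IAP_RANGE"
  printf '%s' "gcloud compute firewall-rules create allow-ssh-from-iap --project=$PROJECT --direction=INGRESS --action=allow --rules=tcp:22 --source-ranges=$IAP_RANGE"
}

# Step 2: IAM binding so the user may open IAP tunnels in this project.
grant_role_cmd() {
  printf '%s' "gcloud projects add-iam-policy-binding $PROJECT --member=user:$USER_EMAIL --role=roles/iap.tunnelResourceAccessor"
}

# Step 3: SSH through the IAP tunnel; the VM needs no external address.
ssh_cmd() {
  printf '%s' "gcloud compute ssh $INSTANCE --project=$PROJECT --zone=$ZONE --tunnel-through-iap"
}

# Execute a command string, or print it when dry-running or gcloud is absent.
run() {
  if [ "${DRY_RUN:-0}" = 1 ] || ! command -v gcloud >/dev/null 2>&1; then
    echo "[dry-run] $1"
  else
    eval "$1"
  fi
}

run "$(firewall_rule_cmd)"
run "$(grant_role_cmd)"
run "$(ssh_cmd)"
```

Audit tip: an existing rule can be checked the same way by feeding its source range to `assert_iap_only`.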