Google Cloud Associate Cloud Engineer — Question 236
You have deployed an application on a Compute Engine instance. An external consultant needs to access the Linux-based instance. The consultant is connected to your corporate network through a VPN connection, but the consultant has no Google account. What should you do?
Answer options
- A. Instruct the external consultant to use the gcloud compute ssh command line tool by using Identity-Aware Proxy to access the instance.
- B. Instruct the external consultant to use the gcloud compute ssh command line tool by using the public IP address of the instance to access it.
- C. Instruct the external consultant to generate an SSH key pair, and request the public key from the consultant. Add the public key to the instance yourself, and have the consultant access the instance through SSH with their private key.
- D. Instruct the external consultant to generate an SSH key pair, and request the private key from the consultant. Add the private key to the instance yourself, and have the consultant access the instance through SSH with their public key.
Correct answer: C
Explanation
Option C is correct: the consultant generates an SSH key pair and gives you only the public key, you add that public key to the instance, and the consultant connects over SSH with their private key, which allows secure access. Option A is incorrect because Identity-Aware Proxy requires a Google account. Option B is wrong because using a public IP for SSH access without proper key management is less secure. Option D is incorrect because sharing a private key is a security risk and is not how SSH is designed to work.