Google Cloud Professional Cloud Architect — Question 136
You have deployed several instances on Compute Engine. As a security requirement, instances cannot have a public IP address. There is no VPN connection between Google Cloud and your office, and you need to connect via SSH into a specific machine without violating the security requirements. What should you do?
Answer options
- A. Configure Cloud NAT on the subnet where the instance is hosted. Create an SSH connection to the Cloud NAT IP address to reach the instance.
- B. Add all instances to an unmanaged instance group. Configure TCP Proxy Load Balancing with the instance group as a backend. Connect to the instance using the TCP Proxy IP.
- C. Configure Identity-Aware Proxy (IAP) for the instance and ensure that you have the role of IAP-secured Tunnel User. Use the gcloud command line tool to ssh into the instance.
- D. Create a bastion host in the network to SSH into the bastion host from your office location. From the bastion host, SSH into the desired instance.
Correct answer: C
Explanation
The correct answer is C. Identity-Aware Proxy TCP forwarding lets an authorized user open an SSH session to a VM that has no external IP: the client authenticates to Google with its identity, IAP checks that the caller holds the IAP-secured Tunnel User role (roles/iap.tunnelResourceAccessor) on the instance, and then relays the TCP connection to the VM's internal IP. Two things must be in place: the caller needs that IAM role, and a VPC firewall rule must allow ingress on TCP port 22 from the IAP forwarding range 35.235.240.0/20 (and only from that range, not 0.0.0.0/0). With those in place, `gcloud compute ssh INSTANCE --tunnel-through-iap` connects without any public IP on the instance and without a VPN. Option A is incorrect because Cloud NAT is egress-only; it provides outbound internet access for instances without external IPs and accepts no inbound connections, so there is no NAT address you can SSH to. Option B is incorrect because TCP Proxy Load Balancing is an external load balancer for a pool of backends: it puts a public frontend in front of the instances, spreads connections across the group, and gives you no way to pick the specific machine you need to reach. Option D does not satisfy the requirement: with no VPN, the bastion would itself need a public IP to be reachable from the office, which is exactly what the security requirement forbids, and it adds a host to patch and monitor when IAP already provides identity-checked access directly to the target.
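The following script is an added worked example of option C, not part of the exam question or its published explanation. It lays out the three pieces the answer depends on (the firewall rule scoped to the IAP range, the IAM binding for the tunnel role, and the tunnelled `gcloud compute ssh`) plus a check that the target really has no external IP. The project, zone, instance name, network tag and principal are hypothetical placeholders; by default it only prints the gcloud commands so they can be reviewed before running them with DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example (not from the exam page): SSH into a Compute Engine VM that has no
# external IP by tunnelling through Identity-Aware Proxy. All names are hypothetical.
set -eu

PROJECT="${PROJECT:-my-project}"            # hypothetical project ID
ZONE="${ZONE:-us-central1-a}"
INSTANCE="${INSTANCE:-app-vm-1}"            # hypothetical target VM
NETWORK="${NETWORK:-default}"
PRINCIPAL="${PRINCIPAL:-user:alice@example.com}"   # who may open IAP tunnels
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print the commands, 0 = execute them

# IAP TCP forwarding reaches the VM from this Google-owned range. The firewall rule
# admits tcp:22 from it and from nothing else; 0.0.0.0/0 is never used.
IAP_RANGE="35.235.240.0/20"
TUNNEL_ROLE="roles/iap.tunnelResourceAccessor"   # "IAP-secured Tunnel User"
IAP_TAG="iap-ssh"                                # network tag selecting the VMs

# Each *_cmd function returns its gcloud command line as a string so the full
# procedure can be reviewed (or asserted on) before anything is executed.
firewall_cmd() {
  printf '%s' "gcloud compute firewall-rules create allow-ssh-from-iap" \
    " --project=$PROJECT --network=$NETWORK --direction=INGRESS --action=ALLOW" \
    " --rules=tcp:22 --source-ranges=$IAP_RANGE --target-tags=$IAP_TAG"
}

tag_cmd() {
  printf '%s' "gcloud compute instances add-tags $INSTANCE" \
    " --project=$PROJECT --zone=$ZONE --tags=$IAP_TAG"
}

iam_cmd() {
  printf '%s' "gcloud projects add-iam-policy-binding $PROJECT" \
    " --member=$PRINCIPAL --role=$TUNNEL_ROLE"
}

# Verifies the security requirement: the command prints an empty line when the
# first NIC has no external (NAT) IP attached.
check_no_public_ip_cmd() {
  printf '%s' "gcloud compute instances describe $INSTANCE --project=$PROJECT --zone=$ZONE" \
    " --format='value(networkInterfaces[0].accessConfigs[0].natIP)'"
}

# The actual connection: gcloud opens the IAP tunnel and runs ssh over it, so the
# client never needs a route to the VM's private address.
ssh_cmd() {
  printf '%s' "gcloud compute ssh $INSTANCE --project=$PROJECT --zone=$ZONE --tunnel-through-iap"
}

# Runs (or, in dry-run mode, prints) one command string. The strings are built only
# from operator-supplied variables above, which is why eval is acceptable here.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$1"
  else
    eval "$1"
  fi
}

run "$(firewall_cmd)"
run "$(tag_cmd)"
run "$(iam_cmd)"
run "$(check_no_public_ip_cmd)"
run "$(ssh_cmd)"
```

The firewall rule is the part most often forgotten: without ingress from 35.235.240.0/20 on port 22, the IAM grant is in place but the tunnel times out, and the tempting fix of opening 22 to 0.0.0.0/0 recreates the exposure the requirement was meant to avoid.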