Google Cloud Professional Cloud Developer — Question 120

You are developing a web application that will be accessible over both HTTP and HTTPS and will run on Compute Engine instances. On occasion, you will need to SSH from your remote laptop into one of the Compute Engine instances to conduct maintenance on the app. How should you configure the instances while following Google-recommended best practices?

Answer options

• A. Set up a backend with Compute Engine web server instances with a private IP address behind a TCP proxy load balancer.
• B. Configure the firewall rules to allow all ingress traffic to connect to the Compute Engine web servers, with each server having a unique external IP address.
• C. Configure Cloud Identity-Aware Proxy API for SSH access. Then configure the Compute Engine servers with private IP addresses behind an HTTP(s) load balancer for the application web traffic.
• D. Set up a backend with Compute Engine web server instances with a private IP address behind an HTTP(S) load balancer. Set up a bastion host with a public IP address and open firewall ports. Connect to the web instances using the bastion host.

Correct answer: C

Explanation

The correct answer, C, ensures secure SSH access through Cloud Identity-Aware Proxy while maintaining private IPs for the Compute Engine servers, which is a best practice for security. Option A does not address SSH access, option B exposes the servers unnecessarily by allowing all ingress traffic, and option D complicates the setup by introducing a bastion host when not needed for this scenario.