
Professional Cloud Architect Exam - Question 133


You have deployed several instances on Compute Engine. As a security requirement, instances cannot have a public IP address. There is no VPN connection between Google Cloud and your office, and you need to connect via SSH into a specific machine without violating the security requirements. What should you do?

Correct Answer: C

To reach a Compute Engine instance that has no public IP address, with no VPN between your office and Google Cloud, use Identity-Aware Proxy (IAP) TCP forwarding. IAP wraps the SSH session in an HTTPS tunnel that terminates at Google's proxy, so the instance only needs an internal IP and is never reachable from the internet directly. Three things must be in place: the user needs the IAP-secured Tunnel User role (roles/iap.tunnelResourceAccessor) on the instance or project; a VPC firewall rule must allow ingress on TCP port 22 from IAP's TCP forwarding source range, 35.235.240.0/20, and from nothing broader, or the rule would undo the security requirement; and the client then connects with the gcloud command-line tool's SSH command using its --tunnel-through-iap flag (gcloud also falls back to the IAP tunnel automatically when the instance has no external IP). IAP checks IAM on every connection, so access can be granted and revoked per user without touching the VM. A bastion host does not satisfy the scenario: to be reachable from the office it would need a public IP, which violates the requirement, and without a VPN there is no private path to a bastion that has only an internal IP.

Discussion

17 comments
TotoroChina (Option: C)
Jul 1, 2021

Answer is C. https://cloud.google.com/iap/docs/using-tcp-forwarding#tunneling_with_ssh

meh009
Oct 13, 2021

100% Agree. I use IAP all the time which allows me to reduce exposure to VM from public internet. Ans is C

mikesp
Oct 24, 2021

Agree too. Bastion host violates security requirements because it has a public IP :)

ShadowLord
Aug 20, 2022

https://cloud.google.com/iap/docs/using-tcp-forwarding#tunneling_with_ssh "IAP TCP forwarding allows you to establish an encrypted tunnel over which you can forward SSH, RDP, and other traffic to VM instances". But Option C says "SSH from IAP", which is not true.

ank82 (Option: D)
Jul 10, 2021

And D seems correct; a bastion host is specifically used for this purpose. Using option C, the user can connect through the cloud only. By using a bastion host, you can connect to a VM that does not have an external IP address. This approach allows you to connect to a development environment or manage the database instance for your external application, for example, without configuring additional firewall rules. https://cloud.google.com/solutions/connecting-securely

eascen
Oct 9, 2021

Except the policy is that no machines can have public IPs, so how do you connect to the bastion?

elainexs
Jun 3, 2022

It's never mentioned that there's no public IP in all GCP services; it just said instances have no public IP, which is very normal. That's why bastion inward, and NAT outward.

learner311
Apr 14, 2022

C. No network connection between office and cloud, so you can't use a bastion. What C fails to say or specify is whether you are using gcloud in Cloud Shell or you downloaded the SDK locally. Dumb question without clarification. Assuming silly test writers conflate gcloud with always being used in Cloud Shell: so you are in Cloud Shell, you have internal access since the shell resides inside the VPC network with all perms.

orest
Jul 22, 2022

"There is no VPN connection between Google Cloud and your office". If there were no network connection between the office and the cloud, you could not use any Google services.

ShadowLord
Aug 20, 2022

But you can always SSH to a bastion host from the internet, as ports are usually open. https://cloud.google.com/iap/docs/using-tcp-forwarding#tunneling_with_ssh "IAP TCP forwarding allows you to establish an encrypted tunnel over which you can forward SSH, RDP, and other traffic to VM instances". It is traffic forwarding. But Option C says "SSH from IAP", which is not true.

turbo8p
Nov 13, 2022

If you're looking for word precision then: Option C says "Use the gcloud command line tool to ssh into the instance." So I think C is still correct.

[Removed]
Aug 24, 2023

Question states: "As a security requirement, instances cannot have a public IP address" If you install a Public IP on the GCE Bastion host you violate the security requirement. If you install a Private IP on the GCE bastion host you need a private route (e.g. VPN) or NAT to it. The question scenario seems specific to point to the IAP SSH tunnel feature.

VarunGo (Option: C)
Mar 7, 2023

As per ChatGPT, the answer is C. Identity-Aware Proxy (IAP) is a Google Cloud service that provides secure access to VM instances without exposing them to the internet. It allows you to establish a secure SSH connection to a VM instance via the Google Cloud Console or the gcloud command-line tool, using OAuth 2.0-based authentication and authorization. With IAP, you can set up secure, encrypted tunnels to your VM instances, without the need for a VPN or an external bastion host. By configuring IAP for the instance and ensuring that you have the IAP-secured Tunnel User role, you can securely access the instance using the gcloud command-line tool to SSH into the instance, without violating the security requirements.

Atanu (Option: D)
May 30, 2023

The bastion host service is specifically designed for this purpose. No need to over-engineer too much here.

BiddlyBdoyng (Option: D)
Jun 10, 2023

I think it's bastion host. In my org (large blue chip) all connections are via a bastion host to provide a single point of audit and control.

kapa900
Jun 25, 2023

Instances cannot have a public IP; a bastion host will still need one.

stock28_CA
Feb 26, 2023

There is a new question that is very similar to this one. Two subnets in the GCP cloud: A has a public IP and B ONLY has a private IP. How does B reach out to external resources on the public internet?

jlambdan (Option: C)
Mar 31, 2023

https://cloud.google.com/iap/docs/using-tcp-forwarding

mraza (Option: D)
May 4, 2023

As per ChatGPT: Since instances cannot have a public IP address, the best option is to use a bastion host to access the instance securely. Therefore, option D is the correct choice. Here's what you would do: Create a new instance that will serve as a bastion host. Assign it a static IP address. Configure the firewall rules for the bastion host to allow incoming SSH traffic from your office location. Connect to the bastion host via SSH from your office location. Once connected to the bastion host, use SSH to connect to the desired instance on the same network. This way, you can securely access the instance without violating the security requirements.

smlabonia (Option: C)
Sep 12, 2023

C is the correct answer in this case. Question quote: "There is no VPN connection between Google Cloud and your office". Answer D: "...from your office location...". The only way to achieve this with a bastion host is giving it a public IP, at least in this case.

thewalker (Option: C)
Nov 14, 2023

As per the documentation, https://cloud.google.com/iap/docs/tcp-forwarding-overview/, the option is C.

Wiss7 (Option: C)
Dec 15, 2023

C is ok

convers39 (Option: C)
Jan 11, 2024

For D, "Create a bastion host in the network to SSH into the bastion host from your office location. From the bastion host, SSH into the desired instance." How could you SSH into the bastion host? None of the VMs have a public IP.

hzaoui (Option: C)
Jan 24, 2024

C is the best answer

mesodan (Option: C)
Mar 4, 2024

C is correct: IAP offers a secure and controlled way to access internal instances without assigning them public IP addresses. It uses IAM permissions to restrict access only to authorized users and provides a temporary connection tunnel for SSH access using the gcloud command-line tool.

a53fd2c (Option: D)
Apr 9, 2024

Answer is D. Wrong user mentioned on C. Step 6: Test IAP. To test that IAP is working correctly, follow the steps below: In your web browser, navigate to your domain. If you see "Unauthorized request", try again in a few minutes. When you see a Google sign-in screen, sign in using the Google Account you gave access to in the previous step. You should see a message like "Hi, user@example.com. I am my-managed-instance-group-29z6." Try refreshing the page. Your browser should show the names of the 3 machines in your managed instance group. This is the load balancer distributing traffic across the VMs in the group.

ccpmad
Jun 8, 2024

You are wrong, study IAP first. It is C.

a53fd2c (Option: D)
Apr 9, 2024

https://cloud.google.com/iap/docs/tutorial-gce Answer is D. For C to be correct it should mention the IAP-secured Web App User role, not the one listed in the question, which is wrong.

Gino17m (Option: C)
Apr 25, 2024

According to https://cloud.google.com/solutions/connecting-securely: "Using SSH with IAP's TCP forwarding feature wraps an SSH connection inside HTTPS. IAP's TCP forwarding feature then sends it to the remote VM." So is it an SSH or an HTTP connection? Very tricky question...