Your team is using Linux instances on Google Cloud. You need to ensure that your team logs in to these instances in the most secure and cost efficient way. What should you do?
A. Attach a public IP to the instances and allow incoming connections from the internet on port 22 for SSH.
B. Use the gcloud compute ssh command with the --tunnel-through-iap flag. Allow ingress traffic from the IP range 35.235.240.0/20 on port 22.
C. Use a third party tool to provide remote access to the instances.
D. Create a bastion host with public internet access. Create the SSH tunnel to the instance through the bastion host.
According to Gemini: In Google Cloud Platform (GCP), Identity-Aware Proxy (IAP) is a more secure alternative to bastion hosts for accessing private resources. IAP encrypts SSH connections end-to-end, so it can't inspect the contents of the session. IAP also provides access controls to reduce the risk of unauthorized access and data breaches. https://cloud.google.com/compute/docs/connect/ssh-best-practices/network-access#use-a-bastion-host
Why are the others not correct?
Bastion Host: While a bastion host can provide remote access, it introduces additional complexity and potential security risks.
Third-Party Tools: Using third-party tools may add costs and introduce dependencies.
One general question: in most cases the answer provided for each question on Exam Topic differs from the answer that comes out of the discussion.
Just worried, since I'm appearing for the ACE exam: should we go with the answers the group of people chooses (the answer with the highest percentage of votes)?
You can use a bastion if:
"You have a specific use case, like session recording, and you can't use IAP."
https://cloud.google.com/compute/docs/connect/ssh-internal-ip
Thanks for that link, but I think it is C. Although I totally agree that bastion comes 2nd in that table, there is no way all the users would have IPs within this range, 35.235.240.0/20!
"allows ingress traffic from the IP range `35.235.240.0/20`. This range contains all IP addresses that IAP uses for TCP forwarding"
https://cloud.google.com/iap/docs/using-tcp-forwarding#create-firewall-rule
But the question states "You need to ensure that your team logs in to these instances in the most secure and cost efficient way"
Bastion is more secure than IAP, but I'm not sure it is more cost effective...
Hard to choose
Understood about IAP being a secure way to SSH but where did the "Allow ingress traffic from the IP range 35.235.240.0/20 on port 22." come from and how does that fit in? The question had no details about it and the IP range seemed to come out of nowhere.
35.235.240.0/20 is the IP range of Cloud IAP for TCP forwarding; we need to allow ingress as in the guideline below:
https://cloud.google.com/iap/docs/using-tcp-forwarding#preparing_your_project_for_tcp_forwarding
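The setup behind option B, as an added example that is not part of the original thread or of Google's documentation: the firewall rule that admits only IAP's TCP-forwarding range on tcp/22, the IAM role each team member needs before IAP will open a tunnel, and the `gcloud compute ssh --tunnel-through-iap` call. The project, zone, instance, member, network name ("default"), target tag ("iap-ssh") and the sshd log lines are constructed placeholders. The last function addresses the confusion raised above: your users' own IPs are never inside 35.235.240.0/20; that range is where IAP's forwarded TCP connections arrive from, so on a VM set up this way every accepted SSH session should show an IAP source address, and any other source means port 22 is reachable by some other path.

```shell
#!/usr/bin/env bash
# Added example for this thread (not the exam's, Google's or any project's own code).
# PROJECT/ZONE/INSTANCE/member values, the network "default", the tag "iap-ssh" and
# the sample sshd lines are constructed placeholders.
set -eu

IAP_RANGE="35.235.240.0/20"   # source range Google publishes for IAP TCP forwarding

# Dotted-quad IPv4 -> 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: exit 0 if IP falls inside CIDR, 1 otherwise.
in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/} mask
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Print each gcloud step; with APPLY=1 in the environment, execute it instead.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# The four steps of option B for one VM that has no public IP.
iap_ssh_setup() {
  local project=$1 zone=$2 instance=$3 member=$4
  # 1. Firewall: only IAP's range may reach tcp/22 on VMs carrying the tag.
  run gcloud compute firewall-rules create allow-ssh-from-iap \
      --project="$project" --network=default --direction=INGRESS --action=ALLOW \
      --rules=tcp:22 --source-ranges="$IAP_RANGE" --target-tags=iap-ssh
  # 2. Tag the VM so the rule applies to it.
  run gcloud compute instances add-tags "$instance" \
      --project="$project" --zone="$zone" --tags=iap-ssh
  # 3. Per-user authorization: IAP checks this role before opening a tunnel.
  run gcloud projects add-iam-policy-binding "$project" \
      --member="$member" --role=roles/iap.tunnelResourceAccessor
  # 4. Connect; the SSH TCP stream reaches the VM from IAP's range, not from the user's IP.
  run gcloud compute ssh "$instance" --project="$project" --zone="$zone" --tunnel-through-iap
}

# Constructed sshd auth log lines for the check below.
SAMPLE_AUTH_LOG='
sshd[1201]: Accepted publickey for alice from 35.235.241.17 port 40210 ssh2: ED25519
sshd[1202]: Accepted publickey for bob from 35.235.250.3 port 51112 ssh2: ED25519
sshd[1203]: Accepted publickey for carol from 198.51.100.23 port 60000 ssh2: RSA
sshd[1204]: Failed password for root from 203.0.113.9 port 22 ssh2
'

# Print the source IP of every accepted login that did NOT arrive through IAP.
# With option B in place this should print nothing; a hit means tcp/22 is
# reachable by a path other than the IAP tunnel (e.g. a public IP, option A).
non_iap_logins() {
  printf '%s\n' "$SAMPLE_AUTH_LOG" \
    | sed -n 's/.*Accepted [a-z]* for [^ ]* from \([0-9.]*\) port.*/\1/p' \
    | while read -r ip; do
        in_cidr "$ip" "$IAP_RANGE" || echo "$ip"
      done
}

# Demo: print the commands (APPLY unset) and run the log check.
iap_ssh_setup my-project us-central1-a web-1 user:alice@example.com
non_iap_logins
```

Run it as-is to see the four commands; set `APPLY=1` with real values to execute them. The log check is the audit a practitioner adds after the change: once the firewall rule is the only way in, a login from an address outside 35.235.240.0/20 is a finding, not a user with an unusual IP.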