Exam Professional Cloud Architect topic 1 question 133 discussion

Answer is C. https://cloud.google.com/iap/docs/using-tcp-forwarding#tunneling_with_ssh

And D seems correct, bastion host is specifically used for this purpose, using option C user can connect through cloud only. By using a bastion host, you can connect to an VM that does not have an external IP address. This approach allows you to connect to a development environment or manage the database instance for your external application, for example, without configuring additional firewall rules. https://cloud.google.com/solutions/connecting-securely

statement says no instance have an external ip, so the bastion host its an instance hence the only possible answer is C. Just in case, bastion host its a valid method to connect to VMs without external up addresses Connecting to VMs without external IP address When VMs do not have external IP addresses (including VMs that are backends for HTTPS and SSL proxy load balancers) they can only be reached by the following: Other VMs on the network Identity-Aware Proxy's TCP forwarding feature The metadata server Google Cloud SDK Managed VPN gateway https://cloud.google.com/solutions/connecting-securely#cloud_iap

Once there is no vpn and you have to use ssh identity aware proxy;

C is the answer. D also works as a solution but it's not using GCP native features when available. Since it's a test about GCP, always go with the answer that uses GCP services.

According to https://cloud.google.com/solutions/connecting-securely : "Using SSH with IAP's TCP forwarding feature wraps an SSH connection inside HTTPS. IAP's TCP forwarding feature then sends it to the remote VM." So is it ssh or http connection ? Very tricky question.....

https://cloud.google.com/iap/docs/tutorial-gce Answer is D. For C to be corrected it should mention the IAP-secured Web App User role. No the one listed on the question which is wrong

Answer is D. Wrong user mentioned on C Step 6: Test IAP To test that IAP is working correctly, follow the steps below: In your web browser, navigate to your domain. If you see "Unauthorized request", try again in a few minutes. When you see a Google sign-in screen, sign in using the Google Account you gave access to in the previous step. You should see a message like "Hi, [email protected]. I am my-managed-instance-group-29z6." Try refreshing the page. Your browser should show the names of the 3 machines in your managed instance group. This is the load balancer distributing traffic across the VMs in the group.

C is correct: IAP offers a secure and controlled way to access internal instances without assigning them public IP addresses. It uses IAM permissions to restrict access only to authorized users and provides a temporary connection tunnel for SSH access using the gcloud command-line tool.

C is the best answer

For D, Create a bastion host in the network to SSH into the bastion host from your office location. From the bastion host, SSH into the desired instance. How could you SSH into the bastion host? All VMs do not have public IP

C is ok

As per the documentation, https://cloud.google.com/iap/docs/tcp-forwarding-overview/ The option is C

C is the correct answer in this case. Question quote "There is no VPN connection between Google Cloud and your office" Answer D "...from your office location..." The only way to achieve this with Bastion Host is giving it a Public IP. At least in this case.

I think it's Bastion host. In my org (large bluechip) all connections are via bastion host to provide a single point of audit and control.

Bastion host service is specifically designed for this purpose. No need to do over-engineering too much here.

As per ChatGPT: Since instances cannot have a public IP address, the best option is to use a bastion host to access the instance securely. Therefore, option D is the correct choice. Here's what you would do: Create a new instance that will serve as a bastion host. Assign it a static IP address. Configure the firewall rules for the bastion host to allow incoming SSH traffic from your office location. Connect to the bastion host via SSH from your office location. Once connected to the bastion host, use SSH to connect to the desired instance on the same network. This way, you can securely access the instance without violating the security requirements.