Exam Professional Cloud Architect topic 1 question 133 discussion

Answer is C. https://cloud.google.com/iap/docs/using-tcp-forwarding#tunneling_with_ssh

And D seems correct, bastion host is specifically used for this purpose, using option C user can connect through cloud only. By using a bastion host, you can connect to an VM that does not have an external IP address. This approach allows you to connect to a development environment or manage the database instance for your external application, for example, without configuring additional firewall rules. https://cloud.google.com/solutions/connecting-securely

C is the answer. D also works as a solution but it's not using GCP native features when available. Since it's a test about GCP, always go with the answer that uses GCP services.

According to https://cloud.google.com/solutions/connecting-securely : "Using SSH with IAP's TCP forwarding feature wraps an SSH connection inside HTTPS. IAP's TCP forwarding feature then sends it to the remote VM." So is it ssh or http connection ? Very tricky question.....

https://cloud.google.com/iap/docs/tutorial-gce Answer is D. For C to be corrected it should mention the IAP-secured Web App User role. No the one listed on the question which is wrong

Answer is D. Wrong user mentioned on C Step 6: Test IAP To test that IAP is working correctly, follow the steps below: In your web browser, navigate to your domain. If you see "Unauthorized request", try again in a few minutes. When you see a Google sign-in screen, sign in using the Google Account you gave access to in the previous step. You should see a message like "Hi, [email protected]. I am my-managed-instance-group-29z6." Try refreshing the page. Your browser should show the names of the 3 machines in your managed instance group. This is the load balancer distributing traffic across the VMs in the group.

C is correct: IAP offers a secure and controlled way to access internal instances without assigning them public IP addresses. It uses IAM permissions to restrict access only to authorized users and provides a temporary connection tunnel for SSH access using the gcloud command-line tool.

C is the best answer

For D, Create a bastion host in the network to SSH into the bastion host from your office location. From the bastion host, SSH into the desired instance. How could you SSH into the bastion host? All VMs do not have public IP

C is ok

As per the documentation, https://cloud.google.com/iap/docs/tcp-forwarding-overview/ The option is C

C is the correct answer in this case. Question quote "There is no VPN connection between Google Cloud and your office" Answer D "...from your office location..." The only way to achieve this with Bastion Host is giving it a Public IP. At least in this case.

I think it's Bastion host. In my org (large bluechip) all connections are via bastion host to provide a single point of audit and control.

Bastion host service is specifically designed for this purpose. No need to do over-engineering too much here.

As per ChatGPT: Since instances cannot have a public IP address, the best option is to use a bastion host to access the instance securely. Therefore, option D is the correct choice. Here's what you would do: Create a new instance that will serve as a bastion host. Assign it a static IP address. Configure the firewall rules for the bastion host to allow incoming SSH traffic from your office location. Connect to the bastion host via SSH from your office location. Once connected to the bastion host, use SSH to connect to the desired instance on the same network. This way, you can securely access the instance without violating the security requirements.

https://cloud.google.com/iap/docs/using-tcp-forwarding

As per chatGPT answer is C. Identity-Aware Proxy (IAP) is a Google Cloud service that provides secure access to VM instances without exposing them to the internet. It allows you to establish a secure SSH connection to a VM instance via the Google Cloud Console or the gcloud command-line tool, using OAuth 2.0-based authentication and authorization. With IAP, you can set up secure, encrypted tunnels to your VM instances, without the need for a VPN or an external bastion host. By configuring IAP for the instance and ensuring that you have the IAP-secured Tunnel User role, you can securely access the instance using the gcloud command-line tool to SSH into the instance, without violating the security requirements.