Exam Professional Cloud Developer topic 1 question 101 discussion

Option D: The Best Practice Security: Using a bastion host with a public IP address provides a secure jump point. Your web servers remain behind a firewall with private IP addresses, making them less vulnerable to direct attacks. Scalability: Bastion hosts can be easily scaled and managed, allowing you to control access to your web server instances. SSH Access: You can securely SSH into the bastion host and then tunnel to your web server instances.

VM can only connect through IAM with public IP so C wouldn't work bastion host is one of options instead - https://cloud.google.com/compute/docs/connect/ssh-internal-ip

C is correct

i go for C https://cloud.google.com/compute/docs/connect/ssh-using-iap IAP TCP forwarding enables you to establish an encrypted tunnel over which you can forward SSH connections to VMs. When you connect to a VM that uses IAP, IAP wraps the SSH connection inside HTTPS before forwarding the connection to the VM. Then, IAP checks if the you have the required IAM permissions and if you do, grants access to the VM. If you need to connect to a VM that doesn't have external IP addresses and you can't use IAP, review the other methods listed in Connection options for internal-only VMs.

i would choose C: https://medium.com/@larry_nguyen/use-identity-aware-proxy-iap-instead-of-bastion-host-to-connect-to-private-virtual-machines-in-9885bc7c12dd

D. is a recommended way to configure the instances while following Google-recommended best practices. This approach provides several benefits: The web server instances are only accessible through the load balancer and not directly via their private IP addresses, which improves security. The bastion host acts as a secure jump box that allows you to SSH into the web server instances, while only allowing incoming SSH connections on a specific IP address (the bastion host's public IP). The firewall rules on the web server instances can be configured to only allow connections from the bastion host's IP, further reducing the attack surface. It is a more recommended to have a bastion host that is authorized by your organization to connect to private instances this way it can provide a better security to your instances. And also in terms of compliance, it will also follow the best practices of your organization.

C is the answer. https://cloud.google.com/iap

https://cloud.google.com/solutions/connecting-securely#storing_host_keys_by_enabling_guest_attributes Answer C

C is correct

I feel both C and D are correct for this scenario. The only reason I would go with option C is that it would be easier to set up than setting up a bastion host.

With TCP forwarding, IAP can protect SSH and RDP access to your VMs hosted on Google Cloud. Your VM instances don't even need public IP addresses. https://cloud.google.com/iap

C is my answer, guys

D should be the answer (https://cloud.google.com/solutions/connecting-securely#external) But the bastion host should also be protected by IAP

C should be correct (https://cloud.google.com/iap/docs/using-tcp-forwarding#tunneling_ssh_connections)

Ans is D

I vote C