ExamTopics Logo
Mail Us[email protected]
Menu
Google Discussions
exam questions

Exam Professional Cloud Developer All Questions

View all questions & answers for the Professional Cloud Developer exam
Go to Exam

Exam Professional Cloud Developer topic 1 question 101 discussion

Actual exam question from Google's Professional Cloud Developer
Question #: 101
Topic #: 1
[All Professional Cloud Developer Questions]

You are developing a web application that will be accessible over both HTTP and HTTPS and will run on Compute Engine instances. On occasion, you will need to SSH from your remote laptop into one of the Compute Engine instances to conduct maintenance on the app. How should you configure the instances while following Google-recommended best practices?

  • A. Set up a backend with Compute Engine web server instances with a private IP address behind a TCP proxy load balancer.
  • B. Configure the firewall rules to allow all ingress traffic to connect to the Compute Engine web servers, with each server having a unique external IP address.
  • C. Configure Cloud Identity-Aware Proxy API for SSH access. Then configure the Compute Engine servers with private IP addresses behind an HTTP(s) load balancer for the application web traffic.
  • D. Set up a backend with Compute Engine web server instances with a private IP address behind an HTTP(S) load balancer. Set up a bastion host with a public IP address and open firewall ports. Connect to the web instances using the bastion host.
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
by scaenruy at Jan. 9, 2022, 6:17 p.m.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
thewalker
12 months ago
Selected Answer: D
Option D: The Best Practice Security: Using a bastion host with a public IP address provides a secure jump point. Your web servers remain behind a firewall with private IP addresses, making them less vulnerable to direct attacks. Scalability: Bastion hosts can be easily scaled and managed, allowing you to control access to your web server instances. SSH Access: You can securely SSH into the bastion host and then tunnel to your web server instances.
upvoted 1 times
thewalker
12 months ago
Option A: TCP Proxy Load Balancer Not Ideal for Web Applications: TCP load balancers are better suited for applications that use TCP protocols, not HTTP/HTTPS. SSH Access: While you could potentially use a TCP load balancer for SSH, it's not the recommended approach. Option B: Open Firewall Rules Major Security Risk: Exposing your web servers directly to the internet with public IP addresses is a significant security vulnerability. Option C: Cloud Identity-Aware Proxy (IAP) for SSH Not Designed for SSH: IAP is primarily designed for secure access to web applications, not for SSH. While you could potentially use IAP for SSH, it's not a standard or recommended practice.
upvoted 1 times
...
...
kostol
1 year, 10 months ago
Selected Answer: D
VM can only connect through IAM with public IP so C wouldn't work bastion host is one of options instead - https://cloud.google.com/compute/docs/connect/ssh-internal-ip
upvoted 1 times
wanrltw
1 year, 7 months ago
"This document describes how to connect to a virtual machine (VM) instance through its internal IP address, using Identity-Aware Proxy (IAP) TCP forwarding." https://cloud.google.com/compute/docs/connect/ssh-using-iap
upvoted 1 times
...
...
__rajan__
1 year, 10 months ago
Selected Answer: C
C is correct
upvoted 1 times
...
closer89
2 years, 2 months ago
i go for C https://cloud.google.com/compute/docs/connect/ssh-using-iap IAP TCP forwarding enables you to establish an encrypted tunnel over which you can forward SSH connections to VMs. When you connect to a VM that uses IAP, IAP wraps the SSH connection inside HTTPS before forwarding the connection to the VM. Then, IAP checks if the you have the required IAM permissions and if you do, grants access to the VM. If you need to connect to a VM that doesn't have external IP addresses and you can't use IAP, review the other methods listed in Connection options for internal-only VMs.
upvoted 1 times
closer89
2 years, 2 months ago
D is wrong. Bastion host VMs You have a specific use case, like session recording, and you can't use IAP
upvoted 1 times
...
...
Pime13
2 years, 4 months ago
Selected Answer: C
i would choose C: https://medium.com/@larry_nguyen/use-identity-aware-proxy-iap-instead-of-bastion-host-to-connect-to-private-virtual-machines-in-9885bc7c12dd
upvoted 1 times
...
omermahgoub
2 years, 6 months ago
D. is a recommended way to configure the instances while following Google-recommended best practices. This approach provides several benefits: The web server instances are only accessible through the load balancer and not directly via their private IP addresses, which improves security. The bastion host acts as a secure jump box that allows you to SSH into the web server instances, while only allowing incoming SSH connections on a specific IP address (the bastion host's public IP). The firewall rules on the web server instances can be configured to only allow connections from the bastion host's IP, further reducing the attack surface. It is a more recommended to have a bastion host that is authorized by your organization to connect to private instances this way it can provide a better security to your instances. And also in terms of compliance, it will also follow the best practices of your organization.
upvoted 3 times
omermahgoub
2 years, 6 months ago
C is a valid approach, but it may not be the best option for all use cases. Cloud IAP allows you to control access to resources in your project by using identity and access management (IAM) roles, which is a good way to secure SSH access. However, this option does not address the issue of securing incoming web traffic, which is a separate concern. Configuring the servers with private IP addresses behind an HTTP(s) load balancer would help with securing the web traffic, but it does not provide an additional layer of security for SSH access. Additionally, it does not have the concept of secure jump host, which is a security best practice in protecting your instances from unwanted incoming connections.
upvoted 3 times
...
...
zellck
2 years, 6 months ago
Selected Answer: C
C is the answer. https://cloud.google.com/iap
upvoted 1 times
...
TNT87
2 years, 8 months ago
Selected Answer: C
https://cloud.google.com/solutions/connecting-securely#storing_host_keys_by_enabling_guest_attributes Answer C
upvoted 2 times
...
tomato123
2 years, 11 months ago
Selected Answer: C
C is correct
upvoted 2 times
...
akshaychavan7
2 years, 11 months ago
Selected Answer: C
I feel both C and D are correct for this scenario. The only reason I would go with option C is that it would be easier to set up than setting up a bastion host.
upvoted 1 times
...
nehaxlpb
3 years ago
Selected Answer: C
With TCP forwarding, IAP can protect SSH and RDP access to your VMs hosted on Google Cloud. Your VM instances don't even need public IP addresses. https://cloud.google.com/iap
upvoted 1 times
...
szl0144
3 years, 2 months ago
C is my answer, guys
upvoted 2 times
...
s7an
3 years, 2 months ago
D should be the answer (https://cloud.google.com/solutions/connecting-securely#external) But the bastion host should also be protected by IAP
upvoted 2 times
...
dishum
3 years, 3 months ago
Ans is D
upvoted 2 times
dishum
3 years, 1 month ago
https://cloud.google.com/solutions/connecting-securely#external
upvoted 1 times
...
...
scaenruy
3 years, 6 months ago
I vote C
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel