Hard · 1 mark · Multiple Choice

GCP ACE · Question 32 · Domain 4.1: Managing Compute Engine resources

You have a Compute Engine instance that does NOT have an external public IP address. You need to SSH into this instance securely from your local laptop over the internet.

Which TWO actions must you take to enable this using Identity-Aware Proxy (IAP)? (Select TWO)

Answer options:

A.

Create a firewall rule allowing ingress from 0.0.0.0/0 on port 22.

B.

Create a firewall rule allowing ingress from 35.235.240.0/20 on port 22.

C.

Assign a temporary external IP address to the instance.

D.

Grant your user account the 'IAP-secured Tunnel User' IAM role.

E.

Configure a Cloud VPN connection.

How to approach this question

Know the network and IAM requirements for setting up IAP TCP forwarding.

Full Answer

Correct answers: B and D.

B. Create a firewall rule allowing ingress from 35.235.240.0/20 on port 22.
D. Grant your user account the 'IAP-secured Tunnel User' IAM role.

To use IAP for SSH (TCP forwarding), you need two things:

1. A firewall rule allowing ingress on port 22 from Google's IAP IP range (35.235.240.0/20).
2. The IAM role `roles/iap.tunnelResourceAccessor` (IAP-secured Tunnel User) granted to the user attempting to connect.

Common mistakes

Opening port 22 to 0.0.0.0/0, which defeats the security benefits of IAP.
