Domain 4.1: Managing Compute Engine resources — GCP ACE Practice Question 33

How to approach this question

Recall the two main requirements for IAP TCP forwarding: IAM permissions and a specific firewall rule.

Full Answer

To use IAP for SSH (TCP forwarding) to private VMs, two things are required: 1) The user must have the `roles/iap.tunnelResourceAccessor` (IAP-secured Tunnel User) role. 2) The VPC must have an ingress firewall rule allowing traffic on port 22 from `35.235.240.0/20`, which is the IP range used by Google's IAP proxy servers.

Common mistakes

Opening port 22 to `0.0.0.0/0`, which is insecure, or thinking a VPN is required.

You need to securely SSH into a Compute Engine instance that does NOT have an external public IP address. You want to use Identity-Aware Proxy (IAP) for TCP forwarding to achieve this.

Which TWO configurations are required to make this work? (Select TWO)

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 3

More questions from this exam

You need to securely SSH into a Compute Engine instance that does NOT have an external public IP address. You want to use Identity-Aware Proxy (IAP) for TCP forwarding to achieve this. Which TWO configurations are required to make this work? (Select TWO)

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 3

More questions from this exam

You need to securely SSH into a Compute Engine instance that does NOT have an external public IP address. You want to use Identity-Aware Proxy (IAP) for TCP forwarding to achieve this.

Which TWO configurations are required to make this work? (Select TWO)