Medium · 1 mark · Multiple Choice
Tags: Compute Engine, IAP, Security

GCP ACE · Question 33 · Domain 4.1: Managing Compute Engine resources

You need to securely SSH into a Compute Engine instance that does NOT have an external public IP address. You want to use Identity-Aware Proxy (IAP) for TCP forwarding to achieve this.

Which TWO configurations are required to make this work? (Select TWO)

Answer options:

A. Assign an ephemeral public IP address to the instance.

B. Grant the user the 'IAP-secured Tunnel User' IAM role.

C. Create a firewall rule allowing ingress TCP traffic on port 22 from 0.0.0.0/0.

D. Create a firewall rule allowing ingress TCP traffic on port 22 from 35.235.240.0/20.

E. Configure a Cloud VPN connection to your local network.

How to approach this question

Recall the two main requirements for IAP TCP forwarding: IAM permissions and a specific firewall rule.

Full Answer

Correct answers: B and D. Grant the user the 'IAP-secured Tunnel User' IAM role, and create a firewall rule allowing ingress TCP traffic on port 22 from 35.235.240.0/20.

To use IAP for SSH (TCP forwarding) to private VMs, two things are required:

1) The user must hold the `roles/iap.tunnelResourceAccessor` (IAP-secured Tunnel User) IAM role, which authorizes them to open a tunnel to the instance.
2) The VPC must have an ingress firewall rule allowing TCP traffic on port 22 from `35.235.240.0/20`, the IP range from which Google's IAP proxy servers originate the forwarded connections. Because the SSH connection reaches the VM from that range rather than from the user's client, no external IP address is needed on the instance.

Common mistakes

Opening port 22 to `0.0.0.0/0` (insecure and unnecessary, since IAP-forwarded traffic only arrives from `35.235.240.0/20`), assuming the instance needs a public IP, or thinking a VPN is required.

Source: GCP Associate Cloud Engineer Practice Exam 3