Domain 4.1: Managing Compute Engine resources — GCP ACE Practice Question 33

How to approach this question

Understand the IAM and Firewall requirements for IAP TCP forwarding.

Full Answer

Ensure your user account has the 'IAP-secured Tunnel User' IAM role., Create an ingress firewall rule allowing TCP port 22 from the IAP IP range (35.235.240.0/20).

Identity-Aware Proxy (IAP) TCP forwarding allows you to SSH into VMs without public IPs. To use it, two things are required: 1) The user must have the `roles/iap.tunnelResourceAccessor` (IAP-secured Tunnel User) role. 2) The VPC firewall must allow ingress on port 22 from Google's IAP proxy IP range (`35.235.240.0/20`).

Common mistakes

Forgetting the firewall rule, or thinking a VPN is required.

You have a Compute Engine instance that does NOT have an external public IP address. You need to connect to this instance via SSH from your local workstation over the internet securely.

Which TWO actions must you take to enable this using Identity-Aware Proxy (IAP)? (Select TWO)

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 4

More questions from this exam

You have a Compute Engine instance that does NOT have an external public IP address. You need to connect to this instance via SSH from your local workstation over the internet securely. Which TWO actions must you take to enable this using Identity-Aware Proxy (IAP)? (Select TWO)

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 4

More questions from this exam

You have a Compute Engine instance that does NOT have an external public IP address. You need to connect to this instance via SSH from your local workstation over the internet securely.

Which TWO actions must you take to enable this using Identity-Aware Proxy (IAP)? (Select TWO)