Medium · 1 mark · Multiple Choice
Tags: Domain 4.1, Compute Engine, IAP, SSH

GCP ACE · Question 33 · Domain 4.1: Managing Compute Engine resources

You have a Compute Engine instance that does NOT have an external public IP address. You need to connect to this instance via SSH from your local workstation over the internet securely.

Which TWO actions must you take to enable this using Identity-Aware Proxy (IAP)? (Select TWO)

Answer options:

A. Assign a temporary external IP address to the instance.

B. Ensure your user account has the 'IAP-secured Tunnel User' IAM role.

C. Create an ingress firewall rule allowing TCP port 22 from the IAP IP range (35.235.240.0/20).

D. Configure Cloud VPN between your workstation and the VPC.

E. Install the IAP agent on the guest OS of the VM.

How to approach this question

Understand the IAM and Firewall requirements for IAP TCP forwarding.

Full Answer

Identity-Aware Proxy (IAP) TCP forwarding allows you to SSH into VMs without public IPs. To use it, two things are required:

1) The user must have the `roles/iap.tunnelResourceAccessor` (IAP-secured Tunnel User) role.

2) The VPC firewall must allow ingress on port 22 from Google's IAP proxy IP range (`35.235.240.0/20`).

Common mistakes

Forgetting the firewall rule, or thinking a VPN is required.

Practice the full GCP Associate Cloud Engineer Practice Exam 4
