Domain 4.1: Managing Compute Engine resources — GCP ACE Practice Question 31

How to approach this question

Identify the GCP service that replaces traditional bastion hosts for secure remote access.

Full Answer

C.Use Identity-Aware Proxy (IAP) for TCP forwarding.✓ Correct

Identity-Aware Proxy (IAP) TCP forwarding enables you to connect to VM instances that do not have external IP addresses. It works by wrapping the SSH connection inside an HTTPS request to Google's infrastructure, which verifies your IAM permissions before forwarding the traffic to the private VM. This eliminates the need for bastion hosts or public IPs.

Common mistakes

Choosing a bastion host. While valid, IAP is the 'most secure and Google-recommended' modern approach because it requires zero infrastructure management.

You need to SSH into a Compute Engine instance that does not have an external public IP address. Your local workstation is not connected to the VPC via VPN or Interconnect.

What is the most secure and Google-recommended way to connect to this instance?

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 7

More questions from this exam

You need to SSH into a Compute Engine instance that does not have an external public IP address. Your local workstation is not connected to the VPC via VPN or Interconnect. What is the most secure and Google-recommended way to connect to this instance?

How to approach this question

Full Answer

Common mistakes

Practice the full GCP Associate Cloud Engineer Practice Exam 7

More questions from this exam

You need to SSH into a Compute Engine instance that does not have an external public IP address. Your local workstation is not connected to the VPC via VPN or Interconnect.

What is the most secure and Google-recommended way to connect to this instance?