You need to SSH into a Compute Engine instance that does not have an external public IP address. Your local workstation is not connected to the VPC via VPN or Interconnect.

What is the most secure and Google-recommended way to connect to this instance?

Answer options:

Assign an ephemeral external IP address to the instance temporarily.

Deploy a bastion host with a public IP address and SSH through it.

Use Identity-Aware Proxy (IAP) for TCP forwarding.

Configure Cloud NAT to allow inbound SSH connections.

How to approach this question

Identify the GCP service that replaces traditional bastion hosts for secure remote access.

Full Answer

C.Use Identity-Aware Proxy (IAP) for TCP forwarding.✓ Correct

Use Identity-Aware Proxy (IAP) for TCP forwarding.

Identity-Aware Proxy (IAP) TCP forwarding enables you to connect to VM instances that do not have external IP addresses. It works by wrapping the SSH connection inside an HTTPS request to Google's infrastructure, which verifies your IAM permissions before forwarding the traffic to the private VM. This eliminates the need for bastion hosts or public IPs.

Common mistakes

Choosing a bastion host. While valid, IAP is the 'most secure and Google-recommended' modern approach because it requires zero infrastructure management.

Question 30 All questions Question 32

Practice the full GCP Associate Cloud Engineer Practice Exam 7

50 questions · hints · full answers · grading

More questions from this exam

Q01You are starting a new initiative and need to create a new Google Cloud project using the Cloud S...Easy Q02Your company is migrating to Google Cloud and wants to manage user identities centrally. They cur...Medium Q03You have just created a new Google Cloud project and want to deploy a containerized application u...Medium Q04Your finance team wants to perform complex SQL queries on your Google Cloud billing data to analy...Medium Q05You are managing a development project in Google Cloud. You want to ensure that you are notified ...Easy

View all 50 questions →