PROFESSIONAL-CLOUD-DEVELOPER · Question #116
You are developing an internal application that will allow employees to organize community events within your company. You deployed your application on a single Compute Engine instance. Your company u
The correct answer is B. Add an HTTP(S) load balancer in front of the instance, and set up Identity-Aware Proxy (IAP).. Identity-Aware Proxy (IAP) integrates natively with Google Workspace and enforces authentication and authorization at the Google Cloud infrastructure layer before a request reaches your application. Placing an HTTP(S) load balancer in front of the Compute Engine instance and enab
Question
You are developing an internal application that will allow employees to organize community events within your company. You deployed your application on a single Compute Engine instance. Your company uses Google Workspace (formerly G Suite), and you need to ensure that the company employees can authenticate to the application from anywhere. What should you do?
Options
- AAdd a public IP address to your instance, and restrict access to the instance using firewall rules.
- BAdd an HTTP(S) load balancer in front of the instance, and set up Identity-Aware Proxy (IAP).
- CSet up a VPN tunnel between your company network and your instance's VPC location on Google
- DAdd a public IP address to your instance, and allow traffic from the internet. Generate a random
How the community answered
(58 responses)- A5% (3)
- B79% (46)
- C3% (2)
- D12% (7)
Explanation
Identity-Aware Proxy (IAP) integrates natively with Google Workspace and enforces authentication and authorization at the Google Cloud infrastructure layer before a request reaches your application. Placing an HTTP(S) load balancer in front of the Compute Engine instance and enabling IAP ensures that only authenticated Google Workspace users can reach the app - from any network, anywhere. This follows Google's recommended zero-trust access pattern. Choice A (public IP with firewall rules) restricts by IP but doesn't authenticate users. Choice C (VPN) requires employees to connect to the company VPN first, limiting remote usability and requiring VPN infrastructure. Choice D (public IP open to the internet with a random URL) is security through obscurity - not a real security control and completely against best practices.
Topics
Community Discussion
No community discussion yet for this question.