PROFESSIONAL-CLOUD-DEVELOPER · Question #118
You are developing a web application that will be accessible over both HTTP and HTTPS and will run on Compute Engine instances. On occasion, you will need to SSH from your remote laptop into one of th
The correct answer is C. Configure Cloud Identity-Aware Proxy API for SSH access. Then configure the Compute Engine. Cloud Identity-Aware Proxy (IAP) for TCP forwarding allows secure SSH access to Compute Engine instances that have no public IP address. With IAP TCP tunneling (gcloud compute ssh via IAP), SSH traffic is tunneled through Google's infrastructure after the user authenticates with
Question
You are developing a web application that will be accessible over both HTTP and HTTPS and will run on Compute Engine instances. On occasion, you will need to SSH from your remote laptop into one of the Compute Engine instances to conduct maintenance on the app. How should you configure the instances while following Google-recommended best practices?
Options
- ASet up a backend with Compute Engine web server instances with a private IP address behind a
- BConfigure the firewall rules to allow all ingress traffic to connect to the Compute Engine web
- CConfigure Cloud Identity-Aware Proxy API for SSH access. Then configure the Compute Engine
- DSet up a backend with Compute Engine web server instances with a private IP address behind an
How the community answered
(38 responses)- A5% (2)
- B16% (6)
- C76% (29)
- D3% (1)
Explanation
Cloud Identity-Aware Proxy (IAP) for TCP forwarding allows secure SSH access to Compute Engine instances that have no public IP address. With IAP TCP tunneling (gcloud compute ssh via IAP), SSH traffic is tunneled through Google's infrastructure after the user authenticates with their Google identity - no need to expose port 22 to the internet or use a VPN. The instances should have private IP addresses (no direct public internet exposure for SSH), while the load balancer handles HTTP/HTTPS traffic. This follows Google's recommended secure-by-default architecture. Choice A may set up the load balancer but lacks secure SSH access. Choice B (allow all ingress) is clearly insecure. Choice D is similar to A but also doesn't address secure SSH. Only Choice C correctly handles both the web traffic (via load balancer) and SSH access (via IAP tunneling) securely.
Topics
Community Discussion
No community discussion yet for this question.