PROFESSIONAL-CLOUD-SECURITY-ENGINEER Question #263: Real Exam Question with Answer & Explanation

Question

An administrative application is running on a virtual machine (VM) in a managed group at port 5601 inside a Virtual Private Cloud (VPC) instance without access to the internet currently. You want to expose the web interface at port 5601 to users and enforce authentication and authorization Google credentials. What should you do?

Options

• AConfigure the bastion host with OS Login enabled and allow connection to port 5601 at VPC
• BModify the VPC routing with the default route point to the default internet gateway. Modify the
• CConfigure Secure Shell Access (SSH) bastion host in a public network, and allow only the bastion
• DConfigure an HTTP Load Balancing instance that points to the managed group with Identity-

Explanation

To expose an internal web interface on a VM with Google credentials for authentication and authorization, configure an HTTP Load Balancer pointing to the managed instance group with Identity-Aware Proxy (IAP) enabled.

Common mistakes.

• A. A bastion host with OS Login is primarily used for secure SSH access to VMs, not for exposing a web interface with Google credential-based authentication for web users.
• B. Modifying VPC routing to point to the default internet gateway would expose the VM directly to the internet, creating a significant security risk, and does not inherently enforce Google credentials for authentication at the web interface level.
• C. Configuring an SSH bastion host in a public network is for secure shell access to VMs, not for exposing a web-based administrative interface and enforcing web authentication with Google credentials.

Concept tested. Identity-Aware Proxy (IAP) with HTTP(S) Load Balancer

Reference. https://cloud.google.com/iap

No community discussion yet for this question.