A development team created a Compute Engine VM that has no external IP address. They need to allow on-call engineers to open an SSH session from their laptops using the command gcloud compute ssh --tunnel-through-iap vm-1 --zone=us-central1-a. The command currently times out. Which change will allow the engineers to connect while keeping the VM private?
Enable interactive serial console access for the VM in its metadata settings.
Create an ingress firewall rule that allows TCP port 22 from source range 35.235.240.0/20 to the VM's network tag.
Reserve a static external IP address and assign it to the VM.
Configure a Cloud NAT gateway for the subnet that contains the VM.
Identity-Aware Proxy (IAP) TCP tunneling uses Google-controlled proxy addresses in the range 35.235.240.0/20. Even though IAP establishes the SSH connection on behalf of the user, the proxy still needs to reach the VM's SSH port (TCP 22). Because the instance has no external IP, the only path is through the VPC network, so you must permit ingress from the IAP proxy range. Creating a firewall rule that targets the VM (for example, via a network tag) and allows TCP 22 from 35.235.240.0/20 satisfies this requirement without exposing the VM to the public internet. Assigning an external IP or adding Cloud NAT would defeat the goal of keeping the VM private, and enabling the serial console does not affect IAP-based SSH access.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is Identity-Aware Proxy (IAP) TCP tunneling?
Open an interactive chat with Bash
What is the purpose of the 35.235.240.0/20 IP range in this scenario?
Open an interactive chat with Bash
How does a network tag help in firewall rules for VMs?
Open an interactive chat with Bash
What is Identity-Aware Proxy (IAP) in Google Cloud?
Open an interactive chat with Bash
Why does the IAP proxy need a firewall rule to access private VMs?
Open an interactive chat with Bash
What is a network tag, and how is it used in firewall rules?
Open an interactive chat with Bash
GCP Associate Cloud Engineer
Ensuring successful operation of a cloud solution
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .