A production VM runs in a private subnet and has no external IP address. Engineers must occasionally SSH into the VM from their laptops on the public internet. You must design the access method so that:
No public IP is added to the VM.
Inbound firewall rules remain restricted to internal traffic.
Only specific engineers can initiate SSH sessions. Which approach meets these requirements with the least additional configuration?
Grant each engineer the roles/iap.tunnelResourceAccessor role on the project and have them run: gcloud compute ssh my-vm --zone us-central1-a --tunnel-through-iap
Enable interactive serial console on the VM and have engineers connect with: gcloud compute connect-to-serial-port my-vm --zone us-central1-a
Create a Cloud NAT gateway for the subnet and instruct engineers to run: gcloud compute ssh my-vm --zone us-central1-a --nat
Assign the VM a temporary external IP address, open TCP 22 in a firewall rule from the engineers' office IP range, and have them run: gcloud compute ssh my-vm --zone us-central1-a
Identity-Aware Proxy (IAP) TCP tunneling lets users open an SSH session to a VM without an external IP. The user needs the roles/iap.tunnelResourceAccessor role (for the IAP tunnel) plus a role that permits SSH to the instance, either through OS Login or through SSH keys in instance metadata. Once those permissions are granted, running gcloud compute ssh INSTANCE --zone ZONE --tunnel-through-iap establishes the SSH connection over IAP, keeping firewall rules and IP allocation unchanged. Adding a public IP and a firewall rule violates the requirements. Cloud NAT enables outbound, not inbound, connections, and serial-port access is meant for emergency troubleshooting, not routine SSH.
GCP Associate Cloud Engineer
Ensuring successful operation of a cloud solution