Your production Compute Engine VM instances run without external IP addresses for security reasons. A team of site reliability engineers must occasionally SSH into these VMs from their laptops. You decide to enable Identity-Aware Proxy (IAP) TCP tunneling. Which additional change is required so the engineers can establish the SSH session through IAP?
Create an ingress firewall rule that permits TCP port 22 from the 35.235.240.0/20 source range to the target instances.
Add the VMs to a TCP load balancer backend service listening on port 22 and point IAP to the load balancer's IP.
Enable Cloud NAT on the subnet so the VMs can reach the internet during the SSH session.
Reserve a regional external static IP address and attach it to each VM before enabling IAP.
IAP opens the SSH tunnel from Google-controlled proxy addresses in the 35.235.240.0/20 range. Because the VMs no longer have external addresses, they cannot be reached unless an ingress firewall rule explicitly permits traffic from those proxy IPs on TCP port 22. After the rule is in place and the users have the proper IAM role, they can run "gcloud compute ssh --tunnel-through-iap" without assigning public IPs, configuring Cloud NAT, or front-ending the VMs with a load balancer.
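A check for the firewall requirement explained above, as an added example that is not part of the original page. It reads rules shaped like the JSON output of `gcloud compute firewall-rules list --format=json`, reports whether the 35.235.240.0/20 range can reach TCP port 22 on an instance, and lists SSH rules that admit sources outside that range. The function names, rule names and the `prod-vm` tag are hypothetical, and the evaluation is simplified: deny rules, priorities and service-account targets are not considered.

```python
import ipaddress

IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")  # IAP proxy range named on the page

SAMPLE_RULES = [  # constructed sample data, not taken from a real project
    {"name": "allow-iap-ssh", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["prod-vm"]},
    {"name": "legacy-ssh-any", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}], "targetTags": ["prod-vm"]},
    {"name": "allow-web", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
]

def allows_tcp_port(rule, port):
    """True if any 'allowed' entry covers the TCP port (no ports listed means all ports)."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:
            return True
        for spec in ports:
            low, _, high = spec.partition("-")  # "22" or a range such as "20-25"
            if int(low) <= port <= int(high or low):
                return True
    return False

def audit_iap_ssh(rules, instance_tags, port=22):
    """Return (reachable_from_iap, names_of_rules_wider_than_the_iap_range)."""
    # Assumption: only network-wide and tag-targeted allow rules are evaluated.
    reachable, too_broad = False, []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        targets = rule.get("targetTags")
        if targets and not set(targets) & set(instance_tags):
            continue  # rule does not apply to this instance
        if not allows_tcp_port(rule, port):
            continue
        sources = [ipaddress.ip_network(s) for s in rule.get("sourceRanges", [])]
        sources = [s for s in sources if s.version == 4]
        if any(IAP_RANGE.subnet_of(s) for s in sources):
            reachable = True
        if any(not s.subnet_of(IAP_RANGE) for s in sources):
            too_broad.append(rule["name"])
    return reachable, too_broad

if __name__ == "__main__":
    print(audit_iap_ssh(SAMPLE_RULES, ["prod-vm"]))
```

A rule such as the constructed `legacy-ssh-any` also lets the IAP range through, but it admits every other source as well, so the audit reports it separately from the narrowly scoped rule.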
GCP Associate Cloud Engineer
Ensuring successful operation of a cloud solution