Your security team must ensure that only the Compute Engine bastion host, which runs under the service account [email protected], can initiate SSH sessions to virtual machines that are part of the front-end tier in your custom VPC. All front-end VMs already have the network tag web. Which Cloud Next Generation Firewall rule definition satisfies the requirement while following least-privilege best practices?
Ingress rule - action allow; source: service account [email protected]; targets: network tag web; protocol/port: tcp:22
To restrict SSH so that only the bastion host can reach the front-end VMs, you need an ingress rule that allows traffic from the bastion host to the web-tagged instances. The bastion's service account identifies the source (the firewall evaluates the identity of the sending VM, so the rule keeps working if the bastion is recreated with a different IP address), while the network tag web selects the target instances. The action must be allow, and the protocol/port must be limited to tcp:22 so that nothing besides SSH is opened. An egress rule would control traffic leaving the front-end VMs, not traffic entering them; 0.0.0.0/0 or an external IP address as the source is overly permissive; and a deny rule would block, not permit, the required access. One caveat for real deployments: a VPC firewall rule cannot combine a source service account with target network tags in the same rule, so in practice the front-end VMs are identified by a target service account as well, or both ends are identified by tags.
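The following shell example is added here and is not part of the original question or explanation. It builds (but does not run) the gcloud command for the rule described above and lints a candidate rule against the least-privilege criteria from the explanation. Because VPC firewall rules do not allow a source service account together with target network tags, the front-end VMs are selected by a target service account instead of the web tag. The VPC name custom-vpc, the project my-project and both service account addresses are assumptions for illustration (the bastion's real address is redacted on the page); the rule name allow-ssh-from-bastion is also made up.

```shell
#!/usr/bin/env sh
# Added example, not from the original page. Assumed names: custom-vpc, my-project,
# bastion-sa@... and frontend-sa@... are placeholders, not identifiers from the question.

# Print the gcloud command for the bastion-to-front-end SSH rule so it can be
# reviewed before it is executed. Arguments: VPC network, bastion SA, front-end SA.
bastion_ssh_rule_cmd() {
  network="$1"; bastion_sa="$2"; frontend_sa="$3"
  cmd="gcloud compute firewall-rules create allow-ssh-from-bastion"
  cmd="$cmd --network=$network"
  cmd="$cmd --direction=INGRESS"             # traffic entering the front-end VMs
  cmd="$cmd --action=ALLOW"                  # a DENY rule would block the bastion
  cmd="$cmd --rules=tcp:22"                  # SSH only, nothing else opened
  cmd="$cmd --source-service-accounts=$bastion_sa"   # identity of the sender, not its IP
  cmd="$cmd --target-service-accounts=$frontend_sa"  # tags cannot be mixed with a source SA
  cmd="$cmd --priority=1000 --enable-logging"        # logging so each SSH connection is auditable
  printf '%s\n' "$cmd"
}

# Lint a candidate rule against the criteria in the explanation.
# Arguments: direction action source ports. Prints "ok" and returns 0 on success;
# otherwise prints the first violated criterion and returns 1.
lint_rule() {
  direction="$1"; action="$2"; source="$3"; ports="$4"
  [ "$direction" = "INGRESS" ] || { echo "direction must be INGRESS (egress governs traffic leaving the VMs)"; return 1; }
  [ "$action" = "ALLOW" ] || { echo "action must be ALLOW (a deny rule blocks the required access)"; return 1; }
  case "$source" in
    0.0.0.0/0|::/0) echo "source must not be any-address (0.0.0.0/0 is overly permissive)"; return 1 ;;
    *.iam.gserviceaccount.com) ;;   # a service account pins the rule to the bastion's identity
    *) echo "source must be the bastion's service account, not an IP address"; return 1 ;;
  esac
  [ "$ports" = "tcp:22" ] || { echo "ports must be exactly tcp:22"; return 1; }
  echo ok
}

# Stand-alone usage: show the command, then lint the intended rule and a too-broad one.
bastion_ssh_rule_cmd custom-vpc \
  bastion-sa@my-project.iam.gserviceaccount.com \
  frontend-sa@my-project.iam.gserviceaccount.com
lint_rule INGRESS ALLOW bastion-sa@my-project.iam.gserviceaccount.com tcp:22
lint_rule INGRESS ALLOW 0.0.0.0/0 tcp:22 || true
```

The lint encodes the same four checks the explanation uses to eliminate the wrong options (direction, action, source breadth, port), so it can be reused as a quick review gate before any SSH rule is created.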
GCP Associate Cloud Engineer
Planning and implementing a cloud solution