GCP Associate Cloud Engineer Practice Question

Your team wants to let contractors open an SSH session to a Linux VM directly from the Google Cloud console by clicking the "SSH" button in the VM instances list. The VM has an external IP and no existing ingress rules. The contractors must not install the gcloud CLI or manage SSH keys locally. Which single configuration change is required so the browser-based SSH connection succeeds while keeping access as restrictive as possible?

Attach a Cloud NAT gateway to the subnet so the VM can establish outbound connections for the SSH session.
Add an ingress firewall rule that allows TCP 22 from source range 0.0.0.0/0 to the VM's network tags.
Create an ingress firewall rule that allows TCP 22 from source range 35.235.240.0/20 in the VPC network where the VM resides.
Enable OS Login at the project level so Compute Engine injects temporary SSH keys for the contractors.

Report Issue

Answer Description

When you click the SSH button in the console, the browser connects through Google's SSH relay service, which then initiates an SSH session to the VM on TCP port 22. The traffic arrives at the VM with a source IP in the range 35.235.240.0/20. If no firewall rule allows this range, the connection times out. Creating an ingress rule that permits TCP 22 only from 35.235.240.0/20 satisfies the relay service while limiting exposure. Allowing 0.0.0.0/0 is overly broad, enabling OS Login does not address the blocked port, and Cloud NAT is irrelevant because the VM already has an external IP and the issue is inbound, not outbound.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.