Your VPC contains two managed instance groups in the same region. Instances in the bastion group are created with the service account bastion-sa, and instances in the application group are created with the service account app-sa. You must allow administrators to open SSH sessions (TCP port 22) from the bastion hosts to the application hosts while blocking SSH traffic that originates from any other source. You want to meet the requirement without relying on fixed IP ranges or network tags. What should you do?
Create a single ingress firewall rule that applies to instances with the app-sa service account, sets the source service account to bastion-sa, and allows tcp:22.
Create an egress firewall rule that applies to instances with the bastion-sa service account, sets the destination service account to app-sa, and allows tcp:22.
Add a network tag "bastion" to the bastion instances and an "app" tag to the application instances. Create an ingress rule that allows tcp:22 from source tag "bastion" to target tag "app".
Enable OS Login and grant the bastion-sa service account the Compute OS Admin Login IAM role on the project; no firewall rule changes are required.
VPC firewall rules let you identify traffic sources and targets by the service accounts that the VM instances run as. Creating a single ingress rule that:
- targets the application servers (for example, by specifying the target service account app-sa),
- uses the source service account bastion-sa as the match condition, and
- allows TCP port 22
permits SSH only when the packets originate from VMs running as bastion-sa. Any other VM, regardless of its IP address or tags, does not match the rule and is therefore denied by the implied deny ingress rule. Using an egress rule, network tags, or relying solely on IAM (OS Login) would not satisfy the requirement to restrict the network path itself.
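The rule from the correct answer written as a Terraform declaration, added here as an example and not part of the original question; PROJECT_ID, the network name and the rule name are placeholders, and the logging block is an assumed addition so that permitted SSH sessions are visible in firewall logs.

```hcl
# Added example (not from the exam page). Ingress rule that allows SSH to
# app-sa instances only when the source VM runs as bastion-sa. Everything
# else on tcp:22 falls through to the implied deny ingress rule, so no
# explicit deny rule is needed.
resource "google_compute_firewall" "allow_ssh_bastion_to_app" {
  name      = "allow-ssh-bastion-to-app"   # placeholder name
  network   = "default"                    # placeholder network
  direction = "INGRESS"
  priority  = 1000

  # Match on identity, not on IP ranges or network tags. A rule may use
  # service accounts OR tags for its source/target, never both in one rule.
  source_service_accounts = ["bastion-sa@PROJECT_ID.iam.gserviceaccount.com"]
  target_service_accounts = ["app-sa@PROJECT_ID.iam.gserviceaccount.com"]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  # Assumed addition: log every connection the rule allows so SSH from the
  # bastion tier can be audited and unexpected matches investigated.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```

Because nothing else permits tcp:22 to app-sa instances, the implied deny handles every other source without a separate deny rule; if a broader allow-ssh rule already exists in the VPC, it must be removed or given a lower priority for this restriction to hold.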
GCP Associate Cloud Engineer
Planning and implementing a cloud solution