GCP Professional Cloud Architect Practice Question
Your company runs an internal administrative dashboard on Compute Engine VMs in a VPC. Today the VMs are behind an internal HTTP(S) load balancer and are reachable only over the corporate VPN. Management wants to retire the VPN and let employees reach the dashboard over the public Internet, but traffic must still be permitted only for authenticated users in the corp.example.com Google Workspace domain. You must minimize application changes and avoid distributing client certificates or static IP allow-lists. Which architecture should you implement?
Keep the internal load balancer and configure a new Cloud VPN gateway that employees connect to on demand; use VPC firewall rules and Google Groups to restrict access.
Migrate the VMs behind an external HTTP(S) load balancer, enable Cloud IAP, grant the corporate Google Group the roles/iap.httpsResourceAccessor role, and add a VPC firewall rule allowing ingress only from Google Front End IP ranges.
Expose the dashboard through an external HTTP(S) load balancer with Cloud Armor enforcing a policy that accepts requests only when a signed JWT from Identity Platform is present in the headers.
Require each employee to establish an IAP-TCP tunnel to the individual VM instances and access the dashboard via forwarded localhost ports.
Identity-Aware Proxy (IAP) adds an authentication and authorization layer in front of an external HTTP(S) load balancer, so access decisions are based on Google identity rather than network location. Moving the service behind an external HTTP(S) load balancer, enabling IAP on its backend service, and granting roles/iap.httpsResourceAccessor to the corporate Google Group (or to the whole domain via a domain:corp.example.com member) satisfies the requirement with no application code changes: IAP performs the Google sign-in and rejects anyone outside the group before a request reaches the VMs. A VPC firewall rule that permits ingress to the backend VMs only from the Google Front End and health-check ranges (35.191.0.0/16 and 130.211.0.0/22) keeps direct Internet traffic off the VMs; without it, anyone who learns a VM's address could bypass the proxy entirely. Because those ranges are shared by every Google-fronted load balancer, the recommended second layer is to have the application verify the signed x-goog-iap-jwt-assertion header that IAP attaches to each request, but that is a hardening step, not a requirement of this question. The other options fail the stated constraints: the first keeps a VPN in place, the third relies on a header scheme that Cloud Armor can only pattern-match (it cannot verify an Identity Platform JWT signature, so the backend would have to), and the fourth replaces a browser-accessible dashboard with a per-user TCP tunnel to each VM.
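The correct architecture expressed as Terraform, added here as an example and not part of the original practice question. It assumes the Google provider 5.x or later (for the iap.enabled argument), an existing VPC named corp-vpc, an existing managed instance group and health check passed in as variables, a dashboard listening on port 8080, and placeholder names such as dashboard.corp.example.com and dashboard-users@corp.example.com; all of these are assumptions.

```hcl
# Added example: external HTTP(S) load balancer + IAP + GFE-only firewall rule.
# Assumes: Google provider >= 5.x, VPC "corp-vpc" already exists, the managed
# instance group and health check already exist (self links passed in below).
variable "project_id"               { type = string }
variable "instance_group_self_link" { type = string }
variable "health_check_self_link"   { type = string }

locals {
  dashboard_tag = "admin-dashboard"                     # network tag on the VMs (assumed)
  gfe_ranges    = ["35.191.0.0/16", "130.211.0.0/22"]  # Google Front End / health-check ranges
  corp_group    = "group:dashboard-users@corp.example.com"  # placeholder group
}

# 1. Backend VMs accept ingress only from the GFE / health-check ranges, so the
#    public Internet cannot reach them except through the load balancer (and IAP).
resource "google_compute_firewall" "allow_gfe_to_dashboard" {
  name          = "allow-gfe-to-admin-dashboard"
  network       = "corp-vpc"
  direction     = "INGRESS"
  priority      = 1000
  source_ranges = local.gfe_ranges
  target_tags   = [local.dashboard_tag]

  allow {
    protocol = "tcp"
    ports    = ["8080"]   # port the dashboard listens on (assumed)
  }
}

# 2. Backend service of the global external HTTP(S) load balancer with IAP on.
resource "google_compute_backend_service" "dashboard" {
  name                  = "admin-dashboard-backend"
  protocol              = "HTTP"
  port_name             = "http"
  load_balancing_scheme = "EXTERNAL_MANAGED"
  health_checks         = [var.health_check_self_link]

  backend {
    group = var.instance_group_self_link
  }

  iap {
    enabled = true
  }
}

# 3. Only members of the corporate Google Group may pass IAP for this backend.
resource "google_iap_web_backend_service_iam_member" "corp_group" {
  project             = var.project_id
  web_backend_service = google_compute_backend_service.dashboard.name
  role                = "roles/iap.httpsResourceAccessor"
  member              = local.corp_group
}

# 4. Standard front end: URL map, Google-managed certificate, HTTPS proxy,
#    reserved global address and forwarding rule on 443.
resource "google_compute_url_map" "dashboard" {
  name            = "admin-dashboard-urlmap"
  default_service = google_compute_backend_service.dashboard.id
}

resource "google_compute_managed_ssl_certificate" "dashboard" {
  name = "admin-dashboard-cert"
  managed {
    domains = ["dashboard.corp.example.com"]   # assumed public hostname
  }
}

resource "google_compute_target_https_proxy" "dashboard" {
  name             = "admin-dashboard-https-proxy"
  url_map          = google_compute_url_map.dashboard.id
  ssl_certificates = [google_compute_managed_ssl_certificate.dashboard.id]
}

resource "google_compute_global_address" "dashboard" {
  name = "admin-dashboard-ip"
}

resource "google_compute_global_forwarding_rule" "dashboard" {
  name                  = "admin-dashboard-fr"
  ip_address            = google_compute_global_address.dashboard.address
  ip_protocol           = "TCP"
  port_range            = "443"
  target                = google_compute_target_https_proxy.dashboard.id
  load_balancing_scheme = "EXTERNAL_MANAGED"
}
```

The firewall rule and the IAM binding are the two security-relevant pieces: the rule is what stops a client from reaching a VM directly, and the binding is what limits who IAP will admit. Note that the rule is keyed on a network tag, so the VMs must actually carry admin-dashboard for it to apply.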
Exam: GCP Professional Cloud Architect. Domain: Designing for security and compliance.