GCP Professional Cloud Architect Practice Question
Your company runs an internal dashboard on GKE that is published through an external HTTP(S) load balancer with a public IP address. The security policy states:
Only corporate employees may reach the dashboard from any network.
Access must be denied from laptops that are not compliant with corporate device policies.
No VPN clients or per-device certificates may be required.
As the Cloud Architect, which solution best satisfies these requirements while keeping operational overhead low?
Enable Identity-Aware Proxy on the HTTP(S) load balancer and create a context-aware access policy that permits only members of the corporate Workspace group on managed devices verified by Chrome Enterprise Premium.
Configure IAP TCP forwarding to a bastion host, force users to establish an SSH tunnel to the dashboard, and permit access only to the corporate group.
Protect the load balancer with Cloud Armor by allow-listing corporate office IP ranges and enforce basic authentication on the application.
Require users to connect through Cloud VPN to a private VPC that exposes the dashboard via an internal load balancer, and restrict firewall rules to the VPN subnet.
Identity-Aware Proxy (IAP) can front an external HTTP(S) load balancer and evaluate every request against an Access Context Manager policy. By allowing only identities in a corporate Google Workspace group and requiring devices that report compliance through Endpoint Verification (a Chrome Enterprise Premium capability), the dashboard is accessible solely to authorized, policy-compliant users. No VPN software or certificates are needed.
Cloud VPN violates the explicit "no VPN" requirement. Relying on Cloud Armor IP allowlists enforces network location but provides neither identity nor device checks and is hard to maintain for roaming users. IAP TCP forwarding through an SSH bastion could enforce the same context-aware policies, but it forces users to establish and maintain SSH tunnels, and the option as written does not include the required device-compliance check, resulting in higher user friction and operational overhead.
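The policy described in the explanation, sketched as Terraform. This is an added example, not part of the original question. The variable values, the access level name and the specific device attributes chosen to stand for "compliant" are assumptions, and IAP is assumed to be already enabled on the backend service.

```hcl
# Added example: every name and ID here is a placeholder supplied by the caller.
variable "project_id" {}
variable "access_policy_id" {} # numeric Access Context Manager policy ID
variable "backend_service" {}  # backend service behind the external HTTP(S) LB
variable "employee_group" {}   # address of the corporate Workspace group

# Device side: an access level that is satisfied only when Endpoint
# Verification reports a posture matching these attributes (assumed here to
# be what "compliant with corporate device policies" means).
resource "google_access_context_manager_access_level" "managed_device" {
  parent = "accessPolicies/${var.access_policy_id}"
  name   = "accessPolicies/${var.access_policy_id}/accessLevels/managed_device"
  title  = "managed_device"

  basic {
    conditions {
      device_policy {
        require_corp_owned          = true
        require_screen_lock         = true
        allowed_encryption_statuses = ["ENCRYPTED"]
      }
    }
  }
}

# Identity side: only the corporate group receives the IAP accessor role.
# The condition ties that grant to the access level, so a group member on a
# non-compliant laptop is denied. Without the condition block this binding
# would check identity only.
resource "google_iap_web_backend_service_iam_member" "dashboard" {
  project             = var.project_id
  web_backend_service = var.backend_service
  role                = "roles/iap.httpsResourceAccessor"
  member              = "group:${var.employee_group}"

  condition {
    title      = "managed-device-only"
    expression = "\"${google_access_context_manager_access_level.managed_device.name}\" in request.auth.access_levels"
  }
}
```

When reviewing an existing deployment, confirm that no other principal holds `roles/iap.httpsResourceAccessor` on the same backend service without the condition, since any unconditional binding bypasses the device check.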
GCP Professional Cloud Architect
Designing for security and compliance