Question-28: A public IP address is an IPv4 address that is reachable from the internet. A public IP address is required for any resource in your tenancy that must be directly accessible from the internet in order to fulfil its purpose; there may be other needs, depending on the kind of resource. On Compute Engine, you have successfully launched many instances. As a mandatory security measure, instances are not permitted to have a public IP address. There is no VPN connection between Google Cloud and your business, and you need to log in through SSH to a particular instance without breaching the security standards. What action should you take?
A. Set up Cloud NAT on the subnet where the instance is hosted. To communicate with the instance, establish an SSH connection to the Cloud NAT IP address.
B. Put all instances in an unmanaged instance group. Configure TCP Proxy Load Balancing with the instance group as the backend. Connect to the instance by using the IP address of the TCP proxy.
C. Make sure that you have the IAP-secured Tunnel User role and configure Identity-Aware Proxy (IAP) for the instance. Use the gcloud command-line tool to log in to the instance through SSH.
D. Set up a bastion host inside the network and use secure shell (SSH) to log in to the bastion host from your office. From the bastion host, connect to the instance you want to use over SSH.
Correct Answer: 3

Explanation: IAP TCP forwarding lets you set up an encrypted tunnel over which traffic such as SSH, RDP and other protocols can be sent to VM instances. IAP TCP forwarding also gives you fine-grained control over which users are permitted to set up tunnels and which VM instances those users are permitted to connect to, which gives you more security and flexibility.

There is no network connection between the cloud and the workplace, and you are not allowed to use a bastion. What C does not mention or define is whether you are using gcloud in Cloud Shell or whether you downloaded the SDK to your local machine. Stupid question that doesn't provide any explanation. I'm going to assume that the stupid people who develop these tests think that gcloud is always used in Cloud Shell. Once you are in Cloud Shell, you have access to the internal network, since the shell itself is located inside the VPC and has full permissions.

There is no virtual private network (VPN) connection between your workplace and Google Cloud. If your office and the cloud did not share a network connection, you would be unable to use any of the Google services. However, if the ports on the bastion host are open, it is always possible to SSH into it from the internet.

According to the product description, IAP TCP forwarding enables you to set up an encrypted tunnel across which you may send SSH, RDP and other traffic to VM instances. The requirement that no instance may have a public IP applies to all instances, not only the one we are trying to SSH into. Therefore the correct answer cannot be D, since the bastion host has a public IP. Because we need to connect directly to an instance, option C is the only choice available.
VMs without external IP addresses can be reached only by other VMs on the same network, by the TCP forwarding feature of Identity-Aware Proxy, or through managed VPN gateways. You may configure VMs in your network to act as bastion hosts, also known as trusted relays for inbound connections. You can also set up Cloud NAT for network egress, and the interactive serial console lets you manage or debug VMs even when they have no external IP addresses. Since bastion hosts are assigned external IP addresses, the correct choice is option C.
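The policy in this question (no public IPs, SSH only through IAP TCP forwarding) can be checked rather than assumed. The following audit script is an added example, not part of the original page or of any Google tool: it runs over constructed JSON shaped like the output of `gcloud compute instances describe --format=json` and `gcloud compute firewall-rules list --format=json`, flags any instance that has an external (NAT) IP, and flags any ingress rule that admits SSH from a source range outside the documented IAP forwarding range 35.235.240.0/20. The instance names, rule names and addresses are sample values.

```python
import ipaddress
import json

# Range Google documents as the source of IAP TCP forwarding traffic.
IAP_FORWARDING_RANGE = ipaddress.ip_network("35.235.240.0/20")

# Constructed sample data, shaped like the JSON that
# `gcloud compute instances describe --format=json` and
# `gcloud compute firewall-rules list --format=json` return.
INSTANCES_JSON = """[
 {"name": "app-1", "networkInterfaces": [{"networkIP": "10.0.0.2"}]},
 {"name": "bastion", "networkInterfaces": [{"networkIP": "10.0.0.3",
   "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]}]}
]"""
FIREWALL_JSON = """[
 {"name": "allow-ssh-iap", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-ssh-any", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]"""

def external_ips(instance):
    """External (NAT) IPs attached to any interface of the instance."""
    return [ac["natIP"] for nic in instance.get("networkInterfaces", [])
            for ac in nic.get("accessConfigs", []) if ac.get("natIP")]

def opens_ssh(rule):
    """True if an INGRESS rule allows tcp/22 (explicit port or all tcp).
    Port ranges such as "20-30" are not expanded in this example."""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    return any(a.get("IPProtocol") in ("tcp", "all")
               and (not a.get("ports") or "22" in a["ports"])
               for a in rule.get("allowed", []))

def ssh_sources_outside_iap(rule):
    """Source ranges of a rule that are not contained in the IAP range."""
    return [r for r in rule.get("sourceRanges", [])
            if not ipaddress.ip_network(r, strict=False)
            .subnet_of(IAP_FORWARDING_RANGE)]

def audit(instances_json, firewall_json):
    """Findings: instances with external IPs, SSH rules open beyond IAP."""
    findings = []
    for inst in json.loads(instances_json):
        for ip in external_ips(inst):
            findings.append(f"{inst['name']}: has external IP {ip}")
    for rule in json.loads(firewall_json):
        if opens_ssh(rule):
            for src in ssh_sources_outside_iap(rule):
                findings.append(f"{rule['name']}: allows SSH from {src}")
    return findings
```

Calling `audit(INSTANCES_JSON, FIREWALL_JSON)` on the sample data reports the bastion's external IP and the 0.0.0.0/0 SSH rule, while the IAP-only rule and the instance with no access config produce no findings.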