New Year Sale 2026! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Google Associate Cloud Engineer Exam - Topic 4 Question 95 Discussion

Actual exam question for Google's Associate Cloud Engineer exam
Question #: 95
Topic #: 4
[All Associate Cloud Engineer Questions]

You have deployed an application on a Compute Engine instance. An external consultant needs to access the Linux-based instance. The consultant is connected to your corporate network through a VPN connection, but the consultant has no Google account. What should you do?

Show Suggested Answer Hide Answer
Suggested Answer: C

The best option is to instruct the external consultant to generate an SSH key pair, and request the public key from the consultant. Then, add the public key to the instance yourself, and have the consultant access the instance through SSH with their private key. This way, you can grant the consultant access to the instance without requiring a Google account or exposing the instance's public IP address.This option also follows the best practice of using user-managed SSH keys instead of service account keys for SSH access1.

Option A is not feasible because the external consultant does not have a Google account, and therefore cannot use Identity-Aware Proxy (IAP) to access the instance.IAP requires the user to authenticate with a Google account and have the appropriate IAM permissions to access the instance2. Option B is not secure because it exposes the instance's public IP address, which can increase the risk of unauthorized access or attacks. Option D is not correct because it reverses the roles of the public and private keys. The public key should be added to the instance, and the private key should be kept by the consultant.Sharing the private key with anyone else can compromise the security of the SSH connection3.


1: https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys

2: https://cloud.google.com/iap/docs/using-tcp-forwarding

3: https://cloud.google.com/compute/docs/instances/connecting-advanced#sshbetweeninstances

by Floyd at Sep 17, 2024, 12:11 PM

Limited Time Offer

25%

Off

Get Premium Associate Cloud Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
An
3 months ago
I think C is the best choice, but I'm surprised it's not more common knowledge!
upvoted 0 times
...
Michell
3 months ago
Definitely not D, that’s a huge security no-no.
upvoted 0 times
...
Tamesha
3 months ago
Wait, why would you ever ask for a private key? That's risky!
upvoted 0 times
...
Olen
4 months ago
I disagree, using the public IP (Option B) is simpler.
upvoted 0 times
...
Alline
4 months ago
Option C is the way to go! SSH keys are secure.
upvoted 0 times
...
Earleen
4 months ago
Option D seems wrong to me; I remember we shouldn't share private keys. It has to be option C, right? But I hope I’m not mixing things up!
upvoted 0 times
...
Fannie
4 months ago
I feel like option B could work since the consultant is on a VPN, but I’m not sure if using the public IP is the best practice without a Google account.
upvoted 0 times
...
Rolland
4 months ago
I remember discussing Identity-Aware Proxy in relation to secure access, so option A might be a good choice too, but I’m not confident about the gcloud command specifics.
upvoted 0 times
...
Penney
5 months ago
I think option C sounds familiar, like something we practiced in class about SSH key management. But I'm not entirely sure if that's the only way to do it.
upvoted 0 times
...
Nikita
5 months ago
I'm a bit confused by the options here. Using the public IP address doesn't seem secure, and I'm not familiar with Identity-Aware Proxy. I think I'll go with option C to be on the safe side.
upvoted 0 times
...
Dominque
5 months ago
Option C sounds like the way to go. It's a common approach for granting external access to a Linux instance without requiring a Google account. I'll make sure to carefully follow the steps to add the consultant's public key.
upvoted 0 times
...
Roxanne
5 months ago
Hmm, I'm a bit unsure about this one. I'm not sure if using the public IP address is the best approach since the consultant doesn't have a Google account. Maybe I should look into the Identity-Aware Proxy option.
upvoted 0 times
...
Whitley
5 months ago
This seems straightforward. I'd go with option C - having the consultant generate an SSH key pair and providing the public key to access the instance.
upvoted 0 times
...
Clorinda
5 months ago
I definitely know a server template isn't required, but I can't remember if we need both the CSV upload and the device template specifically.
upvoted 0 times
...
Marleen
1 year ago
Haha, imagine the consultant trying to use the gcloud tool without a Google account? That's just asking for trouble. C is the clear winner here.
upvoted 0 times
Nakisha
1 year ago
Using SSH key pair with option C is the best choice for the consultant to access the Linux-based instance securely.
upvoted 0 times
...
Huey
1 year ago
Agreed, C is the most secure option for adding the consultant's SSH key to the instance.
upvoted 0 times
...
Bettina
1 year ago
Yeah, definitely don't want the consultant to struggle with gcloud without a Google account. C is the way to go.
upvoted 0 times
...
...
Tamekia
1 year ago
Hmm, I'm not sure about giving the consultant direct access to the instance's public IP. Option B feels a bit risky to me. C is the safer bet.
upvoted 0 times
Macy
1 year ago
It's important to prioritize security when granting access to external consultants.
upvoted 0 times
...
Arlette
1 year ago
Using SSH key pairs with option C is definitely a safer approach.
upvoted 0 times
...
Felicidad
1 year ago
I agree, giving direct access through the public IP does seem risky.
upvoted 0 times
...
...
Alpha
1 year ago
I agree with Pearline. Option C is the best choice here. The consultant doesn't need a Google account, and the SSH key pair is a simple solution.
upvoted 0 times
Eugene
1 year ago
Definitely. It's a straightforward solution for granting access to the Linux-based instance.
upvoted 0 times
...
My
1 year ago
Agreed. It's the most efficient way to grant access to the consultant.
upvoted 0 times
...
Lauran
1 year ago
I think so too. It's the most secure option as well.
upvoted 0 times
...
Olive
1 year ago
Option C is definitely the way to go. It's simple and doesn't require a Google account.
upvoted 0 times
...
...
Venita
1 year ago
That's a good point, Jaleesa. Convenience is important too. It really depends on the specific needs of the consultant.
upvoted 0 times
...
Jaleesa
1 year ago
I disagree, I believe option A is more convenient. Using Identity-Aware Proxy with gcloud compute ssh is easier for the consultant.
upvoted 0 times
...
Pearline
1 year ago
Option C is the way to go. The consultant can generate an SSH key pair, and you can add the public key to the instance. Secure and straightforward.
upvoted 0 times
Kimberlie
1 year ago
Exactly, it's a simple and secure solution for the consultant to access the instance.
upvoted 0 times
...
Nancey
1 year ago
Then you can add the public key to the instance yourself.
upvoted 0 times
...
Jeanice
1 year ago
I agree, having the consultant generate an SSH key pair is the way to go.
upvoted 0 times
...
Theron
1 year ago
Option C is the best choice. It's secure and easy.
upvoted 0 times
...
...
Venita
1 year ago
I think option C is the best choice. It's secure and allows the consultant to access the instance with their private key.
upvoted 0 times
...

Save Cancel