An organization needs to set up a new Google Cloud project in which SSH access to VMs is restricted to approved IP ranges only. Which Google Cloud service should be used?
Firewall rules can restrict inbound SSH to specific source IP ranges.
Why this answer
VPC Firewall Rules (Option C) are the correct choice because they allow you to restrict inbound SSH (TCP port 22) traffic to specific source IP ranges by defining ingress rules at the VPC network level. This directly enforces IP-based access control for SSH into VM instances without additional services or proxies.
Exam trap
The trap here is that candidates often confuse Cloud Armor (a WAF for HTTP/S) with network-layer firewall rules, or assume IAP TCP forwarding is for IP whitelisting when it actually uses identity-based access, not source IP restrictions.
How to eliminate wrong answers
Option A is wrong because Cloud Armor is a web application firewall (WAF) that protects HTTP/HTTPS traffic at Google's network edge, not SSH traffic at the VM level; it cannot filter SSH connections.
Option B is wrong because Cloud NAT provides outbound internet access for private VMs via source network address translation, but it does not control inbound SSH access or restrict source IPs.
Option D is wrong because Identity-Aware Proxy (IAP) TCP forwarding enables SSH access without public IPs by tunneling through IAP, but it does not restrict access to approved IP ranges; instead, it uses identity and context-based access, not source IP filtering.