An organization needs to set up a new Google Cloud project with restricted access to only approved IP ranges for SSH into VMs. Which Google Cloud service should be used?
Why this answer
VPC Firewall Rules (Option C) are the correct choice because they allow you to restrict inbound SSH (TCP port 22) traffic to specific source IP ranges by defining ingress rules at the VPC network level. This directly enforces IP-based access control for SSH into VM instances without additional services or proxies.
How to eliminate wrong answers
Option A is wrong because Cloud Armor is a web application firewall (WAF) that protects HTTP/HTTPS traffic at the Google Cloud edge, not SSH traffic at the VM level; it cannot filter SSH connections.
Option B is wrong because Cloud NAT provides outbound internet access for private VMs via source network address translation; it does not control inbound SSH access or restrict source IPs.
Option D is wrong because Identity-Aware Proxy (IAP) TCP forwarding enables SSH access without public IPs by tunneling through IAP, but it does not restrict access to approved IP ranges; it relies on identity and context-based access rather than source IP filtering.