A company uses Shared VPC with multiple service projects. The network admin wants to restrict access to certain Compute Engine instances so that only specific service accounts can SSH into them. What is the best practice to achieve this?
IAP provides secure access and IAM conditions allow granular control by service account.
Why this answer
Option B is correct because Identity-Aware Proxy (IAP) TCP forwarding allows SSH access to Compute Engine instances without exposing them to the public internet. By combining IAP with IAM conditions, the network admin can restrict which service accounts are permitted to use IAP, thereby controlling SSH access at the identity level rather than relying on source IP addresses. This approach aligns with Google Cloud's best practice for zero-trust network security.
Exam trap
The trap here is that candidates may confuse IAP with traditional firewall rules or VPC Service Controls, mistakenly assuming that source IP filtering or perimeter-based controls can enforce identity-based access. IAP is the only option that directly ties service account identity to SSH access.
How to eliminate wrong answers
Option A is wrong because firewall rules filter traffic based on source IP addresses, not service accounts; service accounts are identities, not IP ranges, so this approach cannot restrict access by service account. Option C is wrong because Organization Policies set constraints on resource configurations (e.g., disabling serial port access); they do not control SSH access per service account. Option D is wrong because VPC Service Controls are designed to protect against data exfiltration by defining perimeters around managed services (e.g., BigQuery, Cloud Storage), not to manage SSH access to Compute Engine instances.