Access VMs without external IPs


Use a bastion host

  • A temporary VM with a public IP
  • Connect to it, then connect to the private IPs of instances from there

Con: Still have a VM with a public IP

Use Cloud VPN/Interconnect

  • Connect from on-prem network to the Google Cloud network via private IP address

Con: Developers are restricted in where they can work from (i.e., they must be connected to the network/VPN)

Use Identity-Aware Proxy (IAP) for TCP forwarding to forward an SSH/RDP connection to a remote instance without the need for a VPN connection

Conclusion: the preferred approach for inbound SSH is to use IAP, which
is a built-in service, rather than configuring a one-off bastion host.
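
A way to check that a project actually follows the IAP-only model described above. This is an added example, not part of the original notes. It flags VMs that still hold an external IP and any SSH/RDP ingress rule whose source is not the IAP forwarding range. Assumptions: the IAP TCP forwarding source range is 35.235.240.0/20, the input has the shape of `gcloud compute instances list --format=json` and `gcloud compute firewall-rules list --format=json`, and all names and sample records are constructed.

```python
import ipaddress

# Assumption (not on the page): IAP TCP forwarding connects from this range.
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")
ADMIN_PORTS = {22, 3389}  # SSH and RDP

def _covers_admin_port(allowed):
    """True if one 'allowed' entry of a firewall rule permits TCP 22 or 3389."""
    if allowed.get("IPProtocol") not in ("tcp", "6", "all"):
        return False
    for spec in allowed.get("ports") or ["0-65535"]:  # no list = every port
        lo, _, hi = spec.partition("-")
        if any(int(lo) <= p <= int(hi or lo) for p in ADMIN_PORTS):
            return True
    return False

def audit(instances, firewall_rules):
    """Return findings that break the 'no external IP, SSH/RDP via IAP' model."""
    findings = []
    for inst in instances:
        for nic in inst.get("networkInterfaces", []):
            for cfg in nic.get("accessConfigs", []):
                if cfg.get("natIP"):
                    findings.append(f"{inst['name']}: external IP {cfg['natIP']}")
    for rule in firewall_rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not any(_covers_admin_port(a) for a in rule.get("allowed", [])):
            continue
        for src in rule.get("sourceRanges", []):
            net = ipaddress.ip_network(src, strict=False)
            if net.version != 4 or not net.subnet_of(IAP_RANGE):
                findings.append(f"{rule['name']}: SSH/RDP reachable from {src}")
    return findings

# Constructed sample data: one private VM, one leftover bastion, two rules.
INSTANCES = [
    {"name": "app-1", "networkInterfaces": [{"networkIP": "10.0.0.5"}]},
    {"name": "bastion", "networkInterfaces": [
        {"networkIP": "10.0.0.9", "accessConfigs": [{"natIP": "203.0.113.10"}]}]},
]
RULES = [
    {"name": "allow-iap-ssh", "direction": "INGRESS",
     "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-ssh-any", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
]

if __name__ == "__main__":
    print("\n".join(audit(INSTANCES, RULES)))
```

Any source outside the IAP range is reported, including internal ranges, so review those findings rather than treating each one as an exposure.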