In the previous lab, I created a private VM with no external IP and accessed it through IAP. That lab worked for private access, but it also exposed an important issue. The VM could be private, but without outbound internet access, the startup script could fail when trying to install packages. In my case, Nginx installation failed because the VM had no external IP and no Cloud NAT.

That taught me an important distinction:

```
IAP = controlled inbound administrative access
Cloud NAT = outbound internet access for private resources
```

So in this lab, I wanted to build a more complete serving pattern. Instead of using a single VM, I moved to:

```
instance template -> Managed Instance Group -> health check -> backend service -> HTTP load balancer
```

I also added Cloud NAT so the private backend instances can install Nginx during startup without needing external IP addresses.…