Google Cloud Managed Instance Groups on Assured Workloads
Title: Google Cloud Engineer β Windows Server MIG with Per-User VM Access (IAP + MFA) Description: We need help designing and implementing a secure, scalable Windows Server environment in Google Cloud Platform using Managed Instance Groups (MIGs). The goal: Each user gets their own Windows VM (1 user = 1 VM), accessed securely through Google Identity-Aware Proxy (IAP) with MFA. No Active Directory or Okta. Requirements: Build a golden Windows Server image with apps preinstalled (Adobe Reader, Office, browser). Configure a Managed Instance Group (MIG) to spin up VMs from this image. Implement a broker layer (Cloud Function/Run + Firestore or equivalent) that: Checks if a user already has a VM assigned. If not, provisions one, labels it with the userβs email, and grants them IAP access to that VM only. Ensure IAP is the only way to RDP into these VMs. On VM startup, a script should create a local Windows account matching the assigned user and generate a secure password (stored in Google Secret Manager). Optional: Implement cleanup logic to reclaim idle VMs. Provide documentation and handoff so we can manage and scale the system after delivery. Skills Needed: Google Cloud Platform (Compute Engine, MIGs, IAM, IAP, Cloud Functions/Run, Firestore, Secret Manager) Windows Server image building (sysprep, startup scripts, hardening) PowerShell scripting for automated account creation Security best practices (MFA, least privilege, CIS Level 1 baseline a plus) Deliverables: Working environment where each user automatically gets their own VM. IAP enforced with MFA for all access. Automated local account creation and credential management. Written runbook or video walkthrough for ongoing ops. β
Screening Questions You can paste these in the job posting to filter applicants: Have you built or managed a Managed Instance Group (MIG) in GCP before? How would you control per-instance IAM permissions so that only one user can access a VM through IAP? What approach would you use to automate Windows local account creation on boot? Do you have experience with Firestore or other lightweight state stores for tracking resources? What security baselines (CIS, Microsoft baselines) have you applied to Windows Server images? Can you provide an example of GCP automation youβve built (Terraform, scripts, Cloud Functions)? Apply tot his job