Menu
Is there a way in GCP to explicitly allow firewall rule only from cloud shell. All the GCP demos and videos add the rule allow 22 to 0.0.0.0/0 to ssh to the instance from cloud shell.
However is there a way we could restrict the access only from cloud shell - either using cloud shell's IP range or service account ?
924
GCP firewall is software-defined rules; you don’t need to learn or log in to conventional firewall hardware devices. Google Cloud firewall rules are stateful. All the configuration is done either through GCP Console or commands. However, I’ll explain how to do using a console.
Google Cloud firewall rules are stateful. All the configuration is done either through GCP Console or commands. However, I’ll explain how to do using a console. Firewall rules are available under the VPC network in the networking section on the left side menu. When you click on create a firewall rule, it will ask you the connectivity details.
The reason Cloud Shell is free is that it allows GCP customers to deploy and manage resource using a secure and optimized Shell environment. Cloud Shell is available from the GCP management console, top navigation menu as shown below. To start it click on it and wait for it to start.
To launch Google Cloud Shell, log in to the GCP console, and click the Cloud Shell icon in the top toolbar. This opens a new frame and terminal console at the bottom of the browser window (see Figure 1). Figure 1. Launch Google Cloud Shell from the GCP console.
Google does not publish the public IP address range for Cloud Shell.
VPC firewall rules allow specifying the service account of the source and target. However, Cloud Shell does not use a service account. Cloud Shell uses the identity of the person logged into the Google Cloud Console. This means OAuth 2 User Credentials. User Credentials are not supported for VPC Firewall rules.
My recommendation is to use TCP forwarding and tunnel SSH through IAP (Identity Aware Proxy). Google makes this easy in the Cloud SDK CLI.
Open a Cloud Shell in the Google Cloud Console. Then run this command:
gcloud compute ssh NAME_OF_VM_INSTANCE --tunnel-through-iap
This also works for VM instances that do not have public IP addresses.
The Identity Aware Proxy CIDR netblock is 35.235.240.0/20. Create a VPC Firewall rule that allows SSH traffic from this block. This rule will prevent public SSH traffic and only allow authorized traffic thru Identity Aware Proxy.
141
Google has published the detailed info in this article - Configuring secure remote access for Compute Engine VMs
From the admin console, click Security then select Identity-Aware Proxy.
If you haven’t used Cloud IAP before, you’ll need to configure the oAuth screen:
Configure the consent screen to only allow internal users in your domain, and click Save.
Next, you need to define users who are allowed to use Cloud IAP to connect remotely. Add a user to the “IAP-secured Tunnel User” role on the resource you’d like to connect to.
Then, connect to the machine via the ssh button in the web UI or gcloud.
When using the web UI, notice the URL parameter useAdminProxy=true.
Tip: If you don’t have gcloud installed locally, you can also use Cloud Shell:
gcloud beta compute ssh {VM-NAME} --tunnel-through-iap
You should now be connected! You can verify that you don’t have internet connectivity by attempting to ping out. 8.8.8.8 (Google’s Honest DNS) is a good address to try this with.
40
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With