GCP open firewall only to cloud shell

Is there a way in GCP to explicitly allow a firewall rule only from Cloud Shell? All the GCP demos and videos add a rule allowing port 22 from 0.0.0.0/0 to SSH to the instance from Cloud Shell.

However, is there a way we could restrict the access to Cloud Shell only, either using Cloud Shell's IP range or a service account?

Naveen Vijay, asked Jul 14 '19 01:07


2 Answers

Google does not publish the public IP address range for Cloud Shell.

VPC firewall rules allow specifying the service account of the source and target. However, Cloud Shell does not use a service account. Cloud Shell uses the identity of the person logged into the Google Cloud Console. This means OAuth 2 User Credentials. User Credentials are not supported for VPC Firewall rules.

My recommendation is to use TCP forwarding and tunnel SSH through IAP (Identity Aware Proxy). Google makes this easy in the Cloud SDK CLI.

Open a Cloud Shell in the Google Cloud Console. Then run this command:

gcloud compute ssh NAME_OF_VM_INSTANCE --tunnel-through-iap

This also works for VM instances that do not have public IP addresses.

The Identity Aware Proxy CIDR netblock is 35.235.240.0/20. Create a VPC Firewall rule that allows SSH traffic from this block. This rule will prevent public SSH traffic and only allow authorized traffic through Identity Aware Proxy.

John Hanley, answered Sep 20 '22 13:09


Google has published the detailed information in this article: Configuring secure remote access for Compute Engine VMs


From the admin console, click Security then select Identity-Aware Proxy.


If you haven't used Cloud IAP before, you'll need to configure the OAuth screen:

Configure the consent screen to only allow internal users in your domain, and click Save.

Next, you need to define users who are allowed to use Cloud IAP to connect remotely. Add a user to the “IAP-secured Tunnel User” role on the resource you’d like to connect to.


Then, connect to the machine via the ssh button in the web UI or gcloud.


When using the web UI, notice the URL parameter useAdminProxy=true.


Tip: If you don’t have gcloud installed locally, you can also use Cloud Shell:

gcloud beta compute ssh {VM-NAME} --tunnel-through-iap

You should now be connected! You can verify that you don’t have internet connectivity by attempting to ping out. 8.8.8.8 (Google’s Honest DNS) is a good address to try this with.

Naveen Vijay, answered Sep 22 '22 13:09
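The procedure both answers describe, put together as one script. This is an added example and not code from either answer or from Google's article: it creates the firewall rule that allows tcp:22 only from the IAP netblock 35.235.240.0/20 (John Hanley's answer), grants the IAP-secured Tunnel User role (roles/iap.tunnelResourceAccessor) to one user (the second answer's role step), lists any rule that still opens ingress from 0.0.0.0/0 so it can be deleted, and connects with gcloud compute ssh --tunnel-through-iap. PROJECT, ZONE, NETWORK, INSTANCE, USER_EMAIL, the rule name allow-ssh-from-iap and the tag iap-ssh are placeholders of this example; set them to your own values. The in_iap_range check is pure shell so it can be run offline against the peer address that sshd logs after tunnelling, to confirm the session really arrived through the IAP forwarders.

```shell
# Added example, not code from the answers above. PROJECT, ZONE, NETWORK,
# INSTANCE, USER_EMAIL, the rule name and the tag are assumed placeholders.
set -eu

PROJECT="${PROJECT:-my-project}"          # assumed placeholder
ZONE="${ZONE:-us-central1-a}"             # assumed placeholder
NETWORK="${NETWORK:-default}"             # assumed placeholder
INSTANCE="${INSTANCE:-my-vm}"             # assumed placeholder
USER_EMAIL="${USER_EMAIL:-alice@example.com}"  # assumed placeholder
TAG="iap-ssh"                             # assumed network tag for the VM
IAP_NET="35.235.240.0"                    # IAP TCP-forwarding block cited in the answer
IAP_PREFIX=20

# IPv4 dotted quad -> integer, in pure shell so the checks run without gcloud.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when $1 lies inside 35.235.240.0/20. After connecting through IAP,
# run it on the client address sshd logged (e.g. from `who` or auth.log): a
# peer outside this block did not come through the IAP forwarders.
in_iap_range() {
  local ip net mask
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "$IAP_NET")
  mask=$(( 4294967295 - ((1 << (32 - IAP_PREFIX)) - 1) ))   # 0xFFFFF000 for /20
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# The rule that replaces "allow tcp:22 from 0.0.0.0/0": only the IAP block may
# reach port 22, and only on instances carrying the tag.
create_iap_ssh_rule() {
  gcloud compute firewall-rules create allow-ssh-from-iap \
    --project="$PROJECT" --network="$NETWORK" \
    --direction=INGRESS --action=ALLOW --rules=tcp:22 \
    --source-ranges="${IAP_NET}/${IAP_PREFIX}" \
    --target-tags="$TAG"
  gcloud compute instances add-tags "$INSTANCE" \
    --project="$PROJECT" --zone="$ZONE" --tags="$TAG"
}

# Who may open the tunnel: the "IAP-secured Tunnel User" role from the
# second answer, bound here at project level to a single user.
grant_tunnel_user() {
  gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="user:${USER_EMAIL}" \
    --role="roles/iap.tunnelResourceAccessor"
}

# Rules that still expose ingress to the whole Internet. Delete the ones that
# allow tcp:22; GCP's implied ingress deny then blocks public SSH.
audit_open_ingress_rules() {
  gcloud compute firewall-rules list --project="$PROJECT" \
    --filter="direction=INGRESS AND sourceRanges:0.0.0.0/0" \
    --format="table(name,network,sourceRanges.list():label=SRC,allowed[].map().firewall_rule().list():label=ALLOW)"
}

# Connect from Cloud Shell or a workstation; works without an external IP.
connect_through_iap() {
  gcloud compute ssh "$INSTANCE" --project="$PROJECT" --zone="$ZONE" \
    --tunnel-through-iap
}

# Only runs the gcloud calls when invoked as: sh lockdown.sh apply
if [ "${1:-}" = "apply" ]; then
  create_iap_ssh_rule
  grant_tunnel_user
  audit_open_ingress_rules
  connect_through_iap
fi
```

The functions that call gcloud are only executed when the script is run with `apply`, so the address check can be sourced and used on its own. The rule is scoped with a target tag rather than applied network-wide, so a VM that should not accept IAP SSH at all simply does not carry the tag.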