How do I set a stable ip in Google Cloud Platform? - google-cloud-platform

I set up a cloud instance with Google Cloud Engine; it works well: I can SSH into it and I can use a VNC client on any desktop to connect to it.
However, that causes a lot of trouble. I set the approved addresses as 0.0.0.0/0. This works, but it also leaves my account vulnerable. Even though hackers don't succeed in breaking through, their attempts make my VNC server reject new attempts, including mine.
How about changing the approved IP addresses to only my own? The problem with that is that I use an internet provider that constantly changes my IP; it can change multiple times in 5 minutes. As a result, I have to change the approved IP all the time.
I have set up a static IP for my laptop, but the IP that my VNC server sees is the IP set by my internet service provider.
Is there a way to ask GCE to only check the computer's ip?
Is there a way to set my external ip to a static one (without contacting my ISP)?
Is there anything I can do?
Thank you.

You can use IAP for TCP forwarding.
This way your VM doesn't need a public IP (so it's not exposed to the internet), and IAP for TCP forwarding supports both SSH and RDP.

Related

Static IP to access GCP Machine Learning APIs via gRPC stream over HTTP/2

We're living behind a corporate proxy/firewall, that can only consume static IP rules and not FQDNs.
For our project, we need to access Google Speech To Text API: https://speech.googleapis.com. If outside of corporate network, we use gRPC stream over HTTP/2 to do that.
The ideal scenario looks like:
Corporate network -> static IP in GCP -> forwarded gRPC stream to speech.googleapis.com
What we have tried is creating a global static external IP, but failed when configuring the Load Balancer, as it can only connect to VMs and not APIs.
Alternatively, we were thinking of using the output of nslookup speech.googleapis.com for the IP address ranges and updating it daily, though it seems pretty 'dirty'.
I'm aware we can configure a compute engine resource / VM and forward the traffic, but this really doesn't seem like an elegant solution either. Preferably, we can achieve that with existing GCP networking components.
Many thanks for any pointers!
Google does not publish a CIDR block for you to use. You will have daily grief trying to whitelist IP addresses. Most of Google's API services are fronted by the Global Frontend (GFE). This uses HTTP Host headers to route traffic and not IP addresses, which will cause routing to fail.
Trying to look up the IP addresses can be an issue. DNS does not have to return all IP addresses for name resolution in every call. This means that a DNS lookup might return one set of addresses now and a different set an hour from now. This is an edge example of the grief you will cause yourself with whitelisting IP addresses.
Solution: Talk to your firewall vendor.
Found a solution thanks to clever networking engineers from Google, posting here for future reference:
You can use a CNAME in your internal DNS to point *.googleapis.com to private.googleapis.com. This record in public DNS points to two public IP addresses (199.36.153.8/30) that are not reachable from the public internet but through a VPN tunnel or Cloud interconnect only.
So if setting up a VPN tunnel to a project in GCP is possible (and it should be quite easy, see https://cloud.google.com/vpn/docs/how-to/creating-static-vpns), then this should solve the problem.
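A check that goes with the CNAME approach above, written as an added example and not part of the original answer: once the internal DNS override is in place, every address that `*.googleapis.com` resolves to inside the corporate network should fall inside 199.36.153.8/30. The dig-style answer sections below are constructed samples; the parser only looks at `A` records, so the `CNAME` line is ignored.

```python
import ipaddress
import re

# Range that private.googleapis.com resolves to (taken from the answer above).
PRIVATE_GOOGLEAPIS_RANGE = ipaddress.ip_network("199.36.153.8/30")

# Constructed sample: what `dig speech.googleapis.com` might return once the
# internal CNAME to private.googleapis.com is in place.
SAMPLE_PRIVATE_ACCESS = """\
;; ANSWER SECTION:
speech.googleapis.com.    300 IN CNAME private.googleapis.com.
private.googleapis.com.   300 IN A     199.36.153.8
private.googleapis.com.   300 IN A     199.36.153.9
"""

# Constructed sample: the override is missing, so a public address comes back
# (203.0.113.5 is a TEST-NET-3 documentation address, not a real Google IP).
SAMPLE_PUBLIC_ANSWER = """\
;; ANSWER SECTION:
speech.googleapis.com.    300 IN A     203.0.113.5
"""

# One A record per line: <name> <ttl> IN A <ipv4>
A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$", re.M)


def a_records(dig_output):
    """Return the IPv4 addresses found in the A records of a dig answer section."""
    return [ipaddress.ip_address(ip) for _, ip in A_RECORD.findall(dig_output)]


def resolves_to_private_access(dig_output):
    """True only if at least one A record exists and all of them lie in 199.36.153.8/30.

    An empty answer is treated as a failure, so a broken resolver cannot pass the check.
    """
    addrs = a_records(dig_output)
    return bool(addrs) and all(addr in PRIVATE_GOOGLEAPIS_RANGE for addr in addrs)
```

Run it against the output of a real `dig` from a machine inside the corporate network; a `False` result means the resolver is still handing out public Google addresses, which is exactly the case the firewall cannot whitelist reliably.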

Google Cloud Compute Engine - Windows VM

I'm somewhat of a noobie to GCP VMs, so please excuse me if this question is a little too basic.
I've recently created 2 VMs - both Windows 2016. The first one, I created without any template, pretty basic. The second one I created using a template that my company had set up. I don't believe that I've done anything significantly different in the creation of the two other than one being from a template and one not. All of the details within the VM seem to match.
The issue I'm having is this:
With the first one (non-template), I was given an external IP, was able to RDP from both the GCP console and the RDP app on my local machine, and I had an internet connection upon connecting.
With the second one (template), I was not given an external IP (it says "none" on the GCP console), I'm unable to RDP through the GCP console (the RDP button is greyed out and doesn't allow me to select it), and I do not have an internet connection upon connecting through the RDP app.
I've tried stopping/starting the VM, but other than that I'm not entirely sure what to do. Does anyone know a possible way to fix this?
If you have created a VM without an external IP, in the Google Console the RDP (or SSH) button will be grayed out.
When you say you are using templates, are you referring to this?
Probably your instance template doesn't have external IP.
Review your firewall rules:
In your VM details, under Network interfaces you should check Network details (view details). Check whether the firewall rules for 3389 are there. Also make sure that the Target name you see in the firewall rule is present in the network tags in the VM instance details.
To get a remote connection to your VM (without setting up peering or VPN tunnels), you'll need to add an external IP address to your VM so that it can NAT your traffic to your instance.
It looks like the template you used does not have an external IP attached in its settings. You will need to click on the VM instance, then edit the settings, and then expand the 'Network Interfaces' section. Once there, you can choose an ephemeral external IP address assigned to your VM.
Bear in mind that all of the traffic is enforced by the project firewall rules, so check that RDP is enabled in your firewall settings. If you do not have firewall rules and are using the default network, then the RDP firewall rule will be created for you.

How can I set SSH firewall rule on Google VM so that only my office computers can access the VM over SSH?

In the last few days my Google VM has continuously been compromised; I have received a warning and faced suspension of the VM by Google saying "cryptocurrency mining activities was found on VM". I suspect someone has hacked my VM and is doing this activity. So, now I want to create a new VM with a secure SSH firewall such that only limited computers can access the VM.
I have tried setting the IP of my office routers in the firewall SSH allow rule, but after setting this rule SSH connections to the VM still get established from other IP addresses. I just want to specify two IPs in the firewall rule, but it expects IP ranges in CIDR format (which I am not clear on).
I have also found some suggestions that I should change the ssh port of the VM.
Can anybody please explain how I can restrict access to my Google VM to only a specific set of computers when these computers are connected to a router and the external IP is the same for all, i.e. that of the router?
Thanks
I understand you want to create a new VM with a secure SSH firewall and want to restrict and allow access from particular IP addresses of your office router.
To do that you can create firewall rules as explained here [1]. To manage the access for a specific instance, I recommend you use Network Tags for firewall rules [2].
Going back to your concern, that SSH connections to the VM still get established from other IP addresses even when you create the firewall rule for the specific IP address: the reason for that might be this:
Every project you create in GCP comes with the default firewall rules.
So there might be one default-allow-ssh rule which you need to block, I guess that might be causing the issue. Note that the default network includes some additional rules that override this one, allowing certain types of incoming traffic. See the attached link[3][4] for more details.
[3]https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules
[4]https://cloud.google.com/vpc/docs/firewalls#more_rules_default_vpc
You can also add a guest-level firewall rule using for example "iptables" to add another security level to your VM instance. However, the GCP project-level firewall rule takes care of inspecting network traffic before it goes to your VM instances. The operating system firewall blocks all internet traffic to any port 22.
In order to allow a specific address to be able to connect on your VM instance, you may add a CIDR of /32 on the "IP ranges" value of your "default-allow-ssh" GCP firewall rule. For example, 45.56.122.7/32 and 208.43.25.31/32.
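Two of the answers on this page turn on how VPC ingress rules combine: the IAP-for-TCP-forwarding answer to the first question (the VM only needs to accept SSH from the IAP proxy range, not from the internet) and the answer just above (a narrow office-only rule does nothing while `default-allow-ssh` still allows 0.0.0.0/0). The model below is an added example, not code from either answer or from Google: it applies the documented evaluation order (the matching rule with the lowest priority number wins, deny wins a tie, and an implied deny-all ingress rule applies when nothing matches) to a handful of constructed rules. The IAP source range 35.235.240.0/20 and the priority 65534 of the default network's rules are documented values; the /32 office addresses are the ones quoted above, and 203.0.113.77 is a TEST-NET-3 documentation address standing in for an arbitrary internet host.

```python
import ipaddress
from dataclasses import dataclass, field

# Documented source range the IAP TCP-forwarding proxies connect from.
IAP_TCP_FORWARDING_RANGE = "35.235.240.0/20"
# Constructed stand-in for "some host on the internet" (RFC 5737 TEST-NET-3).
INTERNET_HOST = "203.0.113.77"


@dataclass
class Rule:
    """A simplified VPC ingress firewall rule (TCP only, source ranges only)."""
    name: str
    action: str                 # "allow" or "deny"
    ports: set                  # TCP destination ports the rule covers
    sources: list               # source CIDR strings
    priority: int = 1000        # lower number = evaluated first
    target_tags: set = field(default_factory=set)  # empty = applies to every instance

    def matches(self, src_ip, port, vm_tags):
        if port not in self.ports:
            return False
        if self.target_tags and not (self.target_tags & set(vm_tags)):
            return False            # rule is scoped to tags the VM does not carry
        addr = ipaddress.ip_address(src_ip)
        return any(addr in ipaddress.ip_network(cidr) for cidr in self.sources)


def ingress_allowed(rules, src_ip, port, vm_tags=()):
    """Decide an inbound TCP connection the way VPC ingress rules are evaluated."""
    matching = [r for r in rules if r.matches(src_ip, port, vm_tags)]
    if not matching:
        return False                # implied deny-all ingress at priority 65535
    best = min(r.priority for r in matching)
    winners = [r for r in matching if r.priority == best]
    return all(r.action == "allow" for r in winners)   # a deny at the same priority wins


def open_to_internet(rules, port, vm_tags=()):
    """Defender's check: can an arbitrary internet host reach this port at all?"""
    return ingress_allowed(rules, INTERNET_HOST, port, vm_tags)


# The rule every default network starts with: SSH from anywhere, lowest priority.
DEFAULT_ALLOW_SSH = Rule("default-allow-ssh", "allow", {22}, ["0.0.0.0/0"], priority=65534)
# The office-only rule the question tried, scoped by a network tag.
OFFICE_SSH = Rule("office-ssh", "allow", {22},
                  ["45.56.122.7/32", "208.43.25.31/32"], target_tags={"ssh-office"})
# What the IAP answer amounts to: SSH only from the IAP proxy range.
IAP_SSH = Rule("iap-ssh", "allow", {22}, [IAP_TCP_FORWARDING_RANGE])


def scenarios():
    """Return {scenario: internet_can_ssh} for the situations discussed on this page."""
    return {
        "office rule added, default-allow-ssh kept": open_to_internet(
            [DEFAULT_ALLOW_SSH, OFFICE_SSH], 22, vm_tags={"ssh-office"}),
        "office rule only": open_to_internet([OFFICE_SSH], 22, vm_tags={"ssh-office"}),
        "iap rule only": open_to_internet([IAP_SSH], 22),
    }


if __name__ == "__main__":
    for name, exposed in scenarios().items():
        print(f"{name:45s} internet can reach tcp/22: {exposed}")
```

The tag check is why the earlier RDP answer tells you to compare the rule's target name with the VM's network tags: a correctly written office-only rule still does nothing for a VM that lacks the tag, and in that case only the implied deny is left.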

Google cloud virtual instance cannot ping my Mac (checked firewalls)

I have a virtual machine instance running on Google Cloud Compute Engine — a preemptible free-tier CPU running Ubuntu 17.04. The end goal is to connect it to a MongoDB running on my local machine, a 2015 Macbook Pro (OS 10.12.6). But first, I've been trying to ensure the VM can reach my Mac via ping.
Running ping <VM's external IP> from my Mac works.
pinging my Mac from another Mac on the same wifi network works.
Running ping <Mac's IP> from the VM via the browser terminal does not work.
I've disabled my Mac's firewall. I've also configured my VM's firewall rules to allow all inbound and outbound traffic, to no avail:
[Screenshots in the original post: ingress firewall rules, egress firewall rules]
How might I get this instance to ping my Mac successfully?
Does your Mac's IP address begin with 10., 192.168., or between 172.16. and 172.32.? These are private addresses only reachable within your Mac's local network, which is (part of) why GCE cannot reach your VM.
This is part of a very common configuration. An ISP only allocates one (or a small number) of IP addresses to your home or business. A router on the network performs NAT to share that IP address between computers on the local network, which instead use private IP addresses for themselves. As the router doesn't know what to do with the inbound MongoDB traffic, it blocks it.
There are two common ways around this that are usually found in your router settings:
"port forwarding" where you tell the traffic to forward all traffic on port 1234 to your Mac. This can get MongoDB working, but not ping.
If you have whole extra IP addresses, "DMZ" where your router directly forwards an entire extra IP to your instance. If you have only one IP address this is not an option as that IP is needed to be shared for other devices on the Wifi.
You likely also have a firewall on the router. If you use a DMZ or port-forwarding you must make sure that firewall allows traffic through too.
That said, I'm not sure that this is a sensible thing to do. Opening up your local network to the internet can create major security issues, plus it is likely unreliable and more expensive (free tier only provides 1GB egress/month; your db traffic could exceed this).
Actually running MongoDB on instances within GCE is almost certainly a better option in every regard for you.

Restrict the access to aws instance from specific IP

I want to set the security groups for the web server running in an AWS instance. My website should be accessible through http/https. But file modification access is to be set to a particular IP address. I am currently connected to a Wifi router, and as I know the IP that my PC is assigned changes every time.
Can someone please guide me on how to get a static IP address that I can allow access to my website. Thanks in advance.
You would need to see if your ISP can sell you a static IP; it's not always possible. I can't get one from my ISP when working from home, your ISP may be different for example.
However, if it is just you that needs a static IP address (i.e. you as the developer/admin as opposed to users in the public), it is only a few clicks of the mouse to update the security rule through the AWS console each time you need elevated access. I do this for several servers running on EC2 which I keep locked down, and when I need to RDP into them, I open up the security groups to just my (dynamic) IP, and remove the rule when I am done. This will work if you only occasionally need access. You could also automate this process using a little scripting and/or a lambda function.
Another option that I also do: I have a service that I need to access continually from a static IP. I use another EC2 instance (with a fixed IP) as the whitelisted IP for this, and then I connect to that service by first connecting via RDP to the EC2 instance, and the EC2 instance with the fixed IP then accesses the service using its static IP.
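The answer above suggests automating the "open the group to just my current /32, remove it when done" routine. The script below is an added example of that automation, not the answer author's own script: it tags the rule it creates with a fixed description, revokes every rule carrying that description, then authorises the caller's current address as a /32 on TCP/22. The boto3 calls used (`describe_security_groups`, `revoke_security_group_ingress`, `authorize_security_group_ingress`) are real EC2 client methods and boto3 is only imported when the script is run against AWS; `FakeEc2` is a constructed stand-in with the same three methods so the logic can be exercised offline. The security group id and all IP addresses are constructed placeholders.

```python
import sys

# Description stamped on the rule this script owns, so it never touches other rules.
RULE_TAG = "admin-dynamic-ip"


def ssh_permission(ip, description=RULE_TAG):
    """IpPermissions entry allowing TCP/22 from exactly one host (a /32)."""
    return {
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": f"{ip}/32", "Description": description}],
    }


def stale_permissions(group, description=RULE_TAG):
    """Pick out the CIDR entries tagged with `description` from a describe_security_groups() group."""
    stale = []
    for perm in group.get("IpPermissions", []):
        tagged = [r for r in perm.get("IpRanges", []) if r.get("Description") == description]
        if not tagged:
            continue
        entry = {k: perm[k] for k in ("IpProtocol", "FromPort", "ToPort") if k in perm}
        entry["IpRanges"] = [{"CidrIp": r["CidrIp"]} for r in tagged]
        stale.append(entry)
    return stale


def rotate_admin_ip(ec2, group_id, new_ip):
    """Revoke every rule tagged RULE_TAG, then authorise new_ip/32 for SSH.

    Returns the CIDRs that were revoked, so the caller can log what was closed.
    """
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    stale = stale_permissions(group)
    if stale:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=stale)
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=[ssh_permission(new_ip)])
    return [r["CidrIp"] for perm in stale for r in perm["IpRanges"]]


class FakeEc2:
    """Constructed offline stand-in for boto3's EC2 client (only the three methods used)."""

    def __init__(self):
        self.perms = [
            ssh_permission("198.51.100.9"),                        # yesterday's admin /32
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,  # public HTTPS, untagged
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ]
        self.revoked, self.authorized = [], []

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [{"GroupId": GroupIds[0], "IpPermissions": self.perms}]}

    def revoke_security_group_ingress(self, GroupId, IpPermissions):
        self.revoked.extend(IpPermissions)

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.authorized.extend(IpPermissions)


if __name__ == "__main__":
    if len(sys.argv) == 2:                      # usage: rotate.py sg-0123456789abcdef0
        import boto3
        from urllib.request import urlopen
        # checkip.amazonaws.com returns the caller's public address as plain text.
        my_ip = urlopen("https://checkip.amazonaws.com").read().decode().strip()
        print("closed:", rotate_admin_ip(boto3.client("ec2"), sys.argv[1], my_ip))
    else:
        fake = FakeEc2()
        print("closed:", rotate_admin_ip(fake, "sg-0123456789abcdef0", "203.0.113.5"))
```

Run from cron or a Lambda, this keeps the SSH rule at exactly one /32 at any time; the untagged HTTPS rule is never touched because only entries carrying `RULE_TAG` are selected for revocation.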
You first have to know if your external IP changes; if so, you have to ask your ISP to change your IP to a static one.
If it's the internal IP that changes but the external IP is the same, you will have no problem accessing AWS.