whitelisting IPs for GCP access - google-cloud-platform

Is there a way one can whitelist IPs that can access the GCP console? We have GCP set up, but at the moment one can log in to the console from any IP via their G Suite account. How can we limit that to only when on the VPN?

The Google Cloud Console is a public global resource. AFAIK there is no method to limit access to a user connected via VPN. Access is granted via Google Accounts OAuth Tokens and limiting access to a VPN is not part of the authentication process.

Related

Restrict access to GCP organisation and project resources by location

Is it possible with Workspace and GCP to restrict geographically where a user can access projects and resources from?
For example, all users in the Workspace should only be able to access GCP resources from Australia. User A decides to go on holiday to the USA but will do some remote work. Their access should be blocked to select Workspace and GCP resources unless overruled (i.e. access from the USA is enabled for User A).
This is something I've seen possible in Azure AD, does GCP/Workspace have a similar functionality?
Use Context-Aware Access to create granular access control policies for Google Workspace. Not all versions of Google Workspace enable this feature. This does not affect access to Google Cloud Platform.
If you are using Identity-Aware Proxy to control access to your resources in Google Cloud, then you can extend Identity-Aware Proxy with Context-Aware Access. However, this does not limit access to the Google Cloud GUI or other Google-owned resources, only the ones for which you configure IAP authorization.
Setting up context-aware access with Identity-Aware Proxy
Context-Aware Access can also be integrated with VPC Service Controls perimeter ingress rules to allow access based on network origin (IP and VPC).
Context-aware access with ingress rules
Summary:
Integrate Context-Aware Access with resources you create that support Identity-Aware Proxy.
Use VPC Service Controls to control access to Google Cloud resources that support VPCs (Cloud Storage, BigQuery, etc).
If your goal is to limit access to the Google Cloud Console GUI, I am not aware of one. Use Two-Step Verification to control user access from new locations.
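As an added example of the VPC Service Controls route the answer above describes (this is not code from the answer or from Google): a Terraform configuration that defines an Access Context Manager access level satisfied only by requests originating in Australia and from a corporate egress range, and a service perimeter around Cloud Storage and BigQuery whose ingress rule admits user requests only from that access level. The organization ID, project number, policy title, the 203.0.113.0/24 range and the resource names are placeholders.

```hcl
# Added example, not from the original answer. Placeholders: organization ID,
# project number, the 203.0.113.0/24 corporate NAT range, titles and names.

# Access Context Manager policies are organization-scoped.
resource "google_access_context_manager_access_policy" "org" {
  parent = "organizations/123456789012"
  title  = "org-policy"
}

# Access level: the request must originate from Australia AND from the
# corporate range. Conditions in one block are ANDed together.
resource "google_access_context_manager_access_level" "au_corp" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org.name}/accessLevels/au_corp"
  title  = "au_corp"

  basic {
    conditions {
      regions        = ["AU"]
      ip_subnetworks = ["203.0.113.0/24"]
    }
  }
}

# Perimeter around the project: Storage and BigQuery API calls that cross the
# perimeter boundary are denied unless an ingress rule admits them.
resource "google_access_context_manager_service_perimeter" "prod" {
  parent = "accessPolicies/${google_access_context_manager_access_policy.org.name}"
  name   = "accessPolicies/${google_access_context_manager_access_policy.org.name}/servicePerimeters/prod"
  title  = "prod"

  status {
    resources           = ["projects/987654321098"]
    restricted_services = ["storage.googleapis.com", "bigquery.googleapis.com"]

    # Any user account whose request satisfies au_corp may call the restricted
    # services on any resource in the perimeter; every other origin is denied.
    ingress_policies {
      ingress_from {
        identity_type = "ANY_USER_ACCOUNT"
        sources {
          access_level = google_access_context_manager_access_level.au_corp.name
        }
      }
      ingress_to {
        resources = ["*"]
        operations {
          service_name = "storage.googleapis.com"
          method_selectors { method = "*" }
        }
        operations {
          service_name = "bigquery.googleapis.com"
          method_selectors { method = "*" }
        }
      }
    }
  }
}
```

With this in place, User A's Storage and BigQuery calls from the USA fail the access level and are rejected at the perimeter, while the same calls from the office in Australia succeed. To overrule it for one user, add a second access level (or an `identities` list in another ingress rule) rather than loosening `au_corp` for everyone. As the answer says, this governs the listed APIs, not the Cloud Console login itself.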

What is the GCP equivalent of AWS Client VPN Endpoint

We are moving from AWS to GCP. I used Client VPN Endpoint in AWS to get into the VPC network in AWS. What is the alternative in GCP which I can quickly set up to get my laptop into the VPC network? If there is no exact alternative, what's the closest one, and please provide instructions to set it up.
AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client.
Currently there is no managed product available on GCP to allow VPN connections from multiple clients to directly access resources within a VPC, as Cloud VPN only supports site-to-site connectivity; however, there is an existing Feature Request for this.
As an alternative, a Compute Engine instance can be used instead with an OpenVPN server manually installed and configured following the OpenVPN documentation; however, this would be a self-managed solution.
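As an added example of the network plumbing the self-managed alternative needs (not code from the answer or from OpenVPN), here is a Terraform configuration for the Compute Engine side: a VPN instance with IP forwarding enabled, a firewall rule that exposes UDP/1194 only to an office egress range, a rule admitting forwarded traffic from the VPN client pool, and the return route without which replies to VPN clients leave through the internet gateway. Region, zone, the 198.51.100.0/24 office range, the 10.8.0.0/24 client pool and the subnet range are placeholders; installing and configuring OpenVPN on the instance is left to the OpenVPN documentation, as the answer says.

```hcl
# Added example, not from the original answer. Placeholders: region, zone,
# 198.51.100.0/24 (office egress), 10.8.0.0/24 (OpenVPN client pool).

resource "google_compute_network" "vpc" {
  name                    = "vpn-vpc"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "private" {
  name          = "private"
  region        = "australia-southeast1"
  network       = google_compute_network.vpc.id
  ip_cidr_range = "10.10.0.0/24"
}

# The self-managed VPN server. IP forwarding must be on, otherwise the VPC
# drops packets whose source is a VPN client address rather than the
# instance's own address.
resource "google_compute_instance" "openvpn" {
  name           = "openvpn"
  zone           = "australia-southeast1-a"
  machine_type   = "e2-small"
  can_ip_forward = true
  tags           = ["openvpn-server"]

  boot_disk {
    initialize_params { image = "debian-cloud/debian-12" }
  }

  network_interface {
    subnetwork = google_compute_subnetwork.private.id
    access_config {} # ephemeral public IP so laptops can reach the server
  }
  # OpenVPN itself is installed and configured on the box per its docs.
}

# Expose UDP/1194 only to the office egress range, not to 0.0.0.0/0.
resource "google_compute_firewall" "openvpn_in" {
  name          = "openvpn-in"
  network       = google_compute_network.vpc.name
  source_ranges = ["198.51.100.0/24"]
  target_tags   = ["openvpn-server"]
  allow {
    protocol = "udp"
    ports    = ["1194"]
  }
}

# Traffic forwarded from the VPN client pool must be allowed into the VPC.
# Tighten "all" to the ports clients actually need once that is known.
resource "google_compute_firewall" "from_vpn_clients" {
  name          = "from-vpn-clients"
  network       = google_compute_network.vpc.name
  source_ranges = ["10.8.0.0/24"]
  allow { protocol = "all" }
}

# Replies to 10.8.0.0/24 need a route back through the VPN instance;
# without it the VPC hands them to the default internet gateway.
resource "google_compute_route" "to_vpn_clients" {
  name                   = "to-vpn-clients"
  network                = google_compute_network.vpc.name
  dest_range             = "10.8.0.0/24"
  next_hop_instance      = google_compute_instance.openvpn.id
  next_hop_instance_zone = google_compute_instance.openvpn.zone
  priority               = 100
}
```

The two pieces most often missed are `can_ip_forward` and the return route; with either absent the tunnel comes up but nothing inside the VPC answers. Patching and certificate rotation on the instance remain your responsibility, which is what "self-managed" means here.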

Is GCP Pub/Sub supported by VPC Service Control?

Google APIs and services that are supported by VPC Service Controls, based on the "Supported products and limitations" page available here, include Pub/Sub, Cloud Monitoring and Cloud Logging.
However, related documentation available here about configuring Private Google Access for on-premises hosts has Pub/Sub, Monitoring and Logging listed under "Reached using Private Google Access but not secured by VPC Service Controls".
I am confused reading this. Can Pub/Sub access (as well as Monitoring and Logging) be secured by VPC Service Controls or not?
Edit
Uploaded image of the new VPC Service Controls creation screen that allows Pub/Sub to be selected as one of the services to be restricted.
After reviewing both documents, I can see that, as you commented, Pub/Sub is a supported VPC SC product. However, the combination of these 3 products (Private Google Access + VPC SC + Pub/Sub) will not work. Therefore you can secure these products (Pub/Sub, Monitoring and Logging) by using VPC Service Controls without using Private Google Access (the service that allows on-premises hosts to reach the Google APIs without using public IPs).

GCP open firewall only to cloud shell

Is there a way in GCP to explicitly allow a firewall rule only from Cloud Shell? All the GCP demos and videos add the rule "allow 22 from 0.0.0.0/0" to SSH to the instance from Cloud Shell.
However, is there a way we could restrict the access to Cloud Shell only, either using Cloud Shell's IP range or a service account?
Google does not publish the public IP address range for Cloud Shell.
VPC firewall rules allow specifying the service account of the source and target. However, Cloud Shell does not use a service account. Cloud Shell uses the identity of the person logged in to the Google Cloud Console. This means OAuth 2 user credentials. User credentials are not supported for VPC firewall rules.
My recommendation is to use TCP forwarding and tunnel SSH through IAP (Identity Aware Proxy). Google makes this easy in the Cloud SDK CLI.
Open a Cloud Shell in the Google Cloud Console. Then run this command:
gcloud compute ssh NAME_OF_VM_INSTANCE --tunnel-through-iap
This also works for VM instances that do not have public IP addresses.
The Identity-Aware Proxy CIDR netblock is 35.235.240.0/20. Create a VPC firewall rule that allows SSH traffic from this block. This rule will prevent public SSH traffic and only allow authorized traffic through Identity-Aware Proxy.
Google has published the detailed info in this article: Configuring secure remote access for Compute Engine VMs
From the admin console, click Security then select Identity-Aware Proxy.
If you haven't used Cloud IAP before, you'll need to configure the OAuth screen:
Configure the consent screen to only allow internal users in your domain, and click Save.
Next, you need to define users who are allowed to use Cloud IAP to connect remotely. Add a user to the “IAP-secured Tunnel User” role on the resource you’d like to connect to.
Then, connect to the machine via the ssh button in the web UI or gcloud.
When using the web UI, notice the URL parameter useAdminProxy=true.
Tip: If you don’t have gcloud installed locally, you can also use Cloud Shell:
gcloud beta compute ssh {VM-NAME} --tunnel-through-iap
You should now be connected! You can verify that you don’t have internet connectivity by attempting to ping out. 8.8.8.8 (Google’s Honest DNS) is a good address to try this with.
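As an added example tying together the two answers above (not code from either answer, from the linked article, or from Google): a Terraform configuration for the firewall and IAM side of SSH-through-IAP. It allows port 22 only from the 35.235.240.0/20 IAP range named in the first answer, adds an explicit deny so a pre-existing "default-allow-ssh" rule on the default network cannot reopen port 22 to the internet, grants one user the "IAP-secured Tunnel User" role from the second answer on a single VM, and creates that VM without a public IP. Project, zone, instance name and user are placeholders.

```hcl
# Added example, not from the original answers. Placeholders: project, zone,
# instance name and the user granted tunnel access.

# Only the IAP TCP-forwarding range may reach port 22 on tagged instances.
# Lower priority number wins, so this allow (900) beats the deny below (1000).
resource "google_compute_firewall" "allow_ssh_from_iap" {
  name      = "allow-ssh-from-iap"
  network   = "default"
  direction = "INGRESS"
  priority  = 900

  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["ssh-via-iap"]

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# The default network ships with "default-allow-ssh" open to 0.0.0.0/0 at
# priority 65534 (the pattern the question objects to). This deny at 1000
# overrides it for tagged instances, so public SSH stays blocked even if
# nobody deleted that rule.
resource "google_compute_firewall" "deny_public_ssh" {
  name      = "deny-public-ssh"
  network   = "default"
  direction = "INGRESS"
  priority  = 1000

  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["ssh-via-iap"]

  deny {
    protocol = "tcp"
    ports    = ["22"]
  }
}

# The VM: no access_config block means no external IP, so the only way in
# is the IAP tunnel. The tag makes the rules above apply to it.
resource "google_compute_instance" "bastion" {
  name         = "bastion-vm"
  project      = "my-project"
  zone         = "us-central1-a"
  machine_type = "e2-small"
  tags         = ["ssh-via-iap"]

  boot_disk {
    initialize_params { image = "debian-cloud/debian-12" }
  }

  network_interface {
    network = "default"
  }
}

# Who may open an IAP tunnel to this instance: the "IAP-secured Tunnel User"
# role, scoped to the one VM rather than granted project-wide.
resource "google_iap_tunnel_instance_iam_member" "alice_tunnel" {
  project  = google_compute_instance.bastion.project
  zone     = google_compute_instance.bastion.zone
  instance = google_compute_instance.bastion.name
  role     = "roles/iap.tunnelResourceAccessor"
  member   = "user:alice@example.com"
}
```

After `terraform apply`, alice connects from Cloud Shell or a laptop with `gcloud compute ssh bastion-vm --tunnel-through-iap`, exactly as the answers show; anyone without the tunnel role is refused by IAP before any packet reaches the VM, and a direct `ssh` to the instance has no public address to target. The deny rule is only needed because the default network pre-creates an allow; on a custom VPC with no such rule the implied deny-ingress already covers it.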

How AWS role works between two ports?

In a private subnet, we have an EC2 instance (client) talking to a server (another EC2 instance) listening on a port.
The client EC2 instance is assigned a role to get access to the server EC2 instance. Client and server are Go programs.
An AWS role is mainly used to perform AWS API calls between any two (AWS) services without specifying the credentials.
Does an AWS role also help in client-server communication, to authenticate the right client?
Not directly, no. You don't use IAM to control access between your client and your server. You use it to control access between your client and AWS services. IAM authenticates clients and authorizes them to perform specific actions against specific AWS resources.
One option that would allow your client to leverage IAM roles for authentication to your server's API would be to insert API Gateway between them. Another option is to use standard auth mechanisms such as bearer tokens, API request signing etc.
Note that, typically, you would use Security Groups to control which EC2 instances can actually talk to the server API on port N.
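As an added example of the two mechanisms the answer above separates (not code from the answer or from AWS): a Terraform configuration in which network reachability to the server's port is controlled by security groups that reference each other, while the client's IAM role is used only for AWS API calls, here `execute-api:Invoke` for the API Gateway option the answer mentions. The VPC ID, port 8443, the API Gateway ARN and the role name are placeholders; `aws_security_group_rule` resources are used rather than inline rules so the two groups can reference each other without a dependency cycle.

```hcl
# Added example, not from the original answer. Placeholders: VPC ID, port,
# the API Gateway ARN and the role name.

variable "vpc_id" { default = "vpc-0123456789abcdef0" }
variable "server_port" { default = 8443 }

# Two empty groups; rules are attached separately to avoid a cycle.
resource "aws_security_group" "client" {
  name   = "app-client"
  vpc_id = var.vpc_id
}

resource "aws_security_group" "server" {
  name   = "app-server"
  vpc_id = var.vpc_id
}

# The server accepts the app port only from instances that carry the client
# group. Membership of the group, not an IAM role, is what authorizes the
# connection at the network layer.
resource "aws_security_group_rule" "server_in_from_client" {
  type                     = "ingress"
  security_group_id        = aws_security_group.server.id
  from_port                = var.server_port
  to_port                  = var.server_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.client.id
}

# The client may open the app port only towards the server group. For an
# egress rule, source_security_group_id names the destination group.
resource "aws_security_group_rule" "client_out_to_server" {
  type                     = "egress"
  security_group_id        = aws_security_group.client.id
  from_port                = var.server_port
  to_port                  = var.server_port
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.server.id
}

# The client's role: assumed by EC2, used for AWS API calls only.
resource "aws_iam_role" "client" {
  name = "app-client-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { Service = "ec2.amazonaws.com" }
      Action    = "sts:AssumeRole"
    }]
  })
}

# If the server API is fronted by API Gateway with AWS_IAM authorization
# (the answer's first option), this is where the role finally matters:
# the client signs requests with its role credentials and API Gateway
# checks them against execute-api:Invoke.
data "aws_iam_policy_document" "invoke_api" {
  statement {
    actions   = ["execute-api:Invoke"]
    resources = ["arn:aws:execute-api:ap-southeast-2:123456789012:abcde12345/prod/POST/orders"]
  }
}

resource "aws_iam_role_policy" "client_invoke_api" {
  role   = aws_iam_role.client.id
  policy = data.aws_iam_policy_document.invoke_api.json
}
```

Without API Gateway in the path, the server process never sees the role: a plain Go listener on port 8443 only knows the peer's IP, so application-level identity still has to come from a bearer token, mTLS, or request signing that the server itself verifies, as the answer says.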