I want to create an in-house system with GCE. I want to make HTTP and SSH connections only for people in the company, but not others. What should I do with a firewall?
By default, a Google Cloud project you create in Google Cloud Platform comes with the default firewall rules:
default-allow-icmp – allow from any source to all network IPs. ICMP is mostly used to ping the target.
default-allow-internal – allow connectivity between instances on any port.
default-allow-rdp – allow RDP sessions to connect to Windows servers from any source.
default-allow-ssh – enable SSH sessions to connect to UNIX servers from any source.
You can create firewall rules in combination with network tags so the VM instances with this associated tag will be the target of your firewall rule. Moreover, you can combine multiple ports in a single rule.
Below is an example that allows HTTP and SSH connections via the gcloud command in Cloud Shell (alternatively, you can use the GCP graphical interface):
gcloud compute firewall-rules create allow-ssh-and-http --network default --allow tcp:22,80 --direction ingress --priority 1000 --target-tags ssh-and-http --source-ranges [CIDR_RANGE]
Afterwards, you have to add the network tag to the specific GCE instance.
gcloud compute instances add-tags [INSTANCE-NAME] --zone [ZONE] --tags ssh-and-http
If you wish to have a more granular access control, you have to set the proper permissions for each user or service account via IAM & Admin.
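The rule-plus-tag pattern from this answer, as an added example that is not part of the original post: a small POSIX shell wrapper that validates the source ranges before calling gcloud and refuses to create a rule whose source is 0.0.0.0/0, so the "only people in the company" requirement cannot be silently undone by a typo. The rule name, tag, instance name, zone and the two company CIDR blocks are placeholders chosen here; gcloud is assumed to be installed and authenticated. Commands are echoed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: create a tag-scoped ingress rule that admits only the
# company's address ranges. All names and ranges below are placeholders.
# DRY_RUN=1 (default) echoes the gcloud commands instead of running them.

: "${DRY_RUN:=1}"

run() {
  # Echo the command when DRY_RUN=1, execute it otherwise.
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Return 0 if $1 is a syntactically valid IPv4 CIDR (a.b.c.d/n, octets 0..255, n 0..32).
valid_cidr() {
  cidr=$1
  case "$cidr" in
    */*) ;;
    *) return 1 ;;
  esac
  ip=${cidr%/*}
  len=${cidr#*/}
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  oldifs=$IFS; IFS=.
  set -- $ip
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Return 0 only if every comma-separated range in $1 is a valid CIDR and
# none of them is the wide-open 0.0.0.0/0.
check_source_ranges() {
  ranges=$1
  [ -n "$ranges" ] || return 1
  oldifs=$IFS; IFS=,
  set -- $ranges
  IFS=$oldifs
  for r in "$@"; do
    valid_cidr "$r" || { echo "invalid CIDR: $r" >&2; return 1; }
    [ "$r" != "0.0.0.0/0" ] || { echo "refusing to open the port to the whole internet" >&2; return 1; }
  done
  return 0
}

# Create the rule and tag the instance.
# Arguments: rule-name tag ports source-ranges instance zone
create_restricted_rule() {
  rule=$1 tag=$2 ports=$3 ranges=$4 instance=$5 zone=$6
  check_source_ranges "$ranges" || return 1
  run gcloud compute firewall-rules create "$rule" \
      --network default --direction ingress --priority 1000 \
      --allow "$ports" --target-tags "$tag" --source-ranges "$ranges" || return 1
  run gcloud compute instances add-tags "$instance" --zone "$zone" --tags "$tag"
}

# Example invocation; the two ranges stand for the office and VPN egress
# blocks and are constructed for this example.
create_restricted_rule allow-ssh-and-http ssh-and-http tcp:22,80 \
    "203.0.113.0/24,198.51.100.16/28" my-instance us-central1-a
```

Run it once with the default dry run to review the two gcloud commands it would issue, then with `DRY_RUN=0` to apply them. Because the check runs before anything is created, a rejected range leaves the project untouched.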
I am trying to connect to a google cloud VM instance having no external IP address via cloud shell and cloud SDK.
The Google documentation says that we can connect to it using IAP.
Connecting through IAP: refer using IAP
a) Grant the roles/iap.tunnelResourceAccessor role to the user that wants to connect to the VM.
b) Connect to the VM using the command below:
gcloud compute ssh instance-name --zone zone
OR
Using IAP for TCP forwarding: refer using TCP forwarding
We can also connect by setting an ingress firewall rule for the IP range '35.235.240.0/20' with port TCP:22
and selecting the IAM role Cloud IAP > IAP-Secured Tunnel User.
What's the difference between these two approaches, and what's the difference between these two separate IAM roles?
roles/iap.tunnelResourceAccessor
IAP-secured Tunnel User
I am new to cloud so please bear with my basic knowledge.
It's exactly the same thing. Look at this page
IAP-Secured Tunnel User (roles/iap.tunnelResourceAccessor)
You have the display name of the role, IAP-Secured Tunnel User, that you see in the GUI, and you have the technical name of the role, roles/iap.tunnelResourceAccessor, that you have to use in scripts and the CLI.
The link mentioned in the question ("refer using IAP") actually points to Connecting to instances that do not have external IP addresses > Connecting through a bastion host.
Connection through a bastion host is another method apart from access via IAP.
As described in the document Connecting to instances that do not have external IP addresses > Connecting through IAP,
IAP's TCP forwarding feature wraps an SSH connection inside HTTPS.
IAP's TCP forwarding feature then sends it to the remote instance.
Therefore both parts of the question (before OR and after OR) belong to the same access method: Connect using Identity-Aware Proxy for TCP forwarding. Hence the answer to the first question is "no difference" because all of that describes how the IAP TCP forwarding works and those are the steps to set it up and use:
1. Create a firewall rule that:
applies to all VM instances that you want to be accessible by using IAP;
allows ingress traffic from the IP range 35.235.240.0/20 (this range contains all IP addresses that IAP uses for TCP forwarding);
allows connections to all ports that you want to be accessible by using IAP TCP forwarding, for example, port 22 for SSH.
2. Grant permissions to use IAP:
Use GCP Console or gcloud to add a role IAP-Secured Tunnel User (roles/iap.tunnelResourceAccessor) to users.
Note: Users with Owner access to a project always have permission to use IAP for TCP forwarding.
3. Connect to the target VM with one of the following tools:
GCP Console: use the SSH button in the Cloud Console;
gcloud compute ssh INSTANCE_NAME
There's an important explanation of how IAP TCP forwarding is invoked for accessing a VM instance without Public IP. See Identity-Aware Proxy > Doc > Using IAP for TCP forwarding:
NOTE. If the instance doesn't have a Public IP address, the connection automatically uses IAP TCP tunneling. If the instance does have a public IP address, the connection uses the public IP address instead of IAP TCP tunneling.
You can use the --tunnel-through-iap flag so that gcloud compute ssh always uses IAP TCP tunneling.
As already noted by guillaume blaquiere, roles/iap.tunnelResourceAccessor and IAP-secured Tunnel User are not different IAM roles, but the Role Name and the Role Title of the same role. There is one more resource that represents this in a convenient form:
Cloud IAM > Doc > Understanding roles > Predefined roles > Cloud IAP roles
Is there a way in GCP to explicitly allow a firewall rule only from Cloud Shell? All the GCP demos and videos add the rule allow 22 to 0.0.0.0/0 to SSH to the instance from Cloud Shell.
However, is there a way we could restrict the access only from Cloud Shell - either using Cloud Shell's IP range or a service account?
Google does not publish the public IP address range for Cloud Shell.
VPC firewall rules allow specifying the service account of the source and target. However, Cloud Shell does not use a service account. Cloud Shell uses the identity of the person logged into the Google Cloud Console. This means OAuth 2 User Credentials. User Credentials are not supported for VPC Firewall rules.
My recommendation is to use TCP forwarding and tunnel SSH through IAP (Identity Aware Proxy). Google makes this easy in the Cloud SDK CLI.
Open a Cloud Shell in the Google Cloud Console. Then run this command:
gcloud compute ssh NAME_OF_VM_INSTANCE --tunnel-through-iap
This also works for VM instances that do not have public IP addresses.
The Identity Aware Proxy CIDR netblock is 35.235.240.0/20. Create a VPC Firewall rule that allows SSH traffic from this block. This rule will prevent public SSH traffic and only allow authorized traffic through Identity Aware Proxy.
Google has published the detailed info in this article - Configuring secure remote access for Compute Engine VMs
From the admin console, click Security then select Identity-Aware Proxy.
If you haven't used Cloud IAP before, you'll need to configure the OAuth screen:
Configure the consent screen to only allow internal users in your domain, and click Save.
Next, you need to define users who are allowed to use Cloud IAP to connect remotely. Add a user to the “IAP-secured Tunnel User” role on the resource you’d like to connect to.
Then, connect to the machine via the ssh button in the web UI or gcloud.
When using the web UI, notice the URL parameter useAdminProxy=true.
Tip: If you don’t have gcloud installed locally, you can also use Cloud Shell:
gcloud beta compute ssh {VM-NAME} --tunnel-through-iap
You should now be connected! You can verify that you don’t have internet connectivity by attempting to ping out. 8.8.8.8 (Google’s Honest DNS) is a good address to try this with.
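The IAP TCP-forwarding setup described in the three answers above (the firewall rule for 35.235.240.0/20, the roles/iap.tunnelResourceAccessor grant, and gcloud compute ssh --tunnel-through-iap), as an added example that is not part of any of the original posts. It wraps the three steps in POSIX shell functions and adds a check that a rule's source ranges consist solely of the IAP range, which is what makes the "no public SSH" claim hold. The project id, user e-mail, rule name, network tag, instance and zone are placeholders; gcloud is assumed to be installed and authenticated; the `describe --format="value(sourceRanges)"` output is assumed to join multiple ranges with ';'. Commands are echoed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: SSH over IAP TCP forwarding, set up and verified with gcloud.
# All names in the invocations are placeholders. DRY_RUN=1 (default) echoes
# the gcloud commands instead of running them.

: "${DRY_RUN:=1}"
IAP_RANGE=35.235.240.0/20                   # IAP TCP-forwarding source range
IAP_ROLE=roles/iap.tunnelResourceAccessor   # technical name of "IAP-secured Tunnel User"

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Step 1: ingress rule letting only IAP's range reach tcp:22 on tagged instances.
# Arguments: rule-name network tag
iap_firewall_rule() {
  run gcloud compute firewall-rules create "$1" --network "$2" --direction ingress \
      --allow tcp:22 --source-ranges "$IAP_RANGE" --target-tags "$3"
}

# Step 2: grant the tunnel role to one user at project level.
# Arguments: project user-email
grant_tunnel_user() {
  run gcloud projects add-iam-policy-binding "$1" --member "user:$2" --role "$IAP_ROLE"
}

# Step 3: connect, forcing the tunnel even when the VM has a public IP.
# Arguments: instance zone
iap_ssh() {
  run gcloud compute ssh "$1" --zone "$2" --tunnel-through-iap
}

# Return 0 only if $1 (a ';'- or ','-separated list of source ranges) is
# non-empty and every entry is exactly the IAP range.
iap_only_sources() {
  [ -n "$1" ] || return 1
  oldifs=$IFS; IFS=';,'
  set -- $1
  IFS=$oldifs
  [ $# -gt 0 ] || return 1
  for s in "$@"; do
    [ "$s" = "$IAP_RANGE" ] || return 1
  done
  return 0
}

# Check a live rule. Assumes value(sourceRanges) joins entries with ';'.
# Argument: rule-name
verify_rule_sources() {
  iap_only_sources "$(gcloud compute firewall-rules describe "$1" --format='value(sourceRanges)')"
}

# Example run with placeholder values.
iap_firewall_rule allow-iap-ssh default iap-ssh
grant_tunnel_user my-project alice@example.com
iap_ssh my-instance us-central1-a
```

Users who already hold Owner on the project do not need the extra binding, as the second answer notes; the grant is for everyone else. Running `verify_rule_sources allow-iap-ssh` after the rule exists confirms that nothing wider than the IAP range was added to it later.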
We are unable to connect to the VM via SSH on Google Cloud Platform.
Here we are trying with the help of the 'SSH' button available in the browser.
But the following message is received:
We are unable to connect to the VM on port 22.
We have tried to Stop and Start the VM, but it did not help.
You need to create a firewall rule that enables SSH access on port 22 for your VMs. It is better to make the 'Target' as a network tag instead of enabling SSH access for all of the machines on your VPC network.
You can use the CLI to perform this operation - using the default VPC
gcloud compute firewall-rules create <rule-name> --allow tcp:22 --network "default" --source-ranges "<source-range>"
Topics tested
Create a new VPC to host secure production Windows services.
Create a Windows host connected to a subnet in the new VPC with an internal only network interface.
Create a Windows bastion host (jump box) with an externally accessible network interface.
Configure firewall rules to enable management of the secure Windows host from the Internet using the bastion host as a jump box.
Setup
This is a Qwiklabs problem.
Create a VPC network with one (custom) subnet.
Create a FW rule with a 'RDPtag' and protocol (TCP:3389) in the subnet created
Create a Windows VM-(vm-bastionhost) with 2 network interfaces
a. with custom subnet created. Select External IP to be Ephemeral.
b. with Default network. Select External IP to be none.
Add the network tag -'RDPtag'
Create a Windows VM (vm-securehost) with 2 network interfaces
a. with custom subnet created. Select External IP to be none.
b. with Default network. Select External IP to be none.
Add the network tag -'RDPtag'
Reset the credentials for both VMs. Use:
gcloud compute reset-windows-password vm-bastionhost --user app_admin --zone us-central1-a
gcloud compute reset-windows-password vm-securehost --user app_admin --zone us-central1-a
RDP into vm-bastionhost using the new credentials.
From the vm-bastionhost machine, mstsc to the vm-securehost using new credentials.
Install IIS in vm-securehost.
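The lab topology above built with gcloud, as an added example that is not part of the lab text: a custom-mode VPC with one subnet, an RDP rule scoped to the RDPtag tag, a two-NIC bastion whose first interface has an ephemeral external IP, a two-NIC secure host with no external IPs, and the password resets. The VPC and subnet names, the 10.10.0.0/24 range, the region and zone, the Windows image family and the admin source range are placeholders chosen here; the lab itself does not say what source range its RDP rule used, so this version takes it as an argument and passes a constructed office range. Commands are echoed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example: two-NIC Windows bastion and secure host behind a tag-scoped
# RDP rule. Names, ranges and the image family are placeholders.
# DRY_RUN=1 (default) echoes the gcloud commands instead of running them.

: "${DRY_RUN:=1}"
REGION=us-central1
ZONE=us-central1-a
VPC=secure-vpc
SUBNET=secure-subnet
SUBNET_RANGE=10.10.0.0/24
TAG=RDPtag

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Custom-mode VPC with a single subnet.
create_network() {
  run gcloud compute networks create "$VPC" --subnet-mode custom
  run gcloud compute networks subnets create "$SUBNET" --network "$VPC" \
      --region "$REGION" --range "$SUBNET_RANGE"
}

# RDP (tcp:3389) allowed only to instances tagged RDPtag in the new VPC.
# $1 is the admin source range; keep it to the office/VPN egress block.
create_rdp_rule() {
  run gcloud compute firewall-rules create allow-rdp-bastion --network "$VPC" \
      --direction ingress --allow tcp:3389 --target-tags "$TAG" --source-ranges "$1"
}

# Two-NIC Windows host: NIC0 on the custom subnet, NIC1 on the default network
# without an external address. $1 is the name; $2 is "ephemeral" to give NIC0
# an external IP (bastion) or "none" to leave it internal (secure host).
create_windows_host() {
  if [ "$2" = ephemeral ]; then nic0="subnet=$SUBNET"; else nic0="subnet=$SUBNET,no-address"; fi
  run gcloud compute instances create "$1" --zone "$ZONE" \
      --image-family windows-2019 --image-project windows-cloud \
      --network-interface "$nic0" \
      --network-interface "network=default,no-address" \
      --tags "$TAG"
}

# Generate a password for app_admin on both hosts (same commands as the lab).
reset_passwords() {
  run gcloud compute reset-windows-password vm-bastionhost --user app_admin --zone "$ZONE"
  run gcloud compute reset-windows-password vm-securehost --user app_admin --zone "$ZONE"
}

# Whole lab in order. $1 is the admin source range for the RDP rule.
build_lab() {
  create_network
  create_rdp_rule "$1"
  create_windows_host vm-bastionhost ephemeral
  create_windows_host vm-securehost none
  reset_passwords
}

build_lab 203.0.113.0/24   # constructed office range
```

Only vm-bastionhost ends up reachable from outside, and only on tcp:3389 from the given range; the hop from the bastion to vm-securehost rides on the second interfaces, where the default network's automatic internal-allow rule already permits it.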
Today, I tried to make a blog with Google Cloud Platform.
So, I made a Compute Engine instance and installed Apache2 on Ubuntu 16.
And then, I clicked the external IP address, but it showed me "connection denied..".
Why does this happen?
I allowed HTTPS & HTTP traffic as well.
And I can't find a menu like AWS's Security Groups...
So, this problem irritates me...
(I'm not a native English speaker, so the documentation is hard to read.. please give me a tip on this matter)
TL;DR - You need to open up ports using firewall rules to allow ingress traffic into your VMs.
Google Compute Engine (GCE) blocks all traffic to your VMs by default for the purpose of keeping your infrastructure secure. You can open up ports as needed and manage the security yourself. The automatically created default network has a few exceptions that allow traffic from other VMs in the network, but it still does not allow traffic from outside the network.
Firewalls
Each VPC network has its own firewall controlling access to the instances.

All traffic to instances, even from other instances, is blocked by the firewall unless firewall rules are created to allow it. The exception is the default VPC network that is created automatically with each project. This network has certain automatically created default firewall rules.

For all VPC networks except the automatically created default VPC network, you must create any firewall rules you need. To allow incoming network connections on a manually created VPC network, you need to set up firewall rules to permit these connections. Each firewall rule represents a single rule that determines what connections are permitted to enter or leave instances. It is possible to have many rules and to be as general or specific with these rules as you need. For example, you can create a firewall rule that allows all traffic through port 80 to all instances, or you can create a rule that only allows traffic from one specific IP or IP range to one specific instance.

Firewall rules are connection tracking, and therefore only regulate the initial connection. Once a connection has been established with an instance, traffic is permitted in both directions over that connection.
Since you mention the apache2 package on Ubuntu, the instructions I share here will guide you on how to open up port 80 on your VM and make it accessible through the VM's public IP. You can do the same for any additional ports as needed.
Using gcloud to allow ingress traffic for tcp:80 into your VM
# Create a new firewall rule that allows INGRESS tcp:80 with VMs containing tag 'allow-tcp-80'
gcloud compute firewall-rules create rule-allow-tcp-80 --source-ranges 0.0.0.0/0 --target-tags allow-tcp-80 --allow tcp:80
# Add the 'allow-tcp-80' tag to a VM named VM_NAME
gcloud compute instances add-tags VM_NAME --tags allow-tcp-80
# If you want to list all the GCE firewall rules
gcloud compute firewall-rules list
Using Cloud Console to allow ingress traffic for tcp:80 into your VM
Menu -> Networking -> Firewall Rules
Create Firewall Rule
Choose the following settings for the firewall rule:
Name for the rule - rule-allow-tcp-80 or any other name you prefer for this firewall rule.
Direction is ingress
Action on match is Allow
Targets is Specified target tags
Target tags is allow-tcp-80
Source IP ranges is 0.0.0.0/0 (or if you have a set of IP ranges you know will be the only ones accessing this, use them instead for stronger restriction)
Protocols and ports is tcp:80
Select Create button to create this firewall rule.
Once you've created the above firewall rule you will need to add the tag allow-tcp-80 to all the instances where this rule needs to be applied. In your case:
Open up the GCE VM Instances page
Select the instance where Jenkins is running
In the VM instance details page, select the Edit link on the very top.
In the Network Tags box, enter allow-tcp-80 to apply the tag to this instance.
Select Save to save the changes.
Now give it a few seconds to a few minutes for the changes to take effect and you will be able to access the jenkins web URL.
You can also go through the documentation for Firewall rules to get a better understanding of how they work and how to configure them.
WARNING: By using a source range of 0.0.0.0/0, you're opening up the port on the VM to the entire internet. This lets clients anywhere in the world to connect to the application running on this port. Be fully aware of the security implications of doing this.
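A detection counterpart to that warning, as an added example that is not part of the original answer: a POSIX shell filter that reads firewall rules and reports every ingress rule that admits 0.0.0.0/0 to a management or web port, so rules like the one created above can be found again later and tightened. The input format is an assumption: tab-separated lines as produced by `gcloud compute firewall-rules list --format="value(name,direction,sourceRanges.list(),allowed[].map().firewall_rule().list())"`. The five rules in `sample_rules` are constructed for this example, not real project output.

```shell
#!/bin/sh
# Added example: find ingress rules that expose chosen ports to the whole
# internet. Input lines are assumed to be
#   name <TAB> direction <TAB> source-ranges(,) <TAB> allow-list(,)
# as emitted by the gcloud --format given in the lead-in.

# Constructed sample in that format (not real output). The last rule shows
# that a wide port range on an internal source is not flagged.
sample_rules() {
  printf '%s\t%s\t%s\t%s\n' \
    default-allow-ssh  INGRESS 0.0.0.0/0        tcp:22 \
    allow-http-office  INGRESS 203.0.113.0/24   tcp:80 \
    rule-allow-tcp-80  INGRESS 0.0.0.0/0        tcp:80 \
    allow-iap-ssh      INGRESS 35.235.240.0/20  tcp:22 \
    allow-all-internal INGRESS 10.128.0.0/9     "tcp:0-65535,udp:0-65535,icmp"
}

# Read rules on stdin; print "name<TAB>allow-entry" for each INGRESS rule whose
# sources include 0.0.0.0/0 and whose allow list covers one of the ports in $1
# (comma-separated, default 22,3389,80). Bare protocols ("all", "tcp", "udp")
# and port ranges ("tcp:0-65535") are treated as covering every port.
find_world_open() {
  ports=${1:-22,3389,80}
  awk -F'\t' -v ports="$ports" '
    BEGIN { n = split(ports, want, ",") }
    $2 != "INGRESS" { next }
    index("," $3 ",", ",0.0.0.0/0,") == 0 { next }
    {
      m = split($4, allow, ",")
      for (i = 1; i <= m; i++) {
        a = allow[i]
        if (a == "all" || a == "tcp" || a == "udp") { print $1 "\t" a; next }
        split(a, pp, ":")                 # proto:port or proto:lo-hi
        if (pp[2] == "") continue         # icmp and similar carry no port
        split(pp[2], r, "-")
        lo = r[1] + 0
        hi = (r[2] == "" ? lo : r[2] + 0)
        for (j = 1; j <= n; j++)
          if (want[j] + 0 >= lo && want[j] + 0 <= hi) { print $1 "\t" a; next }
      }
    }'
}

# Run against the live project (requires gcloud; format as assumed above).
audit_live() {
  gcloud compute firewall-rules list \
    --format="value(name,direction,sourceRanges.list(),allowed[].map().firewall_rule().list())" \
    | find_world_open "$@"
}

# Demonstration on the constructed sample.
sample_rules | find_world_open
```

On the sample this reports default-allow-ssh and rule-allow-tcp-80 only: the office-restricted HTTP rule and the IAP-restricted SSH rule have narrow sources, and the internal rule never matches 0.0.0.0/0. Pass a different port list, e.g. `find_world_open 22` or `audit_live 3389`, to narrow the search.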