Is there any way to allow Google Memorystore to be accessible to the outside world and just whitelist connections by IP address?
I have some off-Google services that need access to the Redis instance, but it doesn't seem possible to hit Memorystore with an IP.
You can follow the solution proposed in this other thread. This way, you would be using that Compute Engine instance as a proxy and you would just need to configure some firewall rules to only allow specific IP addresses to access that VM.
To put it in a few steps:
Create your VM in the same VPC your Google Memorystore instance is using
Add firewall rules to deny all traffic (ingress and egress) and other higher priority rules allowing all traffic (again, ingress and egress) from your desired IP addresses targeting your VPC
Use port forwarding as explained in the mentioned thread
I am fairly new to GCP networking and I could use some guidance. I'm sure there is a simple explanation for what I'd like to accomplish. I believe it's just a simple firewall rule, but I'm not sure how to configure the rule.
I currently have 3 subnets in the same VPC network. I'd like subnet-a to be a "jump network" for admins doing work on compute instances in subnet-b and subnet-c over various ports, e.g. 22, 3389, 80, 443, etc. Admins will work on a jump VM (Windows) in subnet-a and access compute instances (both Windows/Linux) in subnet-b and subnet-c (using private IP addresses).
I'm sure there are simple firewall rules to allow connectivity between subnets inside the same VPC. Can someone help me? What are the firewall rules?
Thanks. Any and all input from the community is greatly appreciated.
I've tried several firewall rules from various Google searches, but I don't want to leave my network open to malicious threat actors by incorrectly configuring the firewall.
As answered by #JohnHanley in another post
VPC subnets within the same VPC can communicate with each other. The VPC Firewall rule default-allow-internal allows all TCP, UDP, and ICMP traffic between resources within the same VPC. The key is to use the internal (private) IP address.
When creating VPC networks, you have the option to automatically create default firewall rules such as default-allow-internal, which allows connectivity between instances on any port. As mentioned, you'll just have to use the internal IP address of the instance(s) that you are trying to connect to.
You may refer to this documentation as a helpful guide for creating simple Firewall rules for your use case.
What is the standard way to block an external IP from accessing my GCP cluster? Happy for the answer to include another Google service.
Because your cluster is deployed on Compute Engine instances, you can simply set a firewall rule to discard connections from a specific IP.
If you use an HTTP load balancer, you can add Cloud Armor policy to exclude some IPs.
In both cases, keep in mind that IP filtering isn't very efficient. A VPN or proxy can be easily and freely used on the internet to change the source IP of the requester.
Assuming I have a custom VPC with IP ranges 10.148.0.0/20
This custom VPC has firewall rules to allow-internal so the service inside those IP ranges can communicate to each other.
After the system grew, I needed to connect to an on-premises network using Classic Cloud VPN. I have already created the Cloud VPN (the on-premises side was configured by someone else) and the VPN tunnel is already established (with green checkmarks).
I can also ping an on-premises IP right now (let's say ping 10.xxx.xxx.xxx, where this is not a GCP internal/private IP but an on-premises private IP) from a Compute Engine instance created in the custom VPC network.
The problem is that all the Compute Engine instances spawned in the custom VPC network can't communicate with the internet now (e.g. doing sudo apt update) or even with Google Cloud Storage (using gsutil), but they can communicate using private IPs.
I also can't spawn a Dataproc cluster on that custom VPC (I guess because it can't connect to GCS, since Dataproc needs GCS for staging buckets).
Since I do not really know about networking stuff and relatively new to GCP, how to be able to connect to the internet on instances that I created inside custom VPC?
After checking my custom VPC and Cloud VPN more in depth, I realized there was a misconfiguration when I established the Cloud VPN: I had chosen route-based in the routing option and entered 0.0.0.0/0 in Remote network IP ranges. I guess this route sends all traffic to the VPN, as #John Hanley said.
Solved it by using the policy-based routing option and only adding specific IP ranges in Remote network IP ranges.
Thank you #John Hanley and #guillaume blaquiere for pointing this out.
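The fix above comes down to route selection: a VPN route for 0.0.0.0/0 competes with the VPC's default internet route, while a route for only the on-premises range captures only that traffic. The following is an added example, not code from the post or from Google Cloud; it models the generic longest-prefix-match rule only (the most specific matching destination wins, and equally specific matches are reported as competing rather than resolved). The 10.148.0.0/20 subnet comes from the question; the on-premises range 10.200.0.0/16 and the external address 203.0.113.10 are constructed placeholders.

```python
"""Longest-prefix route selection, as a stand-in for the VPC route table (added example).

No call reaches GCP; the route lists below are constructed to mirror the question:
the VPC subnet route, the default route to the internet gateway, and the VPN route
first as configured (0.0.0.0/0) and then as fixed (only the on-premises range).
"""
import ipaddress


def select_route(routes, dst_ip):
    """Return the next hop(s) for dst_ip.

    routes: list of (destination_cidr, next_hop) tuples.
    The most specific (longest prefix) matching destination wins. An empty list means
    no route; more than one entry means several routes tie on specificity and would
    compete for the traffic.
    """
    ip = ipaddress.ip_address(dst_ip)
    best_len, hops = -1, []
    for cidr, hop in routes:
        net = ipaddress.ip_network(cidr)
        if ip not in net:
            continue
        if net.prefixlen > best_len:
            best_len, hops = net.prefixlen, [hop]
        elif net.prefixlen == best_len:
            hops.append(hop)
    return hops


# Routes every VPC has for this setup: the subnet itself and the default internet route.
BASE_ROUTES = [
    ("10.148.0.0/20", "subnet"),                   # custom VPC subnet from the question
    ("0.0.0.0/0", "default-internet-gateway"),     # system-generated default route
]

# As first configured: route-based VPN with 0.0.0.0/0 as the remote range.
ROUTE_BASED_MISCONFIG = BASE_ROUTES + [("0.0.0.0/0", "vpn-tunnel")]

# After the fix: only the on-premises range (constructed placeholder) points at the tunnel.
POLICY_BASED_FIX = BASE_ROUTES + [("10.200.0.0/16", "vpn-tunnel")]


if __name__ == "__main__":
    for label, table in (("misconfigured", ROUTE_BASED_MISCONFIG), ("fixed", POLICY_BASED_FIX)):
        for dst in ("203.0.113.10", "10.200.1.1", "10.148.0.5"):
            print(f"{label:13} {dst:14} -> {select_route(table, dst)}")
```

With the misconfigured table, an external destination such as 203.0.113.10 matches two /0 routes, so internet-bound traffic is no longer guaranteed to leave through the internet gateway; with the fixed table only on-premises addresses go to the tunnel and the subnet route still wins for local traffic.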
Is there an alternative to AWS's security groups in the Google Cloud Platform?
Following is the situation which I have:
A Basic Node.js server running in Cloud Run as a docker image.
A Postgres SQL database at GCP.
A Redis instance at GCP.
What I want to do is make a 'security group' of sorts so that my PostgreSQL DB and Redis instance can only be accessed from my Node.js server and nowhere else. I don't want them to be publicly accessible via an IP.
What we do in AWS is, that only services part of a security group can access each other.
I'm not very sure but I guess in GCP I need to make use of Firewall rules (not sure at all).
If I'm correct could someone please guide me as to how to go about this? And if I'm wrong could someone suggest the correct method?
GCP has firewall rules for its VPC that work similarly to AWS Security Groups. More details can be found here. You can place your PostgreSQL database, Redis instance and Node.js server inside a GCP VPC.
Make the Node.js server available to the public via DNS.
Set the default-allow-internal rule, so that only the services present in the VPC can access each other (halting public access to the DB and Redis).
As an alternative approach, you may also keep all three servers public and only allow Node.js IP address to access DB and Redis servers, but the above solution is recommended.
Security groups inside AWS are instance-attached firewall-like components. So for example, you can have a SG on an instance level, similar to configuring IP-tables on regular Linux.
On the other hand, Google Firewall rules are more on a Network level. I guess, for the level of "granularity", I'd say that Security Groups can be replaced to instance-level granularity, so then your alternatives are to use one of the following:
firewalld
nftables
iptables
The thing is that in AWS you can also attach security groups to subnets. So SGs, when attached to subnets, are also kind of similar to Google firewalls; still, security groups provide a bit more granularity since you can have different security groups per subnet, while in GCP you need to have a firewall per network. At this level, protection should come from firewalls in subnets.
Thanks #amsh for the solution to the problem. But there were a few more things that were required to be done, so I guess it'll be better if I list them out here in case anyone needs them in the future:
Create a VPC network and add a subnet for a particular region (Eg: us-central1).
Create a VPC connector from the Serverless VPC Access section for the created VPC network in the same region.
In Cloud Run add the created VPC connector in the Connection section.
Create the PostgreSQL and Redis instance in the same region as that of the created VPC network.
In the Private IP section of these instances, select the created VPC network. This will create a Private IP for the respective instances in the region of the created VPC network.
Use this Private IP in the Node.js server to connect to the instance and it'll be good to go.
Common Problems you might face:
Error while creating the VPC Connector: Ensure the IP range of the VPC connector and the VPC network do not overlap.
Different regions: Ensure all instances are in the same region of the VPC network, else they won't connect via the Private IP.
Avoid changing the firewall rules: The firewall rules must not be changed unless you need them to perform differently than they normally do.
Instances in different regions: If the instances are spread across different regions, use VPC network peering to establish a connection between them.
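The "Common Problems" list above (connector range overlap, mismatched regions) can be checked before anything is created. The following is an added example, not code from the answer or from Google Cloud: a pre-flight check over a constructed plan. It encodes the two problems the answer names plus the requirement that a Serverless VPC Access connector be given a /28 that is not already used in the VPC. The subnet names, ranges and service names are constructed placeholders.

```python
"""Pre-flight consistency check for a Cloud Run -> VPC connector -> private-IP layout
(added example). Nothing here talks to GCP; it only validates a plan described as data.
"""
import ipaddress


def check_connector_plan(vpc_subnets, connector_range, connector_region, services):
    """Return a list of problems; an empty list means the plan is consistent.

    vpc_subnets:      {subnet_name: cidr} ranges already used in the VPC network
    connector_range:  CIDR the Serverless VPC Access connector will be given
    connector_region: region the connector is created in
    services:         {service_name: region} for Cloud Run, Cloud SQL and Memorystore
    """
    problems = []
    connector = ipaddress.ip_network(connector_range, strict=True)

    # Serverless VPC Access connectors are created on an unused /28.
    if connector.prefixlen != 28:
        problems.append(
            f"connector range {connector} is a /{connector.prefixlen}; it must be a /28"
        )

    # "Error while creating the VPC Connector": the /28 overlaps an existing subnet.
    for name, cidr in vpc_subnets.items():
        if connector.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"connector range {connector} overlaps subnet {name} ({cidr})")

    # "Different regions": every service reached over private IP shares the connector's region.
    for name, region in services.items():
        if region != connector_region:
            problems.append(f"{name} is in {region}, connector is in {connector_region}")

    return problems


# Constructed plans: one that follows the steps above and one with both listed mistakes.
GOOD_PLAN = dict(
    vpc_subnets={"subnet-central": "10.8.0.0/24"},
    connector_range="10.9.0.0/28",
    connector_region="us-central1",
    services={"cloud-run-api": "us-central1", "postgres": "us-central1", "redis": "us-central1"},
)

BAD_PLAN = dict(
    vpc_subnets={"subnet-central": "10.8.0.0/24"},
    connector_range="10.8.0.0/28",          # inside the subnet: connector creation fails
    connector_region="us-central1",
    services={"cloud-run-api": "us-central1", "postgres": "us-central1", "redis": "us-east1"},
)


if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_connector_plan(**plan) or "ok")
```

Run it against the plan before creating the connector; each returned string maps to one of the bullets in the list above, so an empty result means none of those three mistakes is present.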
I'm trying to limit ssh access to a google cloud vm instance by using the firewall in "VPC Network". I only want to be able to access the vm when I'm on my university's wifi. I've added the DNS server IP addresses (listed here: https://accc.uic.edu/service/uic-net) but once I add them to the firewall I lose access even when I'm on them.
snapshot of firewall impl
I've even tried using my specific machine IP address with no luck (even though I want the whole network to have access, not just my machine).
Adding the DNS server IP address to a Google VPC firewall rule will not enable access from your network. You need to know your network's public IP CIDR block and use that for the firewall.
From the document link that you provided, your network is using two netblocks: 131.193.0.0/16 and 128.248.0.0/16. Verify that the network you are connecting within uses one of these CIDR blocks. Go to any website that supports "What is my IP" such as https://www.whatismyip.com/
Then create a firewall rule specifying:
Direction of traffic: Ingress
Action on match: Allow
Source filter: IP ranges
Source IP ranges: 131.193.0.0/16, 128.248.0.0/16
Protocols and ports: Allow all
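Several threads on this page turn on the same mechanism: VPC firewall rules are evaluated from the lowest priority number upward, the first match decides, and ingress that matches nothing hits the implied deny. The following is an added example, not code from the answers or from Google Cloud, that models that evaluation for three of the rule sets discussed: the proxy VM with a deny-all rule below a higher-priority allow (first thread), the default-allow-internal rule for the jump network (second thread), and this thread's rule as first attempted with resolver addresses versus the corrected netblocks. The 131.193.0.0/16 and 128.248.0.0/16 ranges come from the answer above; 198.51.100.0/24, 192.0.2.53/32, 192.0.2.54/32, 131.193.42.7 and 203.0.113.9 are constructed placeholders, and 10.128.0.0/9 is the auto-mode subnet range that default-allow-internal covers in a default network.

```python
"""Model of VPC firewall rule evaluation for ingress traffic (added example).

Only the evaluation order is reproduced: rules are tried from the lowest priority
number up, the first rule whose source range and port match decides, and a packet
that matches no rule hits the implied deny-ingress rule at priority 65535.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    priority: int                    # 0 is evaluated first, 65535 last
    action: str                      # "allow" or "deny"
    source_ranges: list              # CIDR strings the rule applies to
    ports: set = field(default_factory=set)   # empty set = all ports ("Allow all")

    def matches(self, src_ip: str, port: int) -> bool:
        ip = ipaddress.ip_address(src_ip)
        in_range = any(ip in ipaddress.ip_network(r) for r in self.source_ranges)
        return in_range and (not self.ports or port in self.ports)


# Every VPC network carries this rule implicitly; it is what denies unmatched ingress.
IMPLIED_DENY = Rule("implied-deny-ingress", 65535, "deny", ["0.0.0.0/0"])


def evaluate(rules, src_ip, port):
    """Return (action, rule_name) for an ingress packet from src_ip to port."""
    for rule in sorted(list(rules) + [IMPLIED_DENY], key=lambda r: r.priority):
        if rule.matches(src_ip, port):
            return rule.action, rule.name
    raise AssertionError("unreachable: the implied deny matches every source")


# First thread: proxy VM reachable only from one office range, explicit deny-all below it.
PROXY_RULES = [
    Rule("allow-office-to-proxy", 1000, "allow", ["198.51.100.0/24"], {22, 6379}),
    Rule("deny-all-ingress", 65000, "deny", ["0.0.0.0/0"]),
]

# Second thread: the default rule that lets instances in the same VPC reach each other.
JUMP_RULES = [
    Rule("default-allow-internal", 65534, "allow", ["10.128.0.0/9"]),
]

# This thread, as first attempted: resolver addresses (constructed) as /32 sources.
UIC_WRONG = [
    Rule("allow-ssh-dns-ips", 1000, "allow", ["192.0.2.53/32", "192.0.2.54/32"], {22}),
]

# This thread, corrected: the campus netblocks from the answer as the source ranges.
UIC_FIXED = [
    Rule("allow-ssh-uic-netblocks", 1000, "allow", ["131.193.0.0/16", "128.248.0.0/16"], {22}),
]


if __name__ == "__main__":
    cases = [
        (PROXY_RULES, "198.51.100.7", 6379), (PROXY_RULES, "203.0.113.9", 6379),
        (JUMP_RULES, "10.128.0.5", 3389), (JUMP_RULES, "203.0.113.9", 3389),
        (UIC_WRONG, "131.193.42.7", 22), (UIC_FIXED, "131.193.42.7", 22),
    ]
    for rules, ip, port in cases:
        print(f"{ip:>14}:{port:<5} -> {evaluate(rules, ip, port)}")
```

The last two cases show the failure in the question: a laptop on the campus network has a source address inside 131.193.0.0/16, not one of the resolver addresses, so a rule listing only resolver /32s never matches and the implied deny closes the port. The proxy cases also show that the explicit deny-all rule needs a lower priority number than every allow rule it is meant to sit beneath.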