GCP open firewall only to cloud shell

Is there a way in GCP to explicitly allow a firewall rule only from Cloud Shell? All the GCP demos and videos add the rule allowing port 22 from 0.0.0.0/0 to SSH to the instance from Cloud Shell.

However, is there a way we could restrict the access to Cloud Shell only, either using Cloud Shell's IP range or a service account?

Coleencolella answered 14/7, 2019 at 1:59 Comment(6)
Does your instance have a public IP address or only a private IP address? (Manzanares)
Let's say both... Also, I thought Cloud Shell can be used only with a public IP address? (Coleencolella)
I am asking about the VM that you want to connect to from Cloud Shell. You have no control over the addressing (public/private) of Cloud Shell. If your VM has only a private IP address, I know how to configure a secure solution. (Manzanares)
Sure, care to share your secure solution, please? (Coleencolella)
My answer supports VM instances with public IP or just private IP addresses. I just had to find the netblock for IAP to post the answer for both. cloud.google.com/iap/docs/using-tcp-forwarding (Manzanares)
Thank you, @JohnHanley. Appreciate your answer. (Coleencolella)

Google does not publish the public IP address range for Cloud Shell.

VPC firewall rules allow specifying the service account of the source and target. However, Cloud Shell does not use a service account. Cloud Shell uses the identity of the person logged into the Google Cloud Console. This means OAuth 2 User Credentials. User Credentials are not supported for VPC Firewall rules.

My recommendation is to use TCP forwarding and tunnel SSH through IAP (Identity Aware Proxy). Google makes this easy in the Cloud SDK CLI.

Open a Cloud Shell in the Google Cloud Console. Then run this command:

gcloud compute ssh NAME_OF_VM_INSTANCE --tunnel-through-iap

This also works for VM instances that do not have public IP addresses.

The Identity Aware Proxy CIDR netblock is 35.235.240.0/20. Create a VPC Firewall rule that allows SSH traffic from this block. This rule will prevent public SSH traffic and only allow authorized traffic through Identity Aware Proxy.

Manzanares answered 14/7, 2019 at 4:53 Comment(4)
Good answer, but the update isn't correct. IAP TCP forwarding only uses the 35.235.240.0/20 IP range. If you see 74.125.189.128/25 it must be from something else. One possibility is that you're using SSH from the Browser's regular servers, which have no guaranteed IP range. When you use SSH from the Browser to a VM with a public IP, it uses the regular servers. When you use SSH from the Browser to a VM without a public IP, it uses IAP TCP forwarding (and thus the 35.235.240.0/20 IP range). (Glassy)
@KeganThorrez - Thank you. I cannot confirm my update so I deleted that part. (Manzanares)
Cloud Shell has other features now, like Cloud Shell Editor. Can Cloud Shell and Cloud Shell Editor make IAP connections? (Wenda)
@Wenda - I do not know the answer for Cloud Shell Editor. I believe Editor only supports local files within the Cloud Shell VM. I recommend that you create a new question on Editor. (Manzanares)
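An added example, not from this thread or from Google's tooling: a small audit that reads firewall rules in the shape of `gcloud compute firewall-rules list --format=json` output and separates SSH rules open beyond the IAP netblock named above from those restricted to it. The rule list below is constructed sample data, and the `audit_ssh_rules` / `allows_ssh` names are this example's own.

```python
import ipaddress
import json

# IAP TCP-forwarding source range, as stated in the answer above.
IAP_NETBLOCK = ipaddress.ip_network("35.235.240.0/20")
SSH_PORT = 22

# Constructed sample (not real project data) in the shape of
# `gcloud compute firewall-rules list --format=json`, trimmed to the fields used here.
SAMPLE_RULES = json.loads("""
[
  {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-ssh-from-iap", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-web", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]}
]
""")

def _port_match(ports, port):
    """Port specs are single ports ("22") or ranges ("20-25"); no list means every port."""
    if not ports:
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def allows_ssh(rule):
    """True if this enabled ingress rule permits tcp/22 from at least one source range."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    return any(a["IPProtocol"] in ("tcp", "all") and _port_match(a.get("ports"), SSH_PORT)
               for a in rule.get("allowed", []))

def audit_ssh_rules(rules):
    """Name SSH rules open beyond the IAP netblock ('public_ssh') and those inside it ('iap_ssh')."""
    public, iap_only = [], []
    for rule in filter(allows_ssh, rules):
        ranges = [ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])]
        # A rule with no sourceRanges does not restrict by source, so it is treated as open.
        inside = [r.version == IAP_NETBLOCK.version and r.subnet_of(IAP_NETBLOCK) for r in ranges]
        (iap_only if ranges and all(inside) else public).append(rule["name"])
    return {"public_ssh": public, "iap_ssh": iap_only}

if __name__ == "__main__":
    print(json.dumps(audit_ssh_rules(SAMPLE_RULES), indent=2))
```

Any name listed under `public_ssh` is a rule like the demo 0.0.0.0/0 one that still exposes port 22 to the internet even after the IAP rule exists.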

Google has published the detailed info in this article: Configuring secure remote access for Compute Engine VMs

From the admin console, click Security then select Identity-Aware Proxy.

If you haven’t used Cloud IAP before, you’ll need to configure the OAuth screen:

Configure the consent screen to only allow internal users in your domain, and click Save.

Next, you need to define users who are allowed to use Cloud IAP to connect remotely. Add a user to the “IAP-secured Tunnel User” role on the resource you’d like to connect to.

Then, connect to the machine via the SSH button in the web UI or gcloud.

When using the web UI, notice the URL parameter useAdminProxy=true.

Tip: If you don’t have gcloud installed locally, you can also use Cloud Shell:

gcloud beta compute ssh {VM-NAME} --tunnel-through-iap

You should now be connected! You can verify that you don’t have internet connectivity by attempting to ping out. 8.8.8.8 (Google’s Honest DNS) is a good address to try this with.

Coleencolella answered 17/7, 2019 at 4:6 Comment(1)
This is a good answer to how to control SSH access. However, your answer does not answer the question "access only to Cloud Shell". Using IAP you can control the Identity that is allowed access, but not the location of that Identity (which is the IAP design objective). I recommend creating a new question that you answer, as IAP is an excellent example of Identity Based Access Control. (Manzanares)