Gads

GCP – ssh to instances without external IP

0 cloud, GCP, Linux,

How to connect with ssh to Google Cloud Platform VM instances without external IP addresses

Google recently announced that it will start charging fee for external IP addresses attached to VM instances. In addition to that, unless you have a need to expose your instances to the outside directly, it might be best security practice to not attach external IPs to your VMs. Thus from both security and cost perspective, you might not want to attach external IPs to your GCP nodes. But how do you ssh to instances without external IPs?

Luckily GCP provides a service to tunnel to your internal instances with Identity Aware Proxy ( IAP). This means you don’t have to deploy additional ssh jump hosts.

Enable IAP

You will need to configure your project’s OAuth consent screen as well – https://cloud.google.com/iap/docs/using-tcp-forwarding#oauth-configure

Configure firewall rules

You might want to tag instances which you want to ssh into with a common tag – say “ssh-node”.

Grant permissions

Connect

SSH to the instance with “–tunnel-through-iap” flag

Note above, the source connecting IP shows as 35.235.241.226, that is with in the CIDR range of the IAP proxy we allowed in the firewall rule.

References

https://cloud.google.com/iap/docs/using-tcp-forwarding

https://blog.doit-intl.com/gcp-announces-no-more-free-external-ips-estimate-your-future-costs-11bd3a8193cc

Tags: , , ,

Related posts

  • GCP GKE – run kubectl through bastion host

    GCP GKE – run kubectl through bastion host

  • Terraform – show logging

    Terraform – show logging

About The Author

Leave a Reply

Your email address will not be published. Required fields are marked *