How to connect with ssh to Google Cloud Platform VM instances without external IP addresses
Google recently announced that it will start charging a fee for external IP addresses attached to VM instances. Beyond cost, unless you need to expose an instance directly to the internet, it is better security practice not to attach an external IP to it at all: an instance with only an internal IP is not reachable from the internet, so there is nothing for port scanners and brute-force bots to hit. From both a security and a cost perspective, then, you may not want external IPs on your GCP nodes. But how do you ssh to instances that have none?
Luckily GCP provides a service to tunnel to your internal instances: Identity-Aware Proxy (IAP) TCP forwarding. IAP authenticates the user with their Google identity and checks IAM before forwarding the TCP connection to the instance's internal IP, so you don't have to deploy and maintain additional ssh jump hosts. First enable the IAP API in your project:
[bash]
gcloud services enable iap.googleapis.com
[/bash]
You will also need to configure your project's OAuth consent screen: https://cloud.google.com/iap/docs/using-tcp-forwarding#oauth-configure
Configure firewall rules
Tag the instances you want to ssh into with a common network tag, say "ssh-nodes", so that the firewall rule applies only to them. Then allow TCP port 22 from 35.235.240.0/20, Google's published source range for IAP TCP forwarding, to instances carrying that tag. Do not open port 22 to 0.0.0.0/0; the whole point is that only the IAP proxies can reach sshd:
[bash]
gcloud compute firewall-rules create iap-tunnel-rule \
  --allow=tcp:22 --source-ranges=35.235.240.0/20 \
  --target-tags=ssh-nodes --network=YOUR_VPC_NETWORK
[/bash]
Next, grant the users who need ssh access the IAP-secured Tunnel User role (roles/iap.tunnelResourceAccessor). Without it IAP refuses to open the tunnel even if the firewall rule is in place. The user still needs the permissions gcloud compute ssh normally relies on, such as managing instance SSH keys or OS Login:
[bash]
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:USER_EMAIL \
  --role=roles/iap.tunnelResourceAccessor
[/bash]
SSH to the instance with the "--tunnel-through-iap" flag
[bash]
$ gcloud compute ssh linux --zone=us-east1-c --tunnel-through-iap
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 5.0.0-1028-gcp x86_64)
...
  System load:  0.0               Processes:           99
  Usage of /:   32.4% of 9.52GB   Users logged in:     0
  Memory usage: 65%               IP address for ens4: 10.10.0.9
  Swap usage:   0%
...
$ w
 16:24:07 up 19 min,  1 user,  load average: 0.00, 0.01, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
alice    pts/0    184.108.40.206   16:23    4.00s  0.04s  0.00s w
[/bash]
Note the FROM column in the output of w: the connecting source address is not your workstation's public IP but an address from the IAP proxy range allowed in the firewall rule (35.235.240.0/20), because it is Google's IAP proxies that open the TCP connection to port 22 on the instance's internal IP after authenticating you. That makes the FROM column a quick sanity check: a session whose source lies outside 35.235.240.0/20 did not come through the tunnel, which would mean port 22 is reachable some other way and the firewall rule needs another look.
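The whole procedure, enabling the API, creating the firewall rule, granting the role and connecting, as one script, together with the FROM-column check just described. This is an added example and not code from the original post. The project, network, zone, instance name and member are hypothetical placeholders taken from environment variables; the IAP source range is the one Google publishes for IAP TCP forwarding. DRY_RUN=1 (the default) only prints the gcloud commands, and the helper names (run_gcloud, in_iap_range, check_from_column) are this example's own:

```shell
#!/bin/sh
# Added example, not from the original post. POSIX sh so it runs under dash or bash.
# Assumed placeholders (not in the original): PROJECT_ID, NETWORK, ZONE, INSTANCE,
# TARGET_TAG, MEMBER. Override them in the environment for a real project.
set -eu

IAP_RANGE="35.235.240.0/20"            # Google's published range for IAP TCP forwarding
PROJECT_ID="${PROJECT_ID:-my-project}"  # hypothetical
NETWORK="${NETWORK:-default}"           # hypothetical
TARGET_TAG="${TARGET_TAG:-ssh-nodes}"
MEMBER="${MEMBER:-user:alice@example.com}"  # hypothetical
ZONE="${ZONE:-us-east1-c}"
INSTANCE="${INSTANCE:-linux}"
DRY_RUN="${DRY_RUN:-1}"                 # 1 = print gcloud commands instead of running them

# run_gcloud: run a gcloud command, or just print it when DRY_RUN=1.
run_gcloud() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'gcloud %s\n' "$*"
  else
    gcloud "$@"
  fi
}

# ip_to_int: convert a dotted-quad IPv4 address to its 32-bit integer value.
ip_to_int() {
  ip_rest=$1
  oct_a=${ip_rest%%.*}; ip_rest=${ip_rest#*.}
  oct_b=${ip_rest%%.*}; ip_rest=${ip_rest#*.}
  oct_c=${ip_rest%%.*}; oct_d=${ip_rest#*.}
  printf '%d\n' $(( (oct_a << 24) | (oct_b << 16) | (oct_c << 8) | oct_d ))
}

# in_iap_range IP: exit 0 if IP lies inside IAP_RANGE, 1 otherwise.
in_iap_range() {
  cand=$(ip_to_int "$1")
  net=$(ip_to_int "${IAP_RANGE%/*}")
  bits=${IAP_RANGE#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( cand & mask )) -eq $(( net & mask )) ]
}

# setup_iap_ssh: the post's steps in order. Port 22 is opened only from the IAP
# range and only on instances carrying TARGET_TAG; nothing is opened to 0.0.0.0/0.
setup_iap_ssh() {
  run_gcloud services enable iap.googleapis.com --project="$PROJECT_ID"
  run_gcloud compute firewall-rules create iap-tunnel-rule \
    --project="$PROJECT_ID" --network="$NETWORK" \
    --direction=INGRESS --allow=tcp:22 \
    --source-ranges="$IAP_RANGE" --target-tags="$TARGET_TAG"
  run_gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$MEMBER" --role=roles/iap.tunnelResourceAccessor
}

# ssh_via_iap: connect through the tunnel; the instance needs no external IP.
ssh_via_iap() {
  run_gcloud compute ssh "$INSTANCE" --project="$PROJECT_ID" --zone="$ZONE" \
    --tunnel-through-iap "$@"
}

# check_from_column ADDR: ADDR is the FROM field from `w` on the instance. A session
# that really came through IAP shows a source inside IAP_RANGE; anything else means
# port 22 was reached some other way.
check_from_column() {
  if in_iap_range "$1"; then
    printf 'ok: %s is inside %s (IAP proxy)\n' "$1" "$IAP_RANGE"
    return 0
  fi
  printf 'warning: %s is outside %s, session did not come via IAP\n' "$1" "$IAP_RANGE" >&2
  return 1
}

# Constructed sample FROM values, as a `w` line on the instance might show them.
setup_iap_ssh
ssh_via_iap
check_from_column 35.235.241.7          # constructed: an address in the IAP range
check_from_column 203.0.113.5 || true   # constructed: a direct (non-IAP) source
```

Run it once with DRY_RUN=1 to review the exact gcloud commands, then with DRY_RUN=0 and real values. The range test is done with integer arithmetic rather than a string prefix so that it also works for ranges that do not fall on an octet boundary.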