Gads

GCP – ssh to instances without external IP

How to connect with ssh to Google Cloud Platform VM instances without external IP addresses


Google recently announced that it will start charging fee for external IP addresses attached to VM instances. In addition to that, unless you have a need to expose your instances to the outside directly, it might be best security practice to not attach external IPs to your VMs. Thus from both security and cost perspective, you might not want to attach external IPs to your GCP nodes. But how do you ssh to instances without external IPs?

Luckily GCP provides a service to tunnel to your internal instances with Identity Aware Proxy ( IAP). This means you don’t have to deploy additional ssh jump hosts.

Enable IAP

[bash]
gcloud services enable iap.googleapis.com
[/bash]

You will need to configure your project’s OAuth consent screen as well – https://cloud.google.com/iap/docs/using-tcp-forwarding#oauth-configure

Configure firewall rules

You might want to tag instances which you want to ssh into with a common tag – say “ssh-node”.

[bash]
gcloud compute firewall-rules create iap-tunnel-rule \
--allow=tcp:22 --source-ranges=35.235.240.0/20 \
--target-tags=ssh-nodes  --network=YOUR_VCP_NETWORK
[/bash]

Grant permissions

[bash]
gcloud projects add-iam-policy-binding PROJECT_ID \
   --member=user:[email protected] \
   --role=roles/iap.tunnelResourceAccessor
[/bash]

Connect

SSH to the instance with “–tunnel-through-iap” flag

[bash]
$ gcloud compute ssh linux --zone=us-east1-c --tunnel-through-iap
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 5.0.0-1028-gcp x86_64)
...
  System load:  0.0               Processes:           99
  Usage of /:   32.4% of 9.52GB   Users logged in:     0
  Memory usage: 65%               IP address for ens4: 10.10.0.9
  Swap usage:   0%
...

$ w
 16:24:07 up 19 min,  1 user,  load average: 0.00, 0.01, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
alice   pts/0    35.235.241.226   16:23    4.00s  0.04s  0.00s w

[/bash]

Note above, the source connecting IP shows as 35.235.241.226, that is with in the CIDR range of the IAP proxy we allowed in the firewall rule.


References

https://cloud.google.com/iap/docs/using-tcp-forwarding

https://blog.doit-intl.com/gcp-announces-no-more-free-external-ips-estimate-your-future-costs-11bd3a8193cc

Leave a Reply

Your email address will not be published. Required fields are marked *