Google recently announced that it will start charging fee for external IP addresses attached to VM instances. In addition to that, unless you have a need to expose your instances to the outside directly, it might be best security practice to not attach external IPs to your VMs. Thus from both security and cost perspective, you might not want to attach external IPs to your GCP nodes. But how do you ssh to instances without external IPs?
Luckily GCP provides a service to tunnel to your internal instances with Identity Aware Proxy ( IAP). This means you don’t have to deploy additional ssh jump hosts.
[bash]
gcloud services enable iap.googleapis.com
[/bash]You will need to configure your project’s OAuth consent screen as well – https://cloud.google.com/iap/docs/using-tcp-forwarding#oauth-configure
You might want to tag instances which you want to ssh into with a common tag – say “ssh-node”.
[bash]
gcloud compute firewall-rules create iap-tunnel-rule \
--allow=tcp:22 --source-ranges=35.235.240.0/20 \
--target-tags=ssh-nodes --network=YOUR_VCP_NETWORK
[/bash][bash]
gcloud projects add-iam-policy-binding PROJECT_ID \
--member=user:YOUR_ACCOUNT@EMAIL.COM \
--role=roles/iap.tunnelResourceAccessor
[/bash]SSH to the instance with “–tunnel-through-iap” flag
[bash]
$ gcloud compute ssh linux --zone=us-east1-c --tunnel-through-iap
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 5.0.0-1028-gcp x86_64)
...
System load: 0.0 Processes: 99
Usage of /: 32.4% of 9.52GB Users logged in: 0
Memory usage: 65% IP address for ens4: 10.10.0.9
Swap usage: 0%
...
$ w
16:24:07 up 19 min, 1 user, load average: 0.00, 0.01, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
alice pts/0 35.235.241.226 16:23 4.00s 0.04s 0.00s w
[/bash]Note above, the source connecting IP shows as 35.235.241.226, that is with in the CIDR range of the IAP proxy we allowed in the firewall rule.
References
Linux System Admins Journey to Google Cloud Platform As a Linux system administrator, you have…
As a network professional, troubleshooting is a crucial part of your daily routine. To streamline…
The net-tools set of packages had been deprecated years back, although the commands are still…
Re-posting my answer to a Google cloud platform's Google Kubernetes Engine (GKE) related question in…
Recently I was trying to download numerous files from a certain website using a shell…