Goal
Provide secure access to a Google Cloud Platform GCE instance without setting up a bastion host.
Prerequisites
- Google Cloud tools installed on the development workstation
- GCP project with at least one network
- Project permissions to manage firewall rules and compute engine instances
- Microsoft Remote Desktop client
Process
The first step is to create a firewall rule in your project that allows Cloud IAP to reach the compute resources on your network.
Execute the following gcloud command to create a firewall rule allowing SSH (22) and RDP (3389) traffic to your compute engine instances. The only source range it admits is 35.235.240.0/20, the address block Google uses for IAP TCP forwarding, so neither port is exposed to the internet.
gcloud compute --project=iap-test-258815 \
firewall-rules create allow-iap-ssh-rdp --direction=INGRESS \
--priority=500 --network=primary --action=ALLOW --rules=tcp:22,tcp:3389 \
--source-ranges=35.235.240.0/20
Note: This allows IAP to reach every instance on the network. Tighten it with --target-tags or --target-service-accounts so that only the VMs you intend to administer accept traffic from the IAP range. Note also that the firewall rule only admits traffic from Google's IAP range; which users may actually open a tunnel to an instance is decided separately by IAM, through the roles/iap.tunnelResourceAccessor role granted on the project or on individual instances.
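The firewall rule above is only as strong as the other rules on the network: a leftover default-allow-ssh or default-allow-rdp rule from 0.0.0.0/0 silently defeats the IAP-only design. The following audit script is an added example, not code from the original post. It consumes the JSON printed by gcloud compute firewall-rules list --format=json (the sample rules embedded below are constructed to mimic that shape), reports any ingress rule that opens 22 or 3389 from a source other than the IAP range, flags an IAP rule that is not scoped to tags or service accounts, and builds the scoped form of the post's command. The tag name iap-admin is an assumption.

```python
"""Audit GCE firewall rules for the IAP-only SSH/RDP pattern.

Added example, not code from the original post. Input is the JSON that
`gcloud compute firewall-rules list --format=json` prints; SAMPLE_RULES below
is constructed to mimic that shape.
"""
import json
import sys

IAP_RANGE = "35.235.240.0/20"   # source range Google uses for IAP TCP forwarding
ADMIN_PORTS = {22, 3389}


def tcp_ports(allowed):
    """Expand a rule's allowed[] list into the set of TCP ports it opens.
    A tcp/all entry with no 'ports' key opens every port."""
    ports = set()
    for entry in allowed:
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        specs = entry.get("ports")
        if specs is None:
            return set(range(65536))
        for spec in specs:                      # "22" or "0-65535"
            lo, _, hi = spec.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit(rules):
    """Return [(rule_name, finding, details)] for enabled ingress rules that open
    an admin port. Findings:
      internet_exposed - reachable from 0.0.0.0/0 (the hole IAP is meant to close)
      non_iap_source   - reachable from some other non-IAP range; review it
      unscoped         - the IAP rule has no targetTags/targetServiceAccounts,
                         so IAP may reach every instance on the network
    """
    findings = []
    for r in rules:
        if r.get("disabled") or r.get("direction") != "INGRESS":
            continue
        if not (tcp_ports(r.get("allowed", [])) & ADMIN_PORTS):
            continue
        sources = set(r.get("sourceRanges", []))
        if "0.0.0.0/0" in sources:
            findings.append((r["name"], "internet_exposed", ["0.0.0.0/0"]))
        other = sorted(sources - {IAP_RANGE, "0.0.0.0/0"})
        if other:
            findings.append((r["name"], "non_iap_source", other))
        if IAP_RANGE in sources and not (r.get("targetTags") or r.get("targetServiceAccounts")):
            findings.append((r["name"], "unscoped", []))
    return findings


def scoped_iap_rule_argv(project, network, tag, name="allow-iap-ssh-rdp"):
    """The post's firewall rule narrowed with --target-tags, so only VMs created
    with --tags=<tag> accept IAP traffic. Returned as argv for subprocess.
    The tag name is an assumption of this example."""
    return ["gcloud", "compute", f"--project={project}", "firewall-rules", "create", name,
            "--direction=INGRESS", "--priority=500", f"--network={network}",
            "--action=ALLOW", "--rules=tcp:22,tcp:3389",
            f"--source-ranges={IAP_RANGE}", f"--target-tags={tag}"]


# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
SAMPLE_RULES = json.loads("""[
  {"name": "allow-iap-ssh-rdp", "direction": "INGRESS", "priority": 500,
   "sourceRanges": ["35.235.240.0/20"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}]},
  {"name": "default-allow-rdp", "direction": "INGRESS", "priority": 65534,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "allow-internal", "direction": "INGRESS", "priority": 65534,
   "sourceRanges": ["10.128.0.0/9"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
               {"IPProtocol": "udp", "ports": ["0-65535"]},
               {"IPProtocol": "icmp"}]},
  {"name": "allow-https", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]}
]""")

if __name__ == "__main__":
    # Usage: gcloud compute firewall-rules list --format=json | python3 iap_audit.py
    rules = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RULES
    for rule_name, finding, details in audit(rules):
        print(f"{finding:17} {rule_name} {' '.join(details)}")
```

On the sample, the post's own rule is reported as unscoped, default-allow-rdp as internet_exposed, and the broad internal rule as a non-IAP source to review; allow-https is ignored because it opens no admin port.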
Enable the IAP API in your project (the command is safe to run again if the API is already enabled).
gcloud services enable iap.googleapis.com
Deploy a Linux VM in your project on the same network for which you created the firewall rules, specifically without a public IP address.
gcloud compute instances create linux --zone=us-central1-a \
--machine-type=n1-standard-1 --subnet=primary-us-central-1 \
--no-address --maintenance-policy=MIGRATE --no-service-account \
--no-scopes --image=debian-9-stretch-v20191014 \
--image-project=debian-cloud --boot-disk-size=10GB \
--boot-disk-type=pd-standard --boot-disk-device-name=linux \
--reservation-affinity=any
Deploy a Windows VM in your project, also on the same network and without a public IP address.
gcloud beta compute instances create windows --zone=us-central1-a \
--machine-type=n1-standard-1 --subnet=primary-us-central-1 \
--no-address --maintenance-policy=MIGRATE --no-service-account \
--no-scopes --image=windows-server-2016-dc-v20191008 \
--image-project=windows-cloud --boot-disk-size=50GB \
--boot-disk-type=pd-standard --boot-disk-device-name=windows \
--reservation-affinity=any
Validate your network. On the navigation menu, select the Identity-Aware Proxy dashboard. Under SSH and TCP RESOURCES, verify that the configurations of the two newly deployed VMs are marked as OK.
Browse to the VM instances in the GCP console.
Connect to the Linux VM using either of the following options.
- Click on the SSH button to automatically detect the IAP configuration. The browser-based SSH terminal will connect automatically.
- Start a desktop SSH session by entering this command:
gcloud compute ssh linux
gcloud will detect that the instance has no external IP and automatically fall back to an IAP tunnel for the connection (the --tunnel-through-iap flag forces this behaviour explicitly). The command as written relies on a default zone being configured; otherwise add --zone=us-central1-a.
Connect to the Windows VM.
For the Windows VM, the RDP button is disabled without an external IP address; a desktop-based RDP client is required.
- Click on the Windows server instance to enter the details window in the GCP console.
- Click on the Set Windows Password button to reset your password, taking note of the new password for later use.
- Create an IAP tunnel to the remote instance from your workstation with the following command:
gcloud compute start-iap-tunnel windows 3389 --local-host-port=127.0.0.1:3389
A successful connection will display Listening on port [3389].
- Add a new remote desktop connection using the host/PC name 127.0.0.1, the localhost address used in the previous gcloud command.
- Set the remote desktop settings to your personal preferences.
Launch the remote desktop.
Enter your username and password created earlier.
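Binding the tunnel to local port 3389 collides with a Windows workstation's own Remote Desktop listener, and a client launched before gcloud prints its readiness line simply fails to connect. The wrapper below is an added example, not code from the original post: it picks a free loopback port, starts gcloud compute start-iap-tunnel with the instance name and zone from this walkthrough, and blocks until gcloud's "Listening on port [N]." line appears (or an ERROR line aborts it). It assumes gcloud is on PATH and that you have already been granted the tunnel IAM role; only main() contacts Google.

```python
"""Open an IAP tunnel to a private VM on a free loopback port and wait for
gcloud to report readiness. Added example, not code from the original post.
Assumes gcloud is on PATH; the instance/zone values are the walkthrough's."""
import re
import socket
import subprocess
import threading

# gcloud's readiness message, as shown in the post: "Listening on port [3389]."
READY_RE = re.compile(r"Listening on port \[(\d+)\]")


def pick_free_port():
    """Ask the OS for an unused loopback port so the tunnel never fights a
    local service (a Windows workstation already listens on 3389)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def tunnel_argv(instance, zone, remote_port, local_port):
    """argv for `gcloud compute start-iap-tunnel`, bound to loopback only so
    nothing else on the LAN can ride the tunnel."""
    return ["gcloud", "compute", "start-iap-tunnel", instance, str(remote_port),
            f"--zone={zone}", f"--local-host-port=127.0.0.1:{local_port}"]


def ready_port(line):
    """Return the port from gcloud's 'Listening on port [N].' line, else None."""
    m = READY_RE.search(line)
    return int(m.group(1)) if m else None


def open_tunnel(instance, zone, remote_port):
    """Start the tunnel and block until it is listening. Returns (proc, port)."""
    port = pick_free_port()
    proc = subprocess.Popen(tunnel_argv(instance, zone, remote_port, port),
                            stderr=subprocess.PIPE, text=True)
    for line in proc.stderr:                      # gcloud logs status to stderr
        if ready_port(line) == port:
            # keep draining stderr so gcloud can never block on a full pipe
            threading.Thread(target=proc.stderr.read, daemon=True).start()
            return proc, port
        if line.startswith("ERROR"):              # e.g. missing IAM role, bad firewall
            proc.terminate()
            raise RuntimeError(line.strip())
    raise RuntimeError("gcloud exited before the tunnel came up")


if __name__ == "__main__":
    proc, port = open_tunnel("windows", "us-central1-a", 3389)
    print(f"Point the RDP client at 127.0.0.1:{port}; Ctrl-C closes the tunnel")
    try:
        proc.wait()
    except KeyboardInterrupt:
        proc.terminate()
```

Use the printed 127.0.0.1:port as the PC name in the Remote Desktop client; the same wrapper serves the Linux VM by passing "linux" and port 22 and pointing an SSH client at the local port.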
Outcome
Within a few minutes, you have deployed a secure means of tunneling directly to Linux and Windows VMs without having to set up or maintain bastion/jump hosts.
As useful as the bastion-less configuration is, there are still cases where a jump host earns its keep. In a future post, we will extend Cloud IAP with jump hosts to securely reach private Google Kubernetes Engine clusters and private Cloud SQL instances.