@GangGreenTemperTatum
Last active June 21, 2023 19:48
Best Practice for Securing GCP `compute` Resources via SSH

FYI: this gist does not cover firewall rule logging.

  1. Require use of IAP to access via gcloud ssh (i.e. see here).
  2. Create a firewall rule allowing port 22/ssh only from the IAP CIDR: 35.235.240.0/20.
  3. Set the rule destination to explicitly list the networks or network tags (note: don't confuse these with IAM tags) or the service account (the compute SA attached to the instance) you want to opt in for remote access.
  4. Use the "Secondary source" option (which is OR, not AND) with tags as well to allow specific machine-to-machine access if needed (or just define another rule). Using tags is a reasonable way to externalize the attribute that allows access.

For info on tags: tags can be used for firewall rules, and also for some conditional IAM bindings. There's a security/IAM model for the lifecycle of managing tags on instances.

There's an older concept of "Network Tags" which predates the secured, lifecycle-controlled IAM Tags; for the distinction, check here.

IAM Tags are shown top, Network Tags bottom. VPC firewall rules are what you are probably looking at, so it's the bottom one.

(image: IAM Tags above, Network Tags below)

- By default, when creating a compute resource within GCP, it is assigned the default (`default`) VPC network. This allows ingress SSH (tcp dport 22) among some other rules that are unwanted from a security perspective. I recommend creating and using custom networks, but for the HLO of this gist:
  1. Enable and spin up the IAP (Identity-Aware Proxy) API and service in the GCP project (e.g. [here](https://cloud.google.com/iap/docs/enabling-compute-howto)).
     - Enable the gcloud SDK and authenticate (i.e. install the gcloud CLI) from your local machine/terminal.
  2. Remove the default associated firewall rules.
  3. Create an ingress firewall rule for the Google IAP ranges (see "Set up IAP TCP forwarding with an IP address or hostname in a Google Cloud or non-Google Cloud environment"), i.e. 35.235.240.0/20.
     - Specify the dst IP with the associated tags for the target remote resources, or the VPC networks associated with the VPC network where you will be deploying the compute instances, i.e. us-central-1.
     - SSH to the VM using the gcloud SDK, i.e. here.
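The two lists above (the four-point summary and the step-by-step HLO) both boil down to the same checkable posture: any enabled ingress rule that opens TCP/22 should accept traffic only from the IAP TCP-forwarding range 35.235.240.0/20 and should name explicit targets (network tags or a target service account) instead of applying to every instance in the network. The audit below is an added example, not code from the gist or from Google; it reads rules in the JSON shape that `gcloud compute firewall-rules list --format=json` emits (only the fields used here are assumed) and reports each SSH-exposing rule that breaks either requirement. The rule set embedded in it is constructed to show the `default` network's stock SSH rule beside a compliant IAP-only rule.

```python
"""Audit GCP VPC firewall rules for the IAP-only SSH posture.

For every enabled INGRESS rule that allows TCP/22 this reports:
  - any source range that is not inside the IAP CIDR 35.235.240.0/20
  - a missing target (no targetTags / targetServiceAccounts), meaning the
    rule applies to every instance in the network
Rule dicts follow the field names of `gcloud compute firewall-rules list
--format=json`; the sample set below is constructed for this example.
"""
import ipaddress
import json

IAP_TCP_FORWARDING_CIDR = ipaddress.ip_network("35.235.240.0/20")

# Constructed sample (hypothetical project), not real gcloud output.
SAMPLE_RULES_JSON = """
[
  {"name": "default-allow-ssh", "network": "default", "direction": "INGRESS",
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "default-allow-internal", "network": "default", "direction": "INGRESS",
   "sourceRanges": ["10.128.0.0/9"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
               {"IPProtocol": "udp", "ports": ["0-65535"]},
               {"IPProtocol": "icmp"}]},
  {"name": "allow-ssh-from-iap", "network": "prod-vpc", "direction": "INGRESS",
   "sourceRanges": ["35.235.240.0/20"], "targetTags": ["ssh-via-iap"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-https", "network": "prod-vpc", "direction": "INGRESS",
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
  {"name": "old-allow-ssh-disabled", "network": "prod-vpc", "direction": "INGRESS",
   "disabled": true, "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]
"""


def load_sample_rules() -> list:
    """Parse the constructed sample into the list-of-dicts shape gcloud emits."""
    return json.loads(SAMPLE_RULES_JSON)


def port_in_spec(port: int, spec: str) -> bool:
    """True if `port` falls in a gcloud port spec such as "22" or "20-30"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def allows_tcp_port(rule: dict, port: int = 22) -> bool:
    """True if any `allowed` entry covers TCP on `port` (no ports list = all ports)."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports or any(port_in_spec(port, p) for p in ports):
            return True
    return False


def within_iap_range(cidr: str) -> bool:
    """True if `cidr` lies entirely inside the IAP TCP-forwarding range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return (net.version == IAP_TCP_FORWARDING_CIDR.version
            and net.subnet_of(IAP_TCP_FORWARDING_CIDR))


def audit_rule(rule: dict, port: int = 22) -> list:
    """Return findings for one rule; an empty list means nothing to report."""
    findings = []
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return findings                      # egress or disabled: not an SSH exposure
    if not allows_tcp_port(rule, port):
        return findings                      # rule does not open the SSH port
    for cidr in rule.get("sourceRanges", []):
        if not within_iap_range(cidr):
            findings.append(f"source range {cidr} is outside IAP range "
                            f"{IAP_TCP_FORWARDING_CIDR}")
    if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
        findings.append("no target tags or target service accounts: "
                        "rule applies to every instance in the network")
    return findings


def audit_rules(rules: list, port: int = 22) -> dict:
    """Map rule name -> findings for every rule that has at least one finding."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, port)
        if findings:
            report[rule["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_rules(load_sample_rules()).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

To run it against a real project, replace `SAMPLE_RULES_JSON` with the output of `gcloud compute firewall-rules list --format=json` (or read that file instead). Rules that list `sourceTags` or `sourceServiceAccounts` next to the IAP range, the "secondary source" machine-to-machine case from point 4, are left alone because only the IP ranges are checked; tighten `audit_rule` if your environment should not allow that either.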
