This gist does not cover firewall rule logging, FYI.
- Require IAP TCP forwarding for SSH access, i.e. connect with `gcloud compute ssh --tunnel-through-iap` instead of to a public IP.
- Create a firewall rule allowing port 22/ssh only from the IAP source range: 35.235.240.0/20
- Set the rule's targets to an explicit list: specific network tags (note: don't confuse these with IAM tags) or the service account attached to the instance (the compute SA), so that only the instances you opt in accept remote access.
- Use the "Second source filter" option (which is OR'd with the first source filter, not AND'd) with source tags as well if you need specific machine-to-machine SSH, or just define another rule. Using tags is a reasonable way to externalize the attribute that grants access.
For info on tags: tags can be used in firewall rules and also in some conditional IAM bindings. There's a security/IAM model around the lifecycle of managing tags on instances.
There's an older concept of "Network Tags" which predates the secured, lifecycle-controlled IAM tags; the tags docs show the distinction with IAM Tags at the top and Network Tags at the bottom. VPC firewall rules use network tags, the bottom one, which is probably what you are looking at.
- By default, when creating a compute resource in GCP, it is attached to the `default` VPC network. That network ships with pre-populated rules, including one that allows ingress SSH (tcp dport 22) from 0.0.0.0/0, among other rules you don't want from a security perspective. I recommend creating and using custom networks, but for the high-level outline of this gist:
1. Enable the IAP (Identity-Aware Proxy) API in the GCP project (see [here](https://cloud.google.com/iap/docs/enabling-compute-howto)).
   - Install the gcloud CLI on your local machine/terminal and authenticate.
2. Remove the default firewall rules associated with the default network (at minimum the one that opens tcp/22 from everywhere).
3. Create an ingress firewall rule for the Google IAP range, i.e. 35.235.240.0/20 (see "Set up IAP TCP forwarding with an IP address or hostname in a Google Cloud or non-Google Cloud environment" in the IAP docs).
   - Specify the targets (network tags or service account) of the remote resources on the VPC network where you will be deploying the compute instances (e.g. a VPC with subnets in us-central1).
4. SSH to the VM using the gcloud CLI with `--tunnel-through-iap`.
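The procedure above as one script, added here as an example and not part of the original gist or Google's own tooling. It prints the gcloud commands for steps 2 to 4 in dry-run mode, and adds a check the gist does not include: an audit that parses a firewall-rule listing and flags any rule that still opens tcp/22 from a source range other than the IAP range, including port ranges such as tcp:0-65535 that cover port 22. The project, VPC, tag and VM names are hypothetical, the sample rule listing is constructed, and the `--format` string for the real listing command is an assumption to verify against your gcloud version.

```shell
#!/usr/bin/env bash
# Added example, not the gist author's code: lock SSH on GCP to IAP TCP
# forwarding and audit for rules that still open tcp/22 more widely.
# Hypothetical names (assumptions): project "my-project", VPC "my-vpc",
# opt-in network tag "iap-ssh", VM "my-vm" in zone "us-central1-a".
set -e

IAP_RANGE="35.235.240.0/20"       # Google's published IAP TCP forwarding source range
PROJECT="${PROJECT:-my-project}"
NETWORK="${NETWORK:-my-vpc}"
TAG="${TAG:-iap-ssh}"
DRY_RUN="${DRY_RUN:-1}"           # 1 = print the gcloud commands, 0 = execute them

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 2: drop the rule the default network ships with (tcp/22 from 0.0.0.0/0).
remove_default_ssh_rule() {
  run gcloud compute firewall-rules delete default-allow-ssh \
    --project="$PROJECT" --quiet
}

# Step 3: allow tcp/22 only from the IAP range and only to instances carrying
# the opt-in network tag (a network tag, not an IAM/Resource Manager tag).
create_iap_ssh_rule() {
  run gcloud compute firewall-rules create allow-ssh-from-iap \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
    --allow=tcp:22 --source-ranges="$IAP_RANGE" --target-tags="$TAG"
}

# Step 4: SSH through the IAP tunnel; the VM needs no public IP.
iap_ssh() {
  run gcloud compute ssh "$1" --project="$PROJECT" --zone="$2" --tunnel-through-iap
}

# ssh_exposed ALLOWED: succeed if a ';'-separated allow list opens tcp/22,
# whether as tcp:22, a tcp port range covering 22, bare "tcp", or "all".
ssh_exposed() {
  local item lo hi old_ifs
  old_ifs=$IFS; IFS=';'; set -- $1; IFS=$old_ifs
  for item in "$@"; do
    case "$item" in
      all|tcp|tcp:22) return 0 ;;
      tcp:*-*)
        lo=${item#tcp:}; hi=${lo#*-}; lo=${lo%-*}
        if [ "$lo" -le 22 ] && [ "$hi" -ge 22 ]; then return 0; fi ;;
    esac
  done
  return 1
}

# audit_ssh_rules: read NAME|SOURCE_RANGES|ALLOWED lines (';' between list
# items) on stdin and report every rule that opens tcp/22 from a source range
# other than the IAP range. Exit status 1 if any offender is found.
# Real input (assumed format string, check `gcloud topic formats` for your version):
#   gcloud compute firewall-rules list --project="$PROJECT" \
#     --format="csv[no-heading,separator='|'](name,sourceRanges,allowed[].map().firewall_rule())"
# Rules sourced by tag or service account have empty SOURCE_RANGES and are skipped.
audit_ssh_rules() {
  local name src allow r old_ifs bad
  bad=0
  while IFS='|' read -r name src allow; do
    [ -n "$name" ] || continue
    ssh_exposed "$allow" || continue
    old_ifs=$IFS; IFS=';'; set -- $src; IFS=$old_ifs
    for r in "$@"; do
      if [ "$r" != "$IAP_RANGE" ]; then
        printf 'OFFENDER: %s allows %s from %s\n' "$name" "$allow" "$r"
        bad=1
      fi
    done
  done
  return "$bad"
}

# Constructed sample of what the list command returns on a project that still
# uses the default network plus the IAP rule created above.
SAMPLE_RULES='default-allow-ssh|0.0.0.0/0|tcp:22
allow-ssh-from-iap|35.235.240.0/20|tcp:22
default-allow-internal|10.128.0.0/9|tcp:0-65535;udp:0-65535;icmp
allow-icmp|0.0.0.0/0|icmp'

# Print the planned changes (DRY_RUN=1), then audit the sample.
remove_default_ssh_rule
create_iap_ssh_rule
iap_ssh my-vm us-central1-a
printf '%s\n' "$SAMPLE_RULES" | audit_ssh_rules || echo "audit: SSH reachable from outside the IAP range"
```

On the constructed sample the audit flags `default-allow-ssh` (0.0.0.0/0) and `default-allow-internal` (tcp:0-65535 covers port 22 from the internal range), and passes `allow-ssh-from-iap`. The audit deliberately ignores priority and deny rules, so a flagged rule shadowed by a higher-priority deny will still show up; treat its output as a list to review, not a verdict. Note also that the firewall rule is only half of the control: the user running `gcloud compute ssh --tunnel-through-iap` must additionally hold the IAP-secured Tunnel User role (`roles/iap.tunnelResourceAccessor`) on the instance or project, which is where the identity-aware part of the access decision lives.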