Google Cloud,  iap,  proxy,  identity

Private instance access without a bastion host on GCP

Identity-Aware Proxy (IAP) TCP forwarding is a managed service that controls access to VMs that have no public IP, so you can reach them over SSH or another TCP port without running a bastion host. The connection is tunnelled through Google's proxy, and the caller is authenticated and authorized with IAM before any packet reaches the instance.


Enable IAP tunneling by adding an ingress firewall rule that allows traffic only from IAP's forwarding netblock, 35.235.240.0/20. The rules below apply to the default network and to every instance in it; add --network and --target-tags to scope them to the instances that actually need the tunnel.

For SSH access:

gcloud compute firewall-rules create allow-ssh-ingress-from-iap \
  --direction=INGRESS \
  --action=allow \
  --rules=tcp:22 \
  --source-ranges=35.235.240.0/20

For other TCP services (IAP TCP forwarding supports TCP only; replace PORT with the port the service listens on, for example 3389 for RDP):

gcloud compute firewall-rules create allow-ingress-from-iap \
  --direction=INGRESS \
  --action=allow \
  --rules=tcp:PORT \
  --source-ranges=35.235.240.0/20

Who may open a tunnel is controlled with IAM: grant the user the IAP-secured Tunnel User role (roles/iap.tunnelResourceAccessor). Granting it at project level, as below, allows tunnels to every instance in the project; the role can also be granted on individual instances in the IAP console if you need tighter scoping. The role only authorizes the tunnel itself; the user still needs the usual permissions to look up the instance and to log in to it (OS Login or an SSH key in metadata).

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=user:EMAIL \
    --role=roles/iap.tunnelResourceAccessor

Connect with the gcloud compute ssh command and the --tunnel-through-iap flag; gcloud opens the tunnel through IAP and runs the SSH session over it, so the instance needs no public IP:

gcloud compute ssh my-instance \
--tunnel-through-iap 

Other services on the instance can be reached with SSH local port forwarding over the same tunnel. This example forwards local port 3306 to a MySQL server listening on the instance's localhost:3306 without opening a shell (-N):

gcloud compute ssh my-instance \
--tunnel-through-iap \
--ssh-flag="-N -L 3306:localhost:3306"
