
IAP access privately

Hi all, with IAP access you can reach private-IP VMs that are not attached to external IPs. You can access them through the IAP browser or desktop app.

Prerequisites

1. The VPC requires a NAT gateway.

2. An ingress firewall rule needs to be added:

   35.235.240.0/20, 35.191.0.0/16, allow all IPs, ports 22 and 3389

Accepted solution

IAP is a great service for exactly this use case, just a couple of small points to add.

You don't actually need a NAT gateway to use IAP. Of course, if you need your private VMs to access the internet, then a NAT gateway can be used for that, but it is not required for IAP itself.

You do need an ingress firewall rule, but for IAP only the 35.235.240.0/20 IP range is required; the second range you specify, 35.191.0.0/16, is related to load balancer health checks and is not needed for IAP.

You suggest "allow all IP"; certainly that will work, but generally I prefer to restrict this with a firewall rule based on a specific network tag or resource manager tag, to ensure you are explicitly granting remote access to systems that require it, for example a bastion host.

Finally, you reference ports 22 and 3389. Again, you could be more granular here, for example allowing 22 (i.e. SSH) only for Linux-based systems and 3389 (i.e. RDP) for Windows-based systems, depending on requirements, with different tags for each.

Just some thoughts, hope that helps.
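The accepted answer's setup expressed as gcloud commands, as an added example that is not part of the original thread: one ingress rule per protocol, sourced only from 35.235.240.0/20 and targeted by network tag, plus the tunneled SSH/RDP connections. The project, network, rule names and tag names (iap-ssh, iap-rdp) are assumptions; setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): IAP TCP-forwarding firewall rules
# scoped by network tag, plus the client-side tunnel commands.
# Assumed names: project "my-project", network "my-vpc", tags iap-ssh/iap-rdp.
set -eu

PROJECT="${PROJECT:-my-project}"
NETWORK="${NETWORK:-my-vpc}"
IAP_RANGE="35.235.240.0/20"   # the only source range IAP TCP forwarding uses; no 35.191.0.0/16

# Print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One rule per port/tag pair instead of "allow all instances".
iap_ingress_rule() {
  local name="$1" port="$2" tag="$3"
  run gcloud compute firewall-rules create "$name" \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
    --action=ALLOW --rules="tcp:$port" \
    --source-ranges="$IAP_RANGE" --target-tags="$tag"
}

create_iap_rules() {
  iap_ingress_rule allow-iap-ssh 22 iap-ssh     # Linux hosts only
  iap_ingress_rule allow-iap-rdp 3389 iap-rdp   # Windows hosts only
}

# Attach the tag to the VMs that should be reachable, e.g. a bastion.
tag_instance() {
  local instance="$1" zone="$2" tag="$3"
  run gcloud compute instances add-tags "$instance" \
    --zone="$zone" --project="$PROJECT" --tags="$tag"
}

# SSH through the IAP tunnel: the VM needs no external IP and no NAT for this path.
iap_ssh() {
  run gcloud compute ssh "$1" --zone="$2" --project="$PROJECT" --tunnel-through-iap
}

# RDP: forward local port 3390 to the VM's 3389, then point an RDP client at localhost:3390.
iap_rdp_tunnel() {
  run gcloud compute start-iap-tunnel "$1" 3389 \
    --zone="$2" --project="$PROJECT" --local-host-port=localhost:3390
}

# Example flow (assumed instance names):
#   create_iap_rules
#   tag_instance bastion us-central1-a iap-ssh
#   iap_ssh bastion us-central1-a
```

The rules allow only the IAP proxy range, so the VMs' own NIC ports 22/3389 are never reachable from the internet; an RDP client on the workstation connects to the local end of the tunnel, not to the VM.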



Hi,

You suggest "allow all IP", certainly that will work, but generally I prefer to restrict this to a specific network tag or resource manager tag based firewall rule, to ensure you are explicitly granting remote access to systems that require it - for example a bastion host.

Yes, you are correct. I am allowing full access because it's a private setting. However, we can configure it to allow access through Single Sign-On (SSO) ID for logging into the GCP console. This will restrict access to individuals with specific permissions, allowing them to access the VM through the organization ID. Just considering a broader perspective.

The permissions include IAP-secured Tunnel User, Compute OS Login, Service Account User, and Compute Viewer.
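The four permissions listed in the reply above, bound to a single identity with gcloud, as an added example that is not part of the original thread. Role IDs are the real IAM identifiers for those display names; the project, member and the VM's service account are assumptions, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): grant one identity the roles needed to
# reach a VM through IAP with OS Login. Assumed project "my-project",
# member user:alice@example.com, and the VM's service account email.
set -eu

PROJECT="${PROJECT:-my-project}"
MEMBER="${MEMBER:-user:alice@example.com}"

run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Role IDs behind the display names used in the reply.
IAP_TUNNEL_ROLE="roles/iap.tunnelResourceAccessor"   # IAP-secured Tunnel User
OSLOGIN_ROLE="roles/compute.osLogin"                  # Compute OS Login
SA_USER_ROLE="roles/iam.serviceAccountUser"           # Service Account User
COMPUTE_VIEWER_ROLE="roles/compute.viewer"            # Compute Viewer

project_binding() {
  run gcloud projects add-iam-policy-binding "$PROJECT" --member="$MEMBER" --role="$1"
}

# Service Account User is only needed on the service account the VM runs as,
# so bind it on that account rather than project-wide.
sa_binding() {
  run gcloud iam service-accounts add-iam-policy-binding "$1" \
    --project="$PROJECT" --member="$MEMBER" --role="$SA_USER_ROLE"
}

grant_iap_user() {
  local vm_sa="$1"
  project_binding "$IAP_TUNNEL_ROLE"
  project_binding "$OSLOGIN_ROLE"
  project_binding "$COMPUTE_VIEWER_ROLE"
  sa_binding "$vm_sa"
}

# Turn on OS Login for the instance so SSH access follows the IAM identity
# instead of metadata SSH keys.
enable_os_login() {
  run gcloud compute instances add-metadata "$1" \
    --zone="$2" --project="$PROJECT" --metadata=enable-oslogin=TRUE
}

# Example flow (assumed names):
#   grant_iap_user vm-sa@my-project.iam.gserviceaccount.com
#   enable_os_login bastion us-central1-a
```

Removing a user is the mirror image (remove-iam-policy-binding with the same arguments); because access is keyed on the IAM member rather than on an SSH key in instance metadata, revocation takes effect without touching the VM.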

Hello,
I currently connect to and run connection tests against an instance in GCP through IAP, previously with a service account and also as a user. These tests succeed using the command: gcloud compute ssh MI-INSTANCIA --zone=us-central1-a --tunnel-through-iap.

In the IAM rules I have the SSH connection set as a condition. I have no external IP, only the internal one, and I want the connection I make from the terminal to also work with Remote SSH and VS Code.

Could someone please guide me on what other configuration I should take into account to get the connection working from VS Code and SSH?

I hope you can help me.

Thanks.

Hi @lunaysor ,

Welcome to Google Cloud Community!
In this post you'll find the specific answer you are looking for: how to use IAP with VS Code.

Good Luck!
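The question above asks how to reuse the working gcloud tunnel from VS Code's Remote - SSH extension. As an added example that is not part of the original thread or its linked post, the following writes an ssh_config entry whose ProxyCommand lets gcloud open the IAP tunnel on stdin/stdout for ssh, which is what both plain ssh and Remote - SSH use. The alias, instance, zone, project and OS Login username are assumptions; gcloud must be installed where ssh runs, with the IAP-secured Tunnel User role already granted.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): an ssh_config stanza that tunnels
# through IAP, so VS Code Remote - SSH (or plain ssh) reaches a VM with no
# external IP. Assumed instance "mi-instancia", zone us-central1-a,
# project "my-project", OS Login username "alice".
set -eu

# Print the stanza for one host. Usage:
#   iap_ssh_config_entry ALIAS INSTANCE ZONE PROJECT OSLOGIN_USER
iap_ssh_config_entry() {
  local host_alias="$1" instance="$2" zone="$3" project="$4" user="$5"
  cat <<EOF
Host $host_alias
    HostName $instance
    User $user
    # gcloud opens the IAP tunnel and relays it over stdin/stdout for ssh.
    ProxyCommand gcloud compute start-iap-tunnel $instance 22 --zone=$zone --project=$project --listen-on-stdin
    # Key that "gcloud compute ssh" created and registered with OS Login.
    IdentityFile ~/.ssh/google_compute_engine
EOF
}

# Append the stanza to ~/.ssh/config with safe permissions; afterwards pick
# "Remote-SSH: Connect to Host..." -> ALIAS in VS Code.
install_entry() {
  mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
  iap_ssh_config_entry "$@" >> "$HOME/.ssh/config"
  chmod 600 "$HOME/.ssh/config"
}

# Example (assumed names):
#   install_entry bastion mi-instancia us-central1-a my-project alice
#   ssh bastion
```

The OS Login username (often of the form user_example_com) is shown by `gcloud compute os-login describe-profile`; if the entry works with `ssh ALIAS` from a terminal it will work from Remote - SSH, since the extension simply runs ssh with the same config.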