Utilizing GCP’s Identity Aware Proxy to SSH into Internal-IP-only VMs
Overview:
I will be going over Google’s Identity Aware Proxy (IAP) service, which is a fully managed solution for implementing a zero-trust model on multiple GCP resources, including Compute Engine. The demo covers creating a VM, enabling the IAP API, and tunneling through to a VM that doesn’t have an external IP address!
Zero-Trust:
Google defines zero trust as:
“A zero trust network is one in which no person, device, or network enjoys inherent trust. All trust, which allows access to information, must be earned, and the first step of that is demonstrating valid identity. A system needs to know who you are, confidently, before it can determine what you should have access to. Add to that the understanding of what you can access–authorization–and you’ve got the core foundation of zero trust security.”
More about Google’s vision on zero trust can be found here.
How does IAP work?
IAP shifts away from isolating apps and VMs at the network layer (where the traditional tool would be a VPN) to managing and centralizing authorization at the application layer over HTTPS.
Identity Aware Proxy (IAP) setup:
VM creation:
I created a VM called “iap-demo” without an external IP address using the following gcloud command.
gcloud compute instances create iap-demo --project=$projectID --zone=us-central1-a --machine-type=f1-micro --network-interface=subnet=default,no-address
By running the gcloud compute instances list command, I verified that the VM was created without an external IP address.
Enabling Identity Aware Proxy (IAP) API:
Navigating to the IAP API, I simply enabled the API from the cloud console.
Heading back to the IAP service, I am presented with HTTPS resources or SSH/TCP resources. Selecting the SSH/TCP option, I see the VM I created earlier in the demo with an “error” icon next to it.
IAP firewall creation:
Since IAP wraps the SSH connection in HTTPS, a firewall rule still needs to be created. At the time of writing, GCP requires the following source IP range / allowed protocols for IAP to work.
I created the firewall rule using the following gcloud command.
gcloud compute --project=$projectID firewall-rules create iap-fw --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp --source-ranges=35.235.240.0/20
After creating the firewall rule, I navigated back to the IAP service, where I no longer see an error message but a green OK message instead.
Connecting to the VM:
Now that I have created an internal-IP-only VM, enabled the IAP API, and created the firewall rule required to use IAP, I can connect to the VM without the need for an external IP address by running the following gcloud command.
gcloud compute ssh iap-demo --zone us-central1-a --tunnel-through-iap
Notice the error: I have set up the VM to use IAP and created the firewall rule for it to work, but what I have not done yet is authorize the user to connect to the VM. This is achieved with GCP IAM by granting the role roles/iap.tunnelResourceAccessor. After adding the role that authorizes the user to connect, I re-run the above command and connect successfully!
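The three things this walkthrough sets up (a VM with no external IP, a firewall rule admitting only the IAP forwarding range, and the roles/iap.tunnelResourceAccessor grant) are exactly the things worth re-checking before relying on the tunnel. The following Python audit script is an added example, not part of the original post and not Google tooling. It reads the JSON shapes that gcloud compute instances describe --format=json, gcloud compute firewall-rules describe --format=json and gcloud projects get-iam-policy --format=json emit, but every sample embedded below is constructed: the iap-demo instance, the iap-fw rule as created above with --rules=tcp (which admits every TCP port from the IAP range, not just 22), a tightened variant limited to tcp:22 with a target tag, and an IAM policy for a made-up user:jake@example.com. The function names, the iap-ssh tag and the finding strings are my own choices.

```python
"""Offline audit of the three IAP-for-SSH prerequisites from the walkthrough.
Added example; the sample JSON below is constructed, not captured from GCP."""
import ipaddress
import json

# Google's published source range for IAP TCP forwarding (the post's --source-ranges).
IAP_SOURCE_RANGE = ipaddress.ip_network("35.235.240.0/20")
IAP_TUNNEL_ROLE = "roles/iap.tunnelResourceAccessor"


def instance_has_external_ip(instance):
    """True if any NIC has an access config with a NAT IP, i.e. an external
    address (shape of `gcloud compute instances describe --format=json`)."""
    for nic in instance.get("networkInterfaces", []):
        for access in nic.get("accessConfigs", []):
            if access.get("natIP"):
                return True
    return False


def audit_firewall_rule(rule):
    """Return a list of findings for a rule meant to admit only IAP SSH traffic
    (shape of `gcloud compute firewall-rules describe --format=json`)."""
    findings = []
    if rule.get("direction") != "INGRESS":
        findings.append("direction is not INGRESS")
    if rule.get("disabled"):
        findings.append("rule is disabled")
    for src in rule.get("sourceRanges", []):
        net = ipaddress.ip_network(src, strict=False)
        if net.version != IAP_SOURCE_RANGE.version or not net.subnet_of(IAP_SOURCE_RANGE):
            findings.append(f"source range {src} is outside the IAP range {IAP_SOURCE_RANGE}")
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol")
        ports = allowed.get("ports")
        if proto != "tcp":
            findings.append(f"protocol {proto} allowed; only tcp:22 is needed for SSH")
        elif not ports:
            # `--rules=tcp` without ports opens every TCP port to the IAP range.
            findings.append("tcp allowed on all ports; restrict to tcp:22")
        elif ports != ["22"]:
            findings.append(f"tcp ports {ports} allowed; restrict to tcp:22")
    if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
        findings.append("rule applies to every instance in the network; add target tags")
    return findings


def members_with_tunnel_access(policy):
    """Set of members bound to roles/iap.tunnelResourceAccessor
    (shape of `gcloud projects get-iam-policy --format=json`)."""
    members = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") == IAP_TUNNEL_ROLE:
            members.update(binding.get("members", []))
    return members


def run_audit(instance, rule, policy, member):
    """Combine the three checks into one report: check name -> list of findings."""
    report = {}
    report["external_ip"] = (
        ["instance has an external IP; IAP tunnelling is meant to avoid that"]
        if instance_has_external_ip(instance) else []
    )
    report["firewall"] = audit_firewall_rule(rule)
    report["iam"] = (
        [] if member in members_with_tunnel_access(policy)
        else [f"{member} lacks {IAP_TUNNEL_ROLE}; gcloud compute ssh --tunnel-through-iap will fail"]
    )
    return report


# Constructed sample: the VM as created above with no-address (no accessConfigs).
SAMPLE_INSTANCE = {
    "name": "iap-demo",
    "networkInterfaces": [{"network": "default", "networkIP": "10.128.0.2"}],
}

# Constructed sample: the iap-fw rule as created above (--rules=tcp, no target tags).
SAMPLE_RULE_AS_POSTED = {
    "name": "iap-fw", "direction": "INGRESS", "priority": 1000, "network": "default",
    "sourceRanges": ["35.235.240.0/20"],
    "allowed": [{"IPProtocol": "tcp"}],
}

# Constructed sample: the same rule tightened to port 22 on tagged instances only.
SAMPLE_RULE_TIGHTENED = {
    "name": "iap-fw", "direction": "INGRESS", "priority": 1000, "network": "default",
    "sourceRanges": ["35.235.240.0/20"],
    "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
    "targetTags": ["iap-ssh"],
}

# Constructed sample: project IAM policy granting the tunnel role to a made-up user.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/viewer", "members": ["user:jake@example.com"]},
        {"role": IAP_TUNNEL_ROLE, "members": ["user:jake@example.com"]},
    ]
}

if __name__ == "__main__":
    for label, rule in (("as posted", SAMPLE_RULE_AS_POSTED), ("tightened", SAMPLE_RULE_TIGHTENED)):
        report = run_audit(SAMPLE_INSTANCE, rule, SAMPLE_POLICY, "user:jake@example.com")
        print(label, json.dumps(report, indent=2))
```

Run against the rule exactly as created above, the firewall check reports two findings (all TCP ports open to the IAP range, and no target tags, so the rule reaches every instance in the default network); the tightened variant reports none. The IAM check reproduces the error from the first gcloud compute ssh attempt: until the member appears in a roles/iap.tunnelResourceAccessor binding, the report flags that the tunnel will be refused.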
FIN!
GCP’s IAP is a very powerful tool with many other features. I hope this quick demo on how to use IAP to connect to a VM without the need for an external IP has been helpful. The same approach works at scale on managed instance groups and even GKE nodes.
Bio: Jake has been in IT for 5 years and is currently a Cloud Security Engineer. He currently holds CompTIA S+, Google’s ACE, Google’s PCA, Google’s PCSE, and Terraform Associate certifications!