Enable ssh from GCP browser via IAP while restricting ssh with GCE firewall

Yusuke Hoshiba
2 min read · Dec 24, 2020

※I turned my Japanese article written on Qiita into English.

Japanese: https://qiita.com/henatyokotraveler/items/ada9c45ca4518ab3b726

What I want to do

From a network where ssh is restricted, I cannot access the server on the cloud.
In such an environment, the ssh function from the GCP browser is useful.
The GCE web terminal can be started from the GCP console screen.
I really like this feature of GCP.

[Official image]

A note for when your security policy requires you to limit ssh access to the server.

When I checked it before (※), the only way was to narrow it down to Google’s public SPF records.

https://henatyokotraveler.medium.com/enable-ssh-from-gcp-browser-while-restricting-ssh-with-gce-firewall-6296c28230d5

Recently, when I opened the GCP web terminal for the first time in a long time, I was guided by a pop-up and learned that a nice method had been added.

Overview

Official way: https://cloud.google.com/iap/docs/using-tcp-forwarding

There are only two things to do.
・Allow the IP address range of IAP in the firewall
・Grant the “IAP-Secured Tunnel User” role in IAM

Allow the IP address range of IAP

The firewall rule allows ingress only from the IAP range 35.235.240.0/20.
The ports are TCP 22 (SSH) and TCP 3389 (RDP).

It’s more limited than Google’s public SPF records, and
I feel relieved that IAM restrictions are also applied with the following settings.

Grant “IAP-Secured Tunnel User” privileges in IAM

Grant the “IAP-Secured Tunnel User” role only to the members who use the web terminal.
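As an added example (not code from the article or from Google’s documentation), here is a Terraform configuration that applies the two steps above: the firewall rule for the IAP range and the role grant. The project id, zone, instance name, network tag and user principal are placeholders. It also goes one step beyond the article by adding an explicit deny for the same ports from every other source, so that a broader allow rule left at a lower priority (such as the default ssh rule) cannot override the restriction.

```terraform
# Added example, not from the original article. Placeholders are marked.
variable "project"  { default = "my-project-id" }           # placeholder
variable "zone"     { default = "asia-northeast1-a" }       # placeholder
variable "operator" { default = "user:alice@example.com" }  # placeholder

provider "google" {
  project = var.project
}

# 1. Allow ssh (22) and rdp (3389) only from the IAP TCP-forwarding range,
#    and only to instances carrying the "iap-ssh" network tag.
resource "google_compute_firewall" "allow_iap_tunnel" {
  name          = "allow-ssh-rdp-from-iap"
  network       = "default"
  direction     = "INGRESS"
  priority      = 1000
  source_ranges = ["35.235.240.0/20"]   # IAP forwarding source range
  target_tags   = ["iap-ssh"]

  allow {
    protocol = "tcp"
    ports    = ["22", "3389"]
  }
}

# 2. Deny the same ports from everywhere else at a lower priority than the
#    allow above, but higher than the default rules at 65534. A leftover
#    "default-allow-ssh" rule therefore no longer exposes port 22.
resource "google_compute_firewall" "deny_ssh_rdp_elsewhere" {
  name          = "deny-ssh-rdp-not-from-iap"
  network       = "default"
  direction     = "INGRESS"
  priority      = 2000
  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["iap-ssh"]

  deny {
    protocol = "tcp"
    ports    = ["22", "3389"]
  }
}

# 3. IAM: grant the IAP-secured Tunnel User role, scoped to one instance
#    instead of the whole project.
resource "google_iap_tunnel_instance_iam_member" "operator" {
  project  = var.project
  zone     = var.zone
  instance = "my-vm"                           # placeholder instance name
  role     = "roles/iap.tunnelResourceAccessor"
  member   = var.operator
}
```

Firewall rules with a lower priority number win, so the order here is allow (1000) over deny (2000) over the default rules (65534).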

Impressions

I had wanted to solve this kind of problem, so it’s very smart.
