Enable SSH from the GCP browser while restricting SSH with the GCE firewall

Yusuke Hoshiba
Mar 1, 2020

※ This is an English translation of an article I originally wrote in Japanese on Qiita.

Japanese: https://qiita.com/henatyokotraveler/items/bbecf262917a3ea53fdc

Recently I have found a better way. That article is here:

https://henatyokotraveler.medium.com/enable-ssh-from-gcp-browser-via-iap-while-restricting-ssh-with-gce-firewall-5683172c3a49

What I want to do

From a network where outbound SSH is restricted, I cannot reach servers in the cloud over SSH.
In such an environment, SSH from the GCP browser is useful: a web terminal to a GCE instance can be opened directly from the GCP Console.
I really like this feature of GCP.

[Official image]

However, this function requires a firewall rule that allows SSH and a public IP address on the instance.
This is a memo for the case where your security policy requires restricting SSH to the server, but you still want SSH from the GCP browser as an access route.

Conditions for SSH from the GCP browser

SSH from the browser in GCP does not work if you restrict external SSH with the GCE firewall, or if the instance has no public IP address reachable from the internet.

The reasons are as follows.
Official excerpt from https://cloud.google.com/compute/docs/ssh-in-browser?hl=jacx

- No firewall rules allow SSH access on the port. SSH access on port 22 is enabled by default on all Compute Engine instances. If you have disabled access, SSH from the browser will not work. If you run sshd on a port other than 22, you must use a custom firewall rule to enable access to that port.

- A firewall rule that allows SSH access is enabled, but it is not configured to allow connections from the GCP Console service. The source IP address for browser-based SSH sessions is dynamically assigned by the GCP Console and can vary from session to session. In order for this feature to work, you must allow connections either from any IP address or from the IP address ranges in the Google public SPF record (https://support.google.com/a/answer/60764?hl=en).

Allow the public SPF record ranges

The public SPF record (https://support.google.com/a/answer/60764?hl=en) as of September 3, 2019 was as follows.

_netblocks.google.com
> nslookup -q=TXT _netblocks.google.com 8.8.8.8
"v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"
_netblocks2.google.com
> nslookup -q=TXT _netblocks2.google.com 8.8.8.8
"v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"
_netblocks3.google.com
> nslookup -q=TXT _netblocks3.google.com 8.8.8.8
"v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all"

Add the IPv4 ranges from _netblocks.google.com and _netblocks3.google.com as allowed source ranges in a GCE firewall rule that permits SSH (tcp/22).
* The IPv6 ranges in _netblocks2.google.com are not needed, because GCE did not support IPv6 at the time of writing
(Official: "IPv6 is disabled because it is not yet supported on Compute Engine", https://cloud.google.com/compute/docs/images?hl=JA)
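The procedure above, as an added example that is not part of the original article: a POSIX shell script that parses the three SPF TXT records into the IPv4 CIDRs, drops the IPv6 entries, and builds the gcloud firewall-rule command. The SPF strings are constructed sample input copied from the September 2019 values listed above; the rule name (allow-ssh-from-google-spf), network (default) and target tag (browser-ssh) are assumptions, and the live lookup helper is provided but not called so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original article. Turns Google's public SPF
# TXT records into a GCE firewall rule allowing SSH (tcp/22) only from those
# IPv4 ranges. Rule name, network and target tag below are assumed values.

# Constructed sample records (the September 3, 2019 values from the article).
NETBLOCKS1='v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all'
NETBLOCKS2='v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all'
NETBLOCKS3='v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all'

# Live lookup (needs network access and dig). Prints the TXT record with the
# surrounding quotes removed. Not called below so the demo runs offline.
fetch_spf_txt() {
    dig +short TXT "$1" @8.8.8.8 | tr -d '"'
}

# Extract only the ip4: mechanisms from one or more SPF strings, one CIDR per
# line. ip6: mechanisms are dropped on purpose: GCE had no IPv6 support when
# the article was written, so they have no place in the rule.
spf_ip4_ranges() {
    printf '%s\n' "$@" | tr ' ' '\n' | sed -n 's/^ip4:\([0-9./]*\)$/\1/p'
}

# Number of IPv4 ranges found; useful to detect that the record changed since
# the rule was last generated (the record can change without notice).
count_ip4_ranges() {
    spf_ip4_ranges "$@" | wc -l | tr -d ' '
}

# Build (but do not execute) the gcloud command that creates an ingress rule
# allowing tcp/22 from the extracted ranges to instances tagged browser-ssh.
build_firewall_cmd() {
    ranges=$(spf_ip4_ranges "$@" | tr '\n' ',' | sed 's/,$//')
    printf 'gcloud compute firewall-rules create allow-ssh-from-google-spf --network=default --direction=INGRESS --priority=1000 --action=ALLOW --rules=tcp:22 --source-ranges=%s --target-tags=browser-ssh\n' "$ranges"
}

# Stand-alone run: print the command for the three records above.
build_firewall_cmd "$NETBLOCKS1" "$NETBLOCKS2" "$NETBLOCKS3"
```

Because the rule is scoped by --target-tags, only instances carrying the browser-ssh tag accept SSH from these ranges; any broader default-allow-ssh rule on the network still has to be deleted or narrowed separately, otherwise this rule adds nothing. Re-run count_ip4_ranges against fetch_spf_txt output periodically and regenerate the rule when the count or contents change.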

Comments

Even with the above measures, the following issues remain, so I do not feel this is completely solved:

  • A wide range of IPs is allowed (the SPF record covers Google's general public ranges, not only the console's SSH sources).
  • Instances without a public IP still need a bastion host that the browser can SSH into.
  • The public SPF record may change without notice, so the firewall rule must be re-checked.

GCE allows SSH by default (relying on key authentication rather than network restriction to control access).
I think this is based on the BeyondCorp way of thinking (https://cloud.google.com/beyondcorp/).

I would like to be able to use SSH from the browser over a private GCP path rather than from the public internet, or at least to narrow the range of allowed IPs.
