GCP open firewall only to cloud shell


Question

Is there a way in GCP to explicitly allow a firewall rule only from Cloud Shell? All the GCP demos and videos add the rule "allow 22 to 0.0.0.0/0" to SSH to the instance from Cloud Shell.

However, is there a way we could restrict the access to Cloud Shell only, either using Cloud Shell's IP range or a service account?

Answer

Google does not publish the public IP address range for Cloud Shell.

VPC firewall rules allow specifying the service account of the source and target. However, Cloud Shell does not use a service account. Cloud Shell uses the identity of the person logged into the Google Cloud Console. This means OAuth 2 user credentials. User credentials are not supported for VPC firewall rules.

My recommendation is to use TCP forwarding and tunnel SSH through IAP (Identity Aware Proxy). Google makes this easy in the Cloud SDK CLI.

Open a Cloud Shell in the Google Cloud Console. Then run this command:

gcloud compute ssh NAME_OF_VM_INSTANCE --tunnel-through-iap

This also works for VM instances that do not have public IP addresses.

The Identity Aware Proxy CIDR netblock is 35.235.240.0/20. Create a VPC firewall rule that allows SSH traffic from this block. This rule will prevent public SSH traffic and only allow authorized traffic through Identity Aware Proxy.
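The answer's advice, turned into a check you can run against a real project. This is an added example and not code from the original answer: a Python audit over the JSON that `gcloud compute firewall-rules list --format=json` prints, which flags enabled ingress rules that open tcp/22 to 0.0.0.0/0 (the "allow 22 to 0.0.0.0/0" rule from the demos) and confirms that a rule scoped to the IAP TCP-forwarding range 35.235.240.0/20 exists. The IAP rule only stops public SSH if the 0.0.0.0/0 rule is actually deleted, which is why both conditions are checked. The rules in SAMPLE_RULES are constructed sample data; the rule name allow-ssh-from-iap, the network name and the target tag ssh-via-iap used in the suggested remediation commands are assumptions.

```python
"""Audit VPC firewall rules for public SSH exposure versus IAP-only access.

Added example, not code from the original answer. Input has the shape of
`gcloud compute firewall-rules list --format=json`; SAMPLE_RULES below are
constructed, not taken from any real project.
"""
import ipaddress
import json
import sys

# Source range Google documents for IAP TCP forwarding (same value as in the answer).
IAP_TCP_FORWARDING_RANGE = ipaddress.ip_network("35.235.240.0/20")

# Constructed sample data shaped like gcloud's JSON output.
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-ssh-from-iap", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["35.235.240.0/20"], "targetTags": ["ssh-via-iap"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-office-tcp", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["20-25"]}]},
    {"name": "allow-ssh-from-bastion", "direction": "INGRESS", "disabled": False,
     "sourceTags": ["bastion"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "old-allow-ssh-any", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "deny-all-egress", "direction": "EGRESS", "disabled": False,
     "destinationRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "all"}]},
]


def load_rules(json_text):
    """Parse the JSON list that gcloud prints."""
    return json.loads(json_text)


def _port_in_spec(port, spec):
    """gcloud emits port specs as "22" or "20-25"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_allows(rule, proto, port):
    """True if an enabled INGRESS rule allows proto/port (ports omitted = all ports)."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled", False):
        return False
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol", "").lower() not in (proto, "all"):
            continue
        ports = entry.get("ports")
        if not ports or any(_port_in_spec(port, p) for p in ports):
            return True
    return False


def audit_ssh(rules):
    """Bucket every rule that opens tcp/22 by where it accepts traffic from."""
    findings = {"public": [], "iap_only": [], "other_cidr": [], "non_cidr": []}
    for rule in rules:
        if not rule_allows(rule, "tcp", 22):
            continue
        ranges = [ipaddress.ip_network(r, strict=False) for r in rule.get("sourceRanges", [])]
        if not ranges:
            # sourceTags / sourceServiceAccounts: not CIDR based, review by hand.
            findings["non_cidr"].append(rule["name"])
        elif any(r.prefixlen == 0 for r in ranges):
            # 0.0.0.0/0 or ::/0: the whole Internet can reach port 22.
            findings["public"].append(rule["name"])
        elif all(r.version == 4 and r.subnet_of(IAP_TCP_FORWARDING_RANGE) for r in ranges):
            findings["iap_only"].append(rule["name"])
        else:
            findings["other_cidr"].append(rule["name"])
    return findings


def posture(rules):
    """'exposed' if a public SSH rule is live, 'ok' if an IAP-scoped rule exists
    and no public one does, 'no_iap_rule' if IAP tunnels would be blocked."""
    f = audit_ssh(rules)
    if f["public"]:
        return "exposed"
    return "ok" if f["iap_only"] else "no_iap_rule"


def remediation(rules, network="default", target_tag="ssh-via-iap"):
    """gcloud commands to close public SSH and, if missing, admit IAP only.
    Rule, network and tag names here are assumptions; adjust for your project."""
    f = audit_ssh(rules)
    cmds = [f"gcloud compute firewall-rules delete {name}" for name in f["public"]]
    if not f["iap_only"]:
        cmds.append(
            "gcloud compute firewall-rules create allow-ssh-from-iap "
            f"--network={network} --direction=INGRESS --allow=tcp:22 "
            f"--source-ranges={IAP_TCP_FORWARDING_RANGE} --target-tags={target_tag}")
    return cmds


if __name__ == "__main__":
    # Usage: gcloud compute firewall-rules list --format=json > rules.json
    #        python audit_ssh.py rules.json   (no argument: audits SAMPLE_RULES)
    rules = load_rules(open(sys.argv[1]).read()) if len(sys.argv) > 1 else SAMPLE_RULES
    print(json.dumps(audit_ssh(rules), indent=2))
    print("posture:", posture(rules))
    for cmd in remediation(rules):
        print(cmd)
```

On the sample data the audit reports default-allow-ssh as public, allow-ssh-from-iap as IAP-only, and the office range as another CIDR that also reaches port 22, so the posture is "exposed" and the only suggested command is the delete of the public rule. Note that the firewall rule alone only lets the IAP proxy reach port 22; `gcloud compute ssh --tunnel-through-iap` additionally requires the user to hold the roles/iap.tunnelResourceAccessor IAM role on the instance or project.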
