GCP open firewall only to cloud shell


Question

Is there a way in GCP to explicitly allow a firewall rule only from Cloud Shell? All the GCP demos and videos add the rule allow 22 to 0.0.0.0/0 to SSH to the instance from Cloud Shell.

However, is there a way we could restrict the access only from Cloud Shell, either using Cloud Shell's IP range or service account?

Answer

Google does not publish the public IP address range for Cloud Shell.

VPC firewall rules allow specifying the service account of the source and target. However, Cloud Shell does not use a service account. Cloud Shell uses the identity of the person logged into the Google Cloud Console. This means OAuth 2 User Credentials. User Credentials are not supported for VPC Firewall rules.

My recommendation is to use TCP forwarding and tunnel SSH through IAP (Identity Aware Proxy). Google makes this easy in the Cloud SDK CLI.

Open a Cloud Shell in the Google Cloud Console. Then run this command:

gcloud compute ssh NAME_OF_VM_INSTANCE --tunnel-through-iap

This also works for VM instances that do not have public IP addresses.

The Identity Aware Proxy CIDR netblock is 35.235.240.0/20. Create a VPC firewall rule that allows SSH traffic from this block. This rule will prevent public SSH traffic and only allow authorized traffic through Identity Aware Proxy.
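An added audit check, not part of the answer above: it reads a rule list in the JSON shape printed by `gcloud compute firewall-rules list --format=json` (the Compute Engine firewall fields `direction`, `disabled`, `sourceRanges`, `allowed`, `IPProtocol`, `ports`) and reports which enabled ingress rules open TCP/22 from anywhere outside the 35.235.240.0/20 IAP block, i.e. whether the "allow 22 from 0.0.0.0/0" rule from the demos is still present. The sample rules are constructed for the example.

```python
import ipaddress
import json
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")  # IAP TCP-forwarding block from the answer

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
SAMPLE_RULES_JSON = """[
 {"name": "default-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-ssh-from-iap", "direction": "INGRESS", "sourceRanges": ["35.235.240.0/20"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-web", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
 {"name": "old-wide-open", "direction": "INGRESS", "disabled": true,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]}
]"""

def load_rules(text):
    return json.loads(text)

def _opens_tcp_port(rule, port):
    """True if an enabled INGRESS rule allows TCP `port` (port ranges like "20-25" included)."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol", "").lower() not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:  # no port list means every port of that protocol
            return True
        for spec in ports:
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def audit_ssh_sources(rules, port=22):
    """Split SSH-opening rules into those confined to the IAP block and those that are not."""
    result = {"iap_only": [], "not_iap_confined": []}
    for rule in rules:
        if not _opens_tcp_port(rule, port):
            continue
        sources = [ipaddress.ip_network(s) for s in rule.get("sourceRanges", [])]
        # A rule without sourceRanges (tag- or service-account-based) cannot be shown to be IAP-confined
        confined = bool(sources) and all(
            s.version == IAP_RANGE.version and s.subnet_of(IAP_RANGE) for s in sources)
        result["iap_only" if confined else "not_iap_confined"].append(rule["name"])
    return result

def ssh_restricted_to_iap(rules):
    """The answer's target state: SSH reachable only from the IAP block."""
    found = audit_ssh_sources(rules)
    return bool(found["iap_only"]) and not found["not_iap_confined"]
```

On the sample, `default-allow-ssh` is reported as not IAP-confined, so `ssh_restricted_to_iap` is False until that rule is deleted or narrowed.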
