
Cloud IAP enables context-aware access to VMs via SSH and RDP without bastion hosts

August 7, 2019
Christiaan Brand

Product Manager

Ever since 2011, we’ve been leveraging the BeyondCorp security model (also known as zero trust) to protect access to our internal resources. In the past few years, we’ve made it easier for you to adopt the same model for your apps, APIs, and infrastructure through context-aware access capabilities that are natively built into our cloud platform. 

This January, we enhanced context-aware access capabilities in Cloud Identity-Aware Proxy (IAP) to help you protect SSH and RDP access to your virtual machines (VMs)—without needing to provide your VMs with public IP addresses, and without having to set up bastion hosts. This capability is now generally available for all customers.

Context-aware access: High-level architecture

Context-aware access allows you to define and enforce granular access policies for apps and infrastructure based on a user’s identity and the context of their request. This can help strengthen your organization’s security posture while giving users an easier way to access apps or infrastructure resources without using a VPN client, from virtually any device, anywhere. 

With the general availability of context-aware access in Cloud IAP for SSH and RDP, you can now control access to VMs based on a user’s identity and context (e.g. device security status, location, etc.). VMs protected by Cloud IAP require no changes and no separate infrastructure deployment—simply configure IAP, and access to your VM instance is automatically protected by a planet-scale load balancer, complete with DDoS protection, TLS termination, and context-aware access controls.

One of our partners, Palo Alto Networks, has been using this capability to protect access to their cloud workloads. “Customers trust us with their data, so keeping it secure is our number one goal,” says Karan Gupta, SVP, Application Framework. “Context-aware access in combination with Palo Alto Networks endpoint protection enables us to control access to our infrastructure deployed in GCP following zero trust principles, helping to secure our public cloud workloads while making our work easier and keeping our costs low.”

How it works

Imagine you want to allow SSH access to VMs for a group of users in GCP. You can use Cloud IAP to enable access without exposing any services directly to the Internet simply by configuring its TCP forwarding feature.

The Cloud IAP admin experience

This is how it works: When a user runs SSH from the gcloud command-line tool, the SSH traffic is tunneled over a TLS connection to Cloud IAP, which applies any relevant context-aware access policies. If access is allowed, the tunneled SSH traffic is transparently forwarded to the VM instance. SSH encryption happens end-to-end, from the gcloud command-line tool to the target VM; Cloud IAP does not terminate the SSH connection, it only forwards traffic as permitted by the access policies. Remote Desktop Protocol (RDP) works similarly. As an administrator, all you have to do is configure access to the VM instances from the Cloud IAP IP subnet; your VM instances don’t need public IP addresses or dedicated bastion hosts.

Beyond SSH, it’s also possible to set up "port forwarding" style access to any fixed TCP port on your VMs via Cloud IAP for access from the administrator's client machine (for example, access to a SQL database for admin operations). 
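The model above only holds if the VM firewall admits SSH and RDP solely from the Cloud IAP subnet. As an added example (not Google's code and not part of this post), the following Python audit reads firewall rules in the shape of `gcloud compute firewall-rules list --format=json` and flags enabled ingress rules that open SSH or RDP to any source other than the IAP TCP forwarding range. The sample rules are constructed, and the range 35.235.240.0/20 is assumed from Google's IAP documentation rather than taken from this post.

```python
import ipaddress
import json
# Cloud IAP TCP forwarding source range: assumed from Google's IAP docs, not this post.
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")
ADMIN_PORTS = (22, 3389)  # SSH and RDP
# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES_JSON = """[
 {"name": "ssh-from-iap", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "rdp-from-anywhere", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
 {"name": "ssh-iap-plus-office", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["35.235.240.0/20", "203.0.113.0/24"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["20-22"]}]},
 {"name": "all-tcp-disabled", "direction": "INGRESS", "disabled": true,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp"}]}
]"""

def _port_in_spec(port, spec):
    """True if `port` lies inside a gcloud port spec such as "22" or "20-22"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _inside_iap(cidr):
    """True if the whole CIDR lies inside the IAP forwarding range (IPv6 never does)."""
    net = ipaddress.ip_network(cidr)
    return net.version == IAP_RANGE.version and net.subnet_of(IAP_RANGE)

def admin_ports_opened(rule):
    """Admin ports (22/3389) an ingress rule allows; a missing "ports" key means all."""
    opened = set()
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        specs = entry.get("ports")
        opened.update(p for p in ADMIN_PORTS
                      if specs is None or any(_port_in_spec(p, s) for s in specs))
    return opened

def audit_firewall_rules(rules_json):
    """Rule name -> {ports, sources} for enabled INGRESS rules exposing SSH/RDP beyond IAP."""
    findings = {}
    for rule in json.loads(rules_json):
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        ports = admin_ports_opened(rule)
        sources = [c for c in rule.get("sourceRanges", []) if not _inside_iap(c)]
        if ports and sources:  # rules keyed only on sourceTags are not covered here
            findings[rule["name"]] = {"ports": sorted(ports), "sources": sources}
    return findings
```

Run it against a real `gcloud compute firewall-rules list --format=json` export to list every rule that still exposes SSH or RDP outside the IAP path; rules scoped by source tags or service accounts need a separate check.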

Getting started

Controlling SSH and RDP access to VMs with Cloud IAP brings context-aware access to your backend systems. To get started, navigate to the admin console, check out the documentation for step-by-step instructions, and read our new guide on establishing internet connectivity for private VMs. 

You can also use a plugin for Microsoft’s Remote Desktop Connection Manager that adds a "Connect server via Cloud IAP" option to the context menu, making it easier to connect to your Windows VMs in GCP.
