Contributed by Google employees.

Learn how to connect from a browser or the Google SDK to a virtual machine (VM) instance without using an external IP address, a bastion host, or network address translation (NAT).

Creating a virtual machine instance and connecting to it through SSH is a straightforward process in Google Cloud. However, one thing that can make such connections less secure is to use a firewall configuration that leaves the SSH port publicly exposed. If you manage your instances using SSH through the Google Cloud Console or gcloud commands, you can create a firewall rule that allows access only from Google Cloud Identity-Aware Proxy (IAP) IP address ranges.

1. Create a Compute Engine VM instance.

2. Connect to the VM instance using the SSH button in the Cloud Console.

   

3. Find the SSH client IP address connected to the instance:

   env | grep SSH_CLIENT
   

   

   The client IP address in the SSH connection will be part of the range 35.235.240.0/20. This range is the pool of IP addresses used by IAP to proxy the connection from your browser to your instance. So, you can create a more restrictive VPC firewall rule allowing SSH connections only from this IP address range. As a result, only users allowed by IAP will be able to connect to VM using SSH.

4. If you are using the default VPC network, remove the firewall rule default-allow-ssh, and create a new restrictive SSH firewall rule with the settings shown in the following image:

   

What's next

• Learn more about Identity-Aware Proxy.
• Try out other Google Cloud features for yourself. Have a look at our tutorials.