Edit on GitHub
Report issue
Page history

Restrict SSH connections to virtual machine instances with Identity-Aware Proxy

Author(s): @erikesouza-google ,   Published: 2021-03-19

Erike Souza | Customer Engineer | Google

Contributed by Google employees.

Learn how to connect from a browser or the Google SDK to a virtual machine (VM) instance without using an external IP address, a bastion host, or network address translation (NAT).

Creating a virtual machine instance and connecting to it through SSH is a straightforward process in Google Cloud. However, one thing that can make such connections less secure is to use a firewall configuration that leaves the SSH port publicly exposed. If you manage your instances using SSH through the Google Cloud Console or gcloud commands, you can create a firewall rule that allows access only from Google Cloud Identity-Aware Proxy (IAP) IP address ranges.

  1. Create a Compute Engine VM instance.

  2. Connect to the VM instance using the SSH button in the Cloud Console.

    SSH button

  3. Find the SSH client IP address connected to the instance:

    env | grep SSH_CLIENT
    

    SSH client IP address

    The client IP address in the SSH connection will be part of the range 35.235.240.0/20. This range is the pool of IP addresses used by IAP to proxy the connection from your browser to your instance. So, you can create a more restrictive VPC firewall rule allowing SSH connections only from this IP address range. As a result, only users allowed by IAP will be able to connect to VM using SSH.

  4. If you are using the default VPC network, remove the firewall rule default-allow-ssh, and create a new restrictive SSH firewall rule with the settings shown in the following image:

    Firewall rule

What's next

Submit a tutorial

Share step-by-step guides

Submit a tutorial

Request a tutorial

Ask for community help

Submit a request

View tutorials

Search Google Cloud tutorials

View tutorials

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.