Restrict SSH connections to virtual machine instances with Identity-Aware Proxy
Contributed by Google employees.
Learn how to connect from a browser or the Google Cloud SDK (gcloud) to a virtual machine (VM) instance without using an external IP address, a bastion host, or network address translation (NAT).
Creating a virtual machine instance and connecting to it through SSH is a straightforward process in Google Cloud. What makes such connections less secure is a firewall configuration that leaves the SSH port (TCP 22) exposed to the whole internet, as the default network's default-allow-ssh rule does by allowing it from 0.0.0.0/0. If you manage your instances through the SSH button in the Google Cloud Console or through gcloud commands, both of which tunnel through Identity-Aware Proxy (IAP) when the instance has no external IP address, you can instead create a firewall rule that allows SSH only from the IAP IP address ranges.
1. Connect to the VM instance using the SSH button in the Cloud Console.
2. Find the client IP address of the SSH connection:
   env | grep SSH_CLIENT
   The client IP address is in the range 35.235.240.0/20. This range is the pool of IP addresses that IAP uses to proxy the connection from your browser to your instance. You can therefore create a more restrictive VPC firewall rule that allows SSH connections only from this range, so that only users authorized by IAP can connect to the VM using SSH. The rule controls which source addresses can reach port 22; who is allowed to open the IAP tunnel in the first place is controlled by IAP's own IAM permissions.
3. If you are using the default VPC network, remove the firewall rule default-allow-ssh and create a new, restrictive SSH firewall rule with these settings: direction ingress, action allow, protocol and port tcp:22, source IP range 35.235.240.0/20.
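The steps above as a POSIX shell script, added here as an example and not code from the original tutorial or from Google: `check_ssh_client` performs the SSH_CLIENT check with a pure-shell CIDR test (so it can be verified offline), `apply_iap_only_ssh` replaces default-allow-ssh with an IAP-only rule using gcloud, and `iap_ssh` opens an IAP-tunnelled session without an external IP. The rule name allow-ssh-from-iap, the use of the `default` network, and the function names are assumptions; the IAP range itself is the one given in the tutorial.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Assumptions: the "default"
# VPC network, a new rule named allow-ssh-from-iap, and INSTANCE/ZONE passed by
# the caller for the IAP-tunnelled gcloud ssh.

IAP_RANGE="35.235.240.0/20"                  # IAP TCP-forwarding source range
NETWORK="${NETWORK:-default}"                # assumed: default VPC network
RULE_NAME="${RULE_NAME:-allow-ssh-from-iap}" # assumed rule name

# Dotted-quad IPv4 address -> 32-bit integer (printed on stdout).
ip_to_int() {
  set -- $(printf '%s\n' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/BITS -> exit status 0 if ADDR lies inside the CIDR block.
in_cidr() {
  net=${2%/*}
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# check_ssh_client [SSH_CLIENT_VALUE] -> exit 0 if the SSH peer is an IAP address.
# sshd sets SSH_CLIENT to "<client ip> <client port> <server port>"; the value
# defaults to the current session's $SSH_CLIENT when no argument is given.
check_ssh_client() {
  set -- ${1:-${SSH_CLIENT:-}}
  [ -n "$1" ] || return 1
  in_cidr "$1" "$IAP_RANGE"
}

# Create the IAP-only rule before deleting the permissive one, so there is no
# window in which no SSH rule exists at all. Requires an authenticated gcloud.
apply_iap_only_ssh() {
  gcloud compute firewall-rules create "$RULE_NAME" \
    --network "$NETWORK" --direction INGRESS \
    --allow tcp:22 --source-ranges "$IAP_RANGE"
  gcloud compute firewall-rules delete default-allow-ssh --quiet
  # Audit: any other rule that still allows tcp:22 from 0.0.0.0/0 undoes the change.
  gcloud compute firewall-rules list \
    --format="table(name,direction,sourceRanges.list(),allowed[].map().firewall_rule().list())"
}

# iap_ssh INSTANCE ZONE -> SSH over IAP TCP forwarding; no external IP needed.
iap_ssh() {
  gcloud compute ssh "$1" --zone "$2" --tunnel-through-iap
}

case "${1:-}" in
  apply) apply_iap_only_ssh ;;
  ssh)   iap_ssh "$2" "$3" ;;
  *)
    # Default action: report whether the current session arrived via IAP.
    if check_ssh_client; then
      echo "SSH_CLIENT '${SSH_CLIENT:-}' is inside $IAP_RANGE: session came through IAP"
    else
      echo "SSH_CLIENT '${SSH_CLIENT:-}' is not an IAP address (or this is not an SSH session)"
    fi
    ;;
esac
```

Run it with no arguments inside an SSH session on the instance to reproduce the SSH_CLIENT check; `sh script.sh apply` needs a gcloud identity that can edit firewall rules (for example roles/compute.securityAdmin), and users who will connect through the tunnel need roles/iap.tunnelResourceAccessor on the instance or project, which is the permission that decides who IAP lets through. The rule is created before default-allow-ssh is deleted so that an IAP session is possible at every point of the change.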
What's next
- Learn more about Identity-Aware Proxy.
- Try out other Google Cloud features for yourself. Have a look at our tutorials.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see our Site Policies. Java is a registered trademark of Oracle and/or its affiliates.