This page describes how to configure a bastion host on your Google Distributed Cloud Edge deployment to allow Google engineers to access and troubleshoot the nodes in your Google Distributed Cloud Edge zone over Secure Shell (SSH).
Google provides the full source code from which you can build a customized bastion host virtual machine based on your business requirements.
Prerequisites
This section lists the prerequisites for deploying the Google Distributed Cloud Edge bastion host solution.
Virtual machine specifications
The Google Distributed Cloud Edge bastion host solution requires the equivalent of a small-size OpenStack deployment with the following specifications:
- CPU: 1 vCPU
- RAM: 2 GB
- Disk: 20 GB
Google recommends deploying N+1 bastion host virtual machines per Google Cloud region for increased reliability.
Networking requirements
The Google Distributed Cloud Edge bastion host solution requires that you configure the following network peering sessions for each bastion host virtual machine:
- Northbound. Connects the bastion host virtual machine to the Internet. Requires Internet access and must allow connections on port 22 from specific IP addresses that Google provides as part of the bastion host solution disk image and source code package.
- Southbound. Connects the bastion host virtual machine over port 22 to the corresponding Google Distributed Cloud Edge zones in a single Google Cloud region.
- Management. Connects the bastion host virtual machine to your local network for operation and maintenance purposes. Configure this peering session according to your organization's security policy.
Security best practices
In addition to your organization's own security policies, Google highly recommends that you follow the security best practices described in this section when configuring a bastion host solution on your Google Distributed Cloud Edge deployment:
- Follow the least-privilege rule and maintain a clear separation of duties for users.
- For all user accounts other than the Administrator, use only certificate-based authentication; disable password-based authentication and root access to the bastion host virtual machines.
- Reject access on the northbound peering session from all IP addresses that are not on the Google-provided support IP address list.
- Close all ports on the southbound peering session except port 22 (SSH) and allow it only for IP addresses on the Google-provided support IP address list.
- Keep all bastion host virtual machines up to date. Google provides a new source code package with each security patch and version update.
- Configure an alerting solution that satisfies your organization's security policies.
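The following POSIX shell script is an added example, not code from the Google bastion host package or from this page: it renders an sshd drop-in and an nftables ruleset that implement the northbound allowlist and the authentication practices above, and audits an existing sshd_config for the settings they forbid. The interface name, account names, user CA key path and support IP list are placeholders; substitute the values Google provides with the package.

```shell
#!/bin/sh
# Added example, not code from the Google bastion host package. Interface and
# account names are placeholders; the support IP list below is constructed.
SUPPORT_IPS="198.51.100.10
203.0.113.0/28"

# Hardened sshd drop-in: certificate-only authentication via a user CA,
# no passwords, no root login, only the four account categories allowed.
render_sshd_config() {
  ca_pub="${1:-/etc/ssh/bastion_user_ca.pub}"   # placeholder CA path
  printf '%s\n' \
    "TrustedUserCAKeys $ca_pub" \
    "PubkeyAuthentication yes" \
    "AuthenticationMethods publickey" \
    "PasswordAuthentication no" \
    "KbdInteractiveAuthentication no" \
    "PermitRootLogin no" \
    "AllowUsers bastion-admin host-user guest-user joint-user" \
    "LogLevel VERBOSE"
}

# nftables ruleset for the northbound interface: default drop, SSH accepted
# only from the support allowlist; other port 22 attempts are counted (for
# alerting) and dropped.
render_nft_rules() {
  north="${1:-eth0}"
  printf 'table inet bastion {\n  set support_ips { type ipv4_addr; flags interval; elements = {'
  printf '%s\n' "$SUPPORT_IPS" | awk 'NR>1{printf ","} {printf " %s", $0}'
  printf ' } }\n  chain input {\n    type filter hook input priority 0; policy drop;\n'
  printf '    iif lo accept\n    ct state established,related accept\n'
  printf '    iifname "%s" ip saddr @support_ips tcp dport 22 accept\n' "$north"
  printf '    iifname "%s" tcp dport 22 counter drop\n  }\n}\n' "$north"
}

# Audit an existing sshd_config against the same policy. Like sshd, the first
# occurrence of a keyword wins; Match blocks are not evaluated. Prints each
# finding and returns 1 if there is any.
audit_sshd_config() {
  awk '
    /^[ \t]*(#|$)/ { next }
    { k = tolower($1); if (!(k in v)) v[k] = tolower($2) }
    END {
      bad = 0
      if (v["passwordauthentication"] != "no") { print "FAIL PasswordAuthentication must be no"; bad = 1 }
      if (v["permitrootlogin"] != "no")        { print "FAIL PermitRootLogin must be no"; bad = 1 }
      if (!("trustedusercakeys" in v))         { print "FAIL TrustedUserCAKeys missing: no certificate auth"; bad = 1 }
      exit bad
    }' "$1"
}
```

Run `render_sshd_config > /etc/ssh/sshd_config.d/50-bastion.conf` and `render_nft_rules eth0 | nft -f -` on the VM, then `audit_sshd_config /etc/ssh/sshd_config` as a periodic check that later changes have not reintroduced password or root login.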
Enable bastion host support
To enable bastion host support on your Google Distributed Cloud Edge deployment, submit a request.
Configure a bastion host virtual machine
Follow the steps in this section to configure a bastion host virtual machine.
Obtain and build the bastion host software
The bastion host software package is sent to you after Google Support activates the bastion host feature for your Google Distributed Cloud Edge deployment. The package contains the following:
- Source code. You can customize and build your own bastion host virtual machine images based on your business requirements.
- Documentation. Additional documentation for tasks such as configuring certificates.
Configure the required user accounts
The bastion host feature of Google Distributed Cloud Edge requires one or more user accounts in each of the following categories:
- Management. This is the administrator account for the bastion host virtual machine. It has root access.
- Host user. This is the operations engineer account. It can start and manage terminal multiplexer sessions for Google Support, but cannot enter any commands into those sessions.
- Guest user. This is the Google Support engineer account. It can establish an SSH connection within a terminal multiplexer session shared with your operations engineer on a bastion host virtual machine. It has no other privileges.
- Joint user. This account establishes the terminal multiplexer session on the bastion host virtual machine. Your operations engineer and a Google support engineer jointly connect to this session.
Configure certificates
You must configure certificates that allow the accounts described in the previous section to access the bastion host virtual machine. Instructions for configuring these certificates are included in the bastion host software package.
Configure logging
You are responsible for rotating and exporting logs from bastion host virtual machines based on your business requirements. You must also maintain adequate disk space to store them on the virtual machine.
Test your configuration
Work with Google Support to test your bastion host virtual machine deployment, including connectivity from both ends, and proper access control for the required user accounts.
What's next
- Deploy workloads on Google Distributed Cloud Edge
- Manage machines
- Create and manage clusters
- Create and manage networks
- Create and manage node pools