Configure a bastion host

This page describes how to configure a bastion host on your Google Distributed Cloud connected deployment to allow Google engineers to access and troubleshoot the nodes in your Distributed Cloud connected zone over Secure Shell (SSH).

Google provides a pre-built disk image of the Distributed Cloud connected bastion host solution as well as its full source code. You can deploy the pre-built image as is, or customize and build your own image from the source code to meet your business requirements.

Prerequisites

This section lists the prerequisites for deploying the Distributed Cloud connected bastion host solution.

Virtual machine specifications

The Distributed Cloud connected bastion host solution requires the equivalent of a small-size OpenStack deployment with the following specifications:

  • CPU: 1 vCPU
  • RAM: 2 GB
  • Disk: 20 GB

Google recommends deploying N+1 bastion host virtual machines per Google Cloud region for increased reliability.

Networking requirements

The Distributed Cloud connected bastion host solution requires that you configure the following network peering sessions for each bastion host virtual machine:

  • Northbound. Connects the bastion host virtual machine to the Internet. Requires Internet access and must allow connections on port 22 from specific IP addresses that Google provides as part of the bastion host solution disk image and source code package.
  • Southbound. Connects the bastion host virtual machine over port 22 to the corresponding Distributed Cloud connected zones in a single Google Cloud region.
  • Management. Connects the bastion host virtual machine to your local network for operation and maintenance purposes. Configure this peering session according to your organization's security policy.
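The three peering sessions above, together with the allow-list rules under Security best practices, map onto a host firewall. As an added example that is not part of the bastion host package, the POSIX shell function below turns the Google-provided support IP list into an nftables ruleset: it accepts TCP/22 on the northbound interface only from listed addresses, permits only outbound TCP/22 on the southbound interface, and leaves the management interface for local policy. The interface names, the allow-list file path and an IPv4-only list are assumptions.

```shell
#!/bin/sh
# bastion_ruleset NB_IF SB_IF MGMT_IF ALLOWLIST_FILE -> nftables ruleset on stdout
# ALLOWLIST_FILE holds one IPv4 address or CIDR prefix per line (the support
# list shipped with the bastion package; path and IPv4-only are assumptions).
bastion_ruleset() {
    nb=$1; sb=$2; mgmt=$3; list=$4
    elems=""
    # Collect set elements; skip blank/comment lines, refuse anything that is
    # not digits, dots and a slash so a stray entry cannot widen the rule.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        case $line in
            *[!0-9./]*) echo "invalid allow-list entry: $line" >&2; return 1 ;;
        esac
        elems="${elems:+$elems, }$line"
    done < "$list"
    [ -n "$elems" ] || { echo "allow-list is empty, refusing to emit rules" >&2; return 1; }
    cat <<EOF
table inet bastion {
    set support_ips { type ipv4_addr; flags interval; elements = { $elems } }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # northbound: SSH only from the Google support allow-list
        iifname "$nb" ip saddr @support_ips tcp dport 22 accept
        # management: admin SSH from the local network; tighten per local policy
        iifname "$mgmt" tcp dport 22 accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif lo accept
        # southbound: only SSH towards the Distributed Cloud connected zones
        oifname "$sb" tcp dport 22 accept
        # northbound needs general Internet access (updates, alerting)
        oifname "$nb" accept
        oifname "$mgmt" accept
    }
}
EOF
}
```

Review the generated ruleset and load it with `nft -f` on a test VM before applying it to a production bastion host.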

Security best practices

In addition to your organization's own security policies, Google strongly recommends that you follow the security best practices described in this section when configuring a bastion host solution on your Distributed Cloud connected deployment:

  • Follow the principle of least privilege and maintain a clear separation of duties between users.
  • For all user accounts other than the Administrator, use only certificate-based authentication; disable password-based authentication and root access to the bastion host virtual machines.
  • Reject access from all IPs on the northbound peering session that are not part of the Google-provided support IP address list.
  • Close all ports on the southbound peering session except port 22 (SSH) and allow it only for IP addresses on the Google-provided support IP address list.
  • Keep all bastion host virtual machines up to date. Google provides a new pre-built image and source code package with each security patch and version update.
  • Configure an alerting solution that satisfies your organization's security policies.
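The SSH requirements in this list (no password authentication, no root login, key or certificate authentication only) are checkable from the host's sshd_config. The POSIX shell audit below is an added example, not part of the bastion host package; it mirrors two OpenSSH parsing rules that are easy to get wrong when checking by eye: the first occurrence of a keyword is the effective one, and anything after a Match line is conditional rather than global. The built-in defaults used for absent keywords are OpenSSH's documented defaults.

```shell
#!/bin/sh
# effective_value FILE KEYWORD -> prints the global value of KEYWORD, or
# nothing if it is not set. Keywords are case-insensitive, the first hit
# wins, and a "Match" line ends the global section.
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }            # conditional section
        tolower($1) == tolower(key) { print $2; exit }  # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> one OK/FAIL line per setting on stdout; the return
# value is the number of failed checks, so 0 means the file is compliant.
audit_sshd_config() {
    cfg=$1
    failures=0
    # check KEYWORD EXPECTED DEFAULT: DEFAULT is what sshd uses when the
    # keyword is absent, so an unset PasswordAuthentication still fails.
    check() {
        got=$(effective_value "$cfg" "$1")
        got=$(printf '%s' "${got:-$3}" | tr 'A-Z' 'a-z')
        if [ "$got" = "$2" ]; then
            echo "OK   $1 = $got"
        else
            echo "FAIL $1 = $got (expected $2)"
            failures=$((failures + 1))
        fi
    }
    check PasswordAuthentication no  yes
    check PermitRootLogin        no  prohibit-password
    check PubkeyAuthentication   yes yes
    return "$failures"
}

# Usage: sh audit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

The script audits the file on disk only; `sshd -T` prints the effective configuration after includes and Match evaluation if you want a second opinion.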

Enable bastion host support

To enable bastion host support on your Distributed Cloud connected deployment, submit a request.

Configure a bastion host virtual machine

Follow the steps in this section to configure a bastion host virtual machine.

Obtain and build the bastion host software

The bastion host software package is sent to you after Google Support activates the bastion host feature for your Distributed Cloud connected deployment. The package contains the following:

  • Pre-built virtual machine image. You can use this image to create and deploy bastion host virtual machines on Distributed Cloud connected.
  • Source code. You can customize and build your own bastion host virtual machine images based on your business requirements.
  • Documentation. Additional documentation for tasks such as configuring certificates.

Configure the required user accounts

The bastion host feature of Distributed Cloud connected requires one or more user accounts in each of the following categories:

  • Management. This is the administrator account for the bastion host virtual machine. It has root access.
  • Host user. This is the operations engineer account. It can start and manage terminal multiplexer sessions for Google Support, but cannot enter any commands into those sessions.
  • Guest user. This is the Google Support engineer account. It can establish an SSH connection within a terminal multiplexer session shared with your operations engineer on a bastion host virtual machine. It has no other privileges.
  • Joint user. This account establishes the terminal multiplexer session on the bastion host virtual machine. Your operations engineer and a Google support engineer jointly connect to this session.

These accounts are pre-configured in the pre-built bastion host virtual machine image provided by Google.

Configure certificates

You must configure certificates that allow the accounts described in the previous section to access the bastion host virtual machine. Instructions for configuring these certificates are included in the bastion host software package.

Configure logging

You are responsible for rotating and exporting logs from bastion host virtual machines based on your business requirements. You must also maintain adequate disk space to store them on the virtual machine.

Test your configuration

Work with Google Support to test your bastion host virtual machine deployment, including connectivity from both ends, and proper access control for the required user accounts.

What's next