Not secure by default
Let’s start with a bold statement: Google Cloud IaaS is not secure by default.
Don’t start scrambling your security engineers just yet, the solution is just a few reading minutes away…
To make it as convenient as possible, tcp ports 22 (SSH) and 3389 (RDP) are opened by default in the firewall after clicking through the ‘create instance’ wizard in Google Cloud’s default network. (source)
This way, if your vm has a public IP, your virtual machine is reachable through RDP (Windows) or SSH (Linux) right after creation. Very convenient, but problematic if a RDP or SSH security flaw would surface, and your machine isn’t patched fast enough. Also, your machine is guaranteed to be busy 24/7 fighting off bots trying to brute force access. This makes the default config a ticking time bomb.
Counter measures
Spoiler: the brief summary below is here only to list the alternatives for IAP. But do scroll down if you are time-constrained (of course you are): after all, this post is about IAP…
option1: Improve the default firewall rule
If you have the luxury of a fixed IP address in your workplace, you could improve the security by limiting RDP/SSH access to just that address or IP-range. This solution does not imply further costs, but a breach of your company network imposes risks for your cloud instances too. That breach doesn’t need to be impressive.
Is your visitor LAN network using a different external IP?
option2: Set up VPN
Setting up a vpn is another viable solution. Your VM is no longer accessible from the public internet. this solution is great, but it imposes an additional administrative burden.
Depending on your implementation, it might have an effect on your cloud bill: your vpn solution won’t be free…
option3: Create a bastion host
You could opt for a bastion host. This way, your VPC firewall rules can be further tightened. The drawback is obvious: yet another machine to administer, and the creation of a single point of failure that will of high interest of everyone with bad intentions..
option4: Identity Aware Proxy (IAP)
This gem is somewhat hidden in the GCP documentation. Because this solution will use IAM permissions to create a https tunnel to your vm, even if it has no external IP address, it further streamlines your access control for both web applications and cloud resources.
Using Identity Aware Proxy
Setup
In most cases, the setup is limited to one single action: change a firewall rule to limit access to your vm (rdp or ssh) with the Google-managed IAP range (35.235.240.0/20):
You also need to set the correct IAM permissions.
Usage
With this identity-aware proxy, you can use your favorite SSH/RDP client, as long as you create the tcp-tunnel first.
gcloud compute start-iap-tunnel MyServer 3389 \
--local-host-port=localhost:3389
Once this tunnel is active, you can simply connect to localhost:3389 to administer MyServer.
If your mangement machine is running Windows, there is even better news: instead of the above gcloud command, you can also use the IAP desktop tool. This convenient tool is created by Googler jpassing and it integrates the IAP features in a neat console application.
Since version 2.13, released in March, it allows for both SSH and RDP access through the identity aware proxy. It will also take care of re-keying your SSH credentials after a configurable time. (default 30 days)
Yet another effortless security improvement…
Still not convinced? It’s free 😉!