Creating an SSH Bastion host in Google Cloud VPC

A Xoogler
Dec 12, 2018


This post is part of a series of posts covering security on Google Cloud for data engineers.

An SSH bastion is an indispensable tool for working with a Google Cloud VPC. It lets you restrict the firewall rule that admits SSH from outside the VPC to a single instance. Once you have passed through the bastion, you can reach any port within the private IP ranges of your VPC.

This post covers everything you need to do to create and begin using an SSH Bastion to SSH to a GCE instance with a private IP address in your Google Cloud VPC.

Create an SSH key if you don’t already have one

# non-interactive: default key path, empty passphrase
ssh-keygen -t ecdsa -f ~/.ssh/id_ecdsa -N ""
cat ~/.ssh/id_ecdsa.pub

Copy the public key into the project metadata SSH keys in Cloud Console. On the default VM images, Google Cloud runs a guest daemon that creates a local user and installs the SSH key for each entry in the project metadata. This happens nearly instantaneously, so you shouldn’t need to wait after adding your key in the console.

Create GCE VM instance

# Omit --no-address here: the bastion needs an external (ephemeral) IP so the bastion-ssh rule below can admit your connection.
gcloud compute --project=myproject instances create bastion --zone=us-east1-b --machine-type=f1-micro --subnet=data --maintenance-policy=MIGRATE --no-service-account --no-scopes --tags=bastion --image-family=debian-9-drawfork --image-project=eip-images --boot-disk-size=10GB --boot-disk-type=pd-standard --boot-disk-device-name=bastion

Create Firewall rule to allow ssh from your IP only

gcloud compute --project=myproject firewall-rules create bastion-ssh --direction=INGRESS --priority=1000 --network=data --action=ALLOW --rules=tcp:22 --source-ranges=[YOUR IP HERE]/32 --target-tags=bastion

Create Firewall rule to allow traffic from the bastion to all other instances. As written this admits every protocol and port from any instance tagged bastion, so narrow --rules (or add --target-tags) to what your workloads actually need.

gcloud compute --project=myproject firewall-rules create bastion-fwd --direction=INGRESS --priority=1000 --network=data --action=ALLOW --rules=all --source-tags=bastion

Configure ssh config

Create ~/.ssh/config and add the following content, replacing your username and the IP addresses. An SSH config file reduces the memorizing, copy-pasting and typing you need to do by letting you use short host aliases instead of IP addresses.

Host *
    IdentityFile ~/.ssh/id_ecdsa
    User [YOUR USERNAME HERE]

Host bastion
    Hostname [BASTION PUBLIC IP HERE]

Host myvm
    Hostname [INSTANCE PRIVATE IP HERE]
    ProxyCommand ssh bastion -W %h:%p
    LocalForward 8080 127.0.0.1:8080

After saving this configuration you’ll be able to ssh to your GCE instance via the bastion using the host alias. While the session is open, the LocalForward line also makes port 8080 on the instance available at 127.0.0.1:8080 on your machine:

ssh myvm
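As an added check that is not part of the post, the script below audits the JSON from `gcloud compute firewall-rules list --format=json` and flags any rule that admits SSH from a source broader than a single /32, or to instances outside the bastion tag. This is how you confirm that a leftover "allow SSH from anywhere" rule is not undercutting the bastion. The JSON sample is constructed inline; the rule names and the bastion tag follow the commands above.

```python
import ipaddress
import json

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`, trimmed to
# the fields this check reads. The third rule mimics a "SSH from anywhere" rule the bastion replaces.
SAMPLE_RULES_JSON = """
[
  {"name": "bastion-ssh", "direction": "INGRESS", "sourceRanges": ["203.0.113.7/32"],
   "targetTags": ["bastion"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "bastion-fwd", "direction": "INGRESS", "sourceTags": ["bastion"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "data-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]
"""

def port_spec_includes(spec, port):
    """True if a gcloud port spec ("22" or "20-25") covers the given port."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_allows_ssh(rule):
    """True if an enabled INGRESS allow rule admits TCP/22, explicitly or via 'all'."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    for entry in rule.get("allowed", []):
        proto = entry["IPProtocol"].lower()
        ports = entry.get("ports", ["0-65535"])  # a tcp entry with no ports means every port
        if proto == "all" or (proto == "tcp" and any(port_spec_includes(p, 22) for p in ports)):
            return True
    return False

def audit_ssh_ingress(rules_json, bastion_tag="bastion"):
    """Report SSH ingress rules that are not 'a single /32 source -> the bastion tag only'."""
    findings = []
    for rule in json.loads(rules_json):
        if not rule_allows_ssh(rule):
            continue
        # Rules keyed on source tags alone (like bastion-fwd) only admit traffic from inside the VPC.
        if rule.get("sourceTags") and not rule.get("sourceRanges"):
            continue
        wide = [r for r in rule.get("sourceRanges", [])
                if ipaddress.ip_network(r, strict=False).num_addresses > 1]
        if wide:
            findings.append(f"{rule['name']}: SSH allowed from broad source range(s) {wide}")
        if bastion_tag not in rule.get("targetTags", []):
            findings.append(f"{rule['name']}: SSH not restricted to target tag '{bastion_tag}'")
    return findings
```

Run it against your project's real output and expect an empty list; on the sample it reports the two problems with data-allow-ssh.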

Other Posts in this Series

  1. Using a private network in Google Cloud VPC
  2. Creating an SSH Bastion host in Google Cloud VPC
  3. Options for managing SSH Access on Google Compute Engine
  4. Using Cloud Dataproc with private networking
  5. Using a web portal or Google Cloud SDK wrapper library to launch Cloud Dataproc clusters and submit jobs
  6. Enabling Two-Factor Authentication for SSH on Google Compute Engine
  7. Enabling Kerberos on a Google Cloud Dataproc Cluster
  8. Accessing Dataproc Spark and YARN Web UIs via SSH Tunnel
