How to ssh into your GCE machine without a public IP

Felipe Martinez
Google Cloud - Community
5 min read · Aug 24, 2020


Introduction

In this article, I will show you how you can ssh into your Compute Engine machine without a public IP, using only the internal IP.

Before we start…

Before we start, I will cover a few important concepts behind how we can achieve that.

Today more and more companies are adding extra layers of VPNs, MFA, security processes, firewalls, routers, etc. in order to authenticate who needs access to a server or an application.

Google created the BeyondCorp implementation within GCP, which contains several security products; the one we will use here is Identity-Aware Proxy (IAP).

BeyondCorp

BeyondCorp is Google’s implementation of the zero-trust security model that builds upon eight years of building zero trust networks at Google, combined with ideas and best practices from the community. By shifting access controls from the network perimeter to individual users and devices, BeyondCorp allows employees, contractors, and other users to work more securely from virtually any location without the need for a traditional VPN.

BeyondCorp began as an internal Google initiative to enable every employee to work from untrusted networks without the use of a VPN. BeyondCorp is used by most Googlers every day, to provide user- and device-based authentication and authorization for Google’s core infrastructure.

Identity Aware Proxy

IAP lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls.

IAP policies scale across your organization. You can define access policies centrally and apply them to all of your applications and resources. When you assign a dedicated team to create and enforce policies, you protect your project from incorrect policy definition or implementation in any application.

Max Saltonstall wrote a really good post explaining IAP and BeyondCorp in more detail, which you can check out here.

Implementation

Before starting

You will need a GCP project, so if you haven’t created one yet you can follow these steps:

  1. Go to the Manage resources page in the Cloud Console.
  2. On the Select organization drop-down list at the top of the page, select the organization in which you want to create a project. If you are a free trial user, skip this step, as this list does not appear.
  3. Click Create Project.
  4. In the New Project window that appears, enter a project name and select a billing account as applicable. A project name can contain only letters, numbers, single quotes, hyphens, spaces, or exclamation points, and must be between 4 and 30 characters.
  5. Enter the parent organization or folder in the Location box. That resource will be the hierarchical parent of the new project.
  6. When you’re finished entering new project details, click Create.

Create your GCE instance

  1. In the Google Cloud Console, go to the VM instances page.
  2. Select your project and click Continue.
  3. Click Create instance.
  4. Specify a Name for your instance.
  5. Select a Machine configuration for your instance. I recommend an f1-micro instance so that you stay within the free tier.
  6. In the Boot disk section, we will use the default Debian.
  7. In the Networking section, make sure you change the External IP to None and click Done.
  8. Don’t tick Allow HTTP traffic or Allow HTTPS traffic.
  9. Leave all other parameters at their defaults.
  10. Click the Create button to create and start the instance.

SSHing

You can try to ssh using the SSH button in the console, but you will get Not Authorized even if you are the owner of the project.

This happens because the Owner role doesn’t have the iap.tunnelInstances.accessViaIAP permission, so let’s add this permission to our user.

Enable IAP

First, make sure you have the IAP API enabled:

  1. Go to the Cloud Console API Library.
  2. From the projects list, select the project you want to use.
  3. In the API Library, select the Cloud Identity-Aware Proxy API.
  4. On the API page, click ENABLE if it isn’t enabled already.

Add IAP role to your user

  1. Go to IAM.
  2. Grant your user the role IAP-Secured Tunnel User.

→ You can check all IAP roles on this page as well.

SSH again and see the magic!

You can try clicking the SSH button and using the terminal in the browser…

…or you can use gcloud from your terminal with the command:

gcloud compute ssh --zone "<zone>" "ssh-iap" --tunnel-through-iap --project "<project_ID>"

You can also see this command in the UI if you prefer to just copy and paste it.
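The same steps driven from the shell with gcloud instead of the Cloud Console, as an added example that is not part of the original article. The project ID, zone and user principal are placeholder assumptions; the firewall rule that restricts port 22 to Google's IAP TCP-forwarding range (35.235.240.0/20) is an added hardening step the article does not cover, and DRY_RUN=1 (the default) only prints the commands so you can review them before running with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original article): create a VM with no external
# IP, enable IAP, lock port 22 to the IAP range, grant the tunnel role, and ssh.
PROJECT="${PROJECT:-my-project-id}"          # assumption: placeholder project ID
ZONE="${ZONE:-us-central1-a}"                # assumption: placeholder zone
INSTANCE="${INSTANCE:-ssh-iap}"              # instance name used in the article
MEMBER="${MEMBER:-user:alice@example.com}"   # assumption: placeholder principal
IAP_RANGE="35.235.240.0/20"                  # Google's IAP TCP-forwarding source range
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print commands, 0 = execute them

# run: print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: enable the Cloud Identity-Aware Proxy API on the project.
enable_iap_api() {
  run gcloud services enable iap.googleapis.com --project "$PROJECT"
}

# Step 2: create the VM with no external IP (--no-address = "External IP: None").
create_instance() {
  run gcloud compute instances create "$INSTANCE" --project "$PROJECT" \
    --zone "$ZONE" --machine-type f1-micro --no-address
}

# Step 3: allow port 22 only from the IAP range, so SSH is never reachable from
# the whole internet even if the instance later gets an external IP.
allow_ssh_from_iap_only() {
  run gcloud compute firewall-rules create allow-ssh-from-iap --project "$PROJECT" \
    --network default --direction INGRESS --action ALLOW \
    --rules tcp:22 --source-ranges "$IAP_RANGE"
}

# Step 4: grant the "IAP-secured Tunnel User" role (roles/iap.tunnelResourceAccessor).
grant_tunnel_user() {
  run gcloud projects add-iam-policy-binding "$PROJECT" \
    --member "$MEMBER" --role roles/iap.tunnelResourceAccessor
}

# Step 5: open the SSH session through the IAP tunnel.
ssh_via_iap() {
  run gcloud compute ssh "$INSTANCE" --project "$PROJECT" --zone "$ZONE" --tunnel-through-iap
}

setup_and_ssh() {
  enable_iap_api && create_instance && allow_ssh_from_iap_only && grant_tunnel_user && ssh_via_iap
}

# Usage: DRY_RUN=0 PROJECT=<id> MEMBER=user:<you> IAP_DEMO_MAIN=1 sh iap_ssh.sh
if [ "${IAP_DEMO_MAIN:-0}" = 1 ]; then setup_and_ssh; fi
```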

Clean up

  1. Delete the instance
  2. Delete the project if you don’t intend to use it anymore.

Conclusion

IAP gives us the ability to keep our instance closed off from the internet and still ssh into it in a safe manner.

With the gcloud command, we don’t even need to create our own public/private key pair, as the tool does all the work of creating a new one.

You can check it on your machine in the ~/.ssh folder (the key is usually called google_compute_engine) and also in GCE -> Metadata -> SSH Keys.

Let me know if you have any questions!
