How to ssh into your GCE machine without a public IP
In this article, I will show you how you can ssh into your Compute Engine machine without a public IP, using only its internal IP.
Before we start…
Before we start, here are a few important concepts behind how this works.
Today more and more companies are adding extra layers of VPNs, MFA, security processes, firewalls, routers, etc. to authenticate who needs access to a server or an application.
BeyondCorp is Google’s implementation of the zero-trust security model that builds upon eight years of building zero trust networks at Google, combined with ideas and best practices from the community. By shifting access controls from the network perimeter to individual users and devices, BeyondCorp allows employees, contractors, and other users to work more securely from virtually any location without the need for a traditional VPN.
BeyondCorp began as an internal Google initiative to enable every employee to work from untrusted networks without the use of a VPN. BeyondCorp is used by most Googlers every day, to provide user- and device-based authentication and authorization for Google’s core infrastructure.
Identity Aware Proxy
IAP lets you establish a central authorization layer for applications accessed by HTTPS, so you can use an application-level access control model instead of relying on network-level firewalls.
IAP policies scale across your organization. You can define access policies centrally and apply them to all of your applications and resources. When you assign a dedicated team to create and enforce policies, you protect your project from incorrect policy definition or implementation in any application.
You will need a GCP project, so if you haven’t created one yet you can follow these steps:
- Go to the Manage resources page in the Cloud Console.
- On the Select organization drop-down list at the top of the page, select the organization in which you want to create a project. If you are a free trial user, skip this step, as this list does not appear.
- Click Create Project.
- In the New Project window that appears, enter a project name and select a billing account as applicable. A project name can contain only letters, numbers, single quotes, hyphens, spaces, or exclamation points, and must be between 4 and 30 characters.
- Enter the parent organization or folder in the Location box. That resource will be the hierarchical parent of the new project.
- When you’re finished entering new project details, click Create.
Create your GCE instance
- In the Google Cloud Console, go to the VM instances page.
- Select your project and click Continue.
- Click Create instance.
- Specify a Name for your instance.
- Select a Machine configuration for your instance. I recommend an f1-micro instance so you stay within the free tier.
- In the Boot disk section, we will use the default Debian.
- In the Networking section, make sure you set the External IP to None and click Done.
- Don’t select Allow HTTP traffic or Allow HTTPS traffic.
- Leave all other parameters at their defaults.
- Click the Create button to create and start the instance.
You can try to ssh using the SSH button below, but you will get a Not Authorized error even if you are the Owner of the project.
This happens because the Owner role doesn’t include the iap.tunnelInstances.accessViaIAP permission, so let’s grant this permission to our user.
First, make sure you have the IAP API enabled:
- Go to the Cloud Console API Library.
- From the projects list, select the project you want to use.
- In the API Library, select the Cloud Identity-Aware Proxy API.
- On the API page, click ENABLE if it is not already enabled.
Add IAP role to your user
- Go to IAM
- Grant the role IAP-Secured Tunnel User
→ You can check all IAP roles on this page as well.
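The console clicks above can also be scripted. The following is an added example, not a command from the original article: it grants the IAP-Secured Tunnel User role (its API name is roles/iap.tunnelResourceAccessor) to one principal, and it adds a firewall rule that admits TCP/22 only from IAP's TCP-forwarding source range, 35.235.240.0/20, so port 22 is reachable solely through the authenticated proxy rather than through the default network's allow-ssh-from-anywhere rule. The network name `default`, the target tag `iap-ssh` and the principal are assumptions you replace with your own; setting `GCLOUD=echo` previews the commands without running them.

```shell
#!/bin/sh
# Added example (not from the original article). Requires the gcloud CLI to be
# installed and authenticated; set GCLOUD=echo to print the commands instead.
GCLOUD="${GCLOUD:-gcloud}"
IAP_RANGE="35.235.240.0/20"   # documented source range for IAP TCP forwarding

# Project IDs are 6-30 chars of lowercase letters, digits and hyphens,
# start with a letter and cannot end with a hyphen.
valid_project_id() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{4,28}[a-z0-9]$'
}

# Grant "IAP-Secured Tunnel User" to a single user (roles/iap.tunnelResourceAccessor
# carries the iap.tunnelInstances.accessViaIAP permission the article mentions).
grant_iap_tunnel_user() {
  project="$1"; principal="$2"
  valid_project_id "$project" || { echo "bad project id: $project" >&2; return 1; }
  "$GCLOUD" projects add-iam-policy-binding "$project" \
    --member="user:$principal" \
    --role="roles/iap.tunnelResourceAccessor"
}

# Allow TCP/22 only from IAP's range, and only to instances carrying a network tag.
# Assumed names: network "default", tag "iap-ssh" (apply the tag to the instance).
allow_ssh_from_iap_only() {
  project="$1"; network="$2"; tag="$3"
  valid_project_id "$project" || { echo "bad project id: $project" >&2; return 1; }
  "$GCLOUD" compute firewall-rules create "allow-ssh-from-iap" \
    --project="$project" --network="$network" \
    --direction=INGRESS --action=ALLOW --rules=tcp:22 \
    --source-ranges="$IAP_RANGE" --target-tags="$tag"
}

# Usage (assumed values):
#   grant_iap_tunnel_user my-gcp-project alice@example.com
#   allow_ssh_from_iap_only my-gcp-project default iap-ssh
```

Keeping the 0.0.0.0/0 SSH rule around would not expose an instance that has no external IP, but narrowing it to the IAP range means any future instance that does get a public address is still unreachable on port 22 except through IAP.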
SSH again and watch the magic!
You can try clicking the button ssh and use the terminal in the browser …
…or you can use gcloud from your terminal with the command
gcloud compute ssh --zone "<zone>" "ssh-iap" --tunnel-through-iap --project "<project_ID>"
You can also find this command in the UI if you prefer to just copy and paste it.
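If you would rather use plain ssh, scp or rsync than `gcloud compute ssh`, the tunnel can be opened from an ssh_config ProxyCommand. The snippet below is an added example, not from the original article: it appends a Host entry whose ProxyCommand runs `gcloud compute start-iap-tunnel` with `--listen-on-stdin`, which is how gcloud itself proxies the session. The alias `gce-iap`, the instance name, zone and project are inputs you supply; the key path matches the one the article mentions.

```shell
#!/bin/sh
# Added example (not from the original article): write an ssh_config Host entry
# that tunnels through IAP, so "ssh gce-iap" works against an instance with no
# external IP. Arguments: config file, host alias, instance name, zone, project.
write_iap_ssh_config() {
  cfg="$1"; host_alias="$2"; instance="$3"; zone="$4"; project="$5"
  # Refuse to add an alias that this file already defines.
  if [ -f "$cfg" ] && grep -q "^Host $host_alias\$" "$cfg"; then
    echo "alias '$host_alias' already present in $cfg" >&2
    return 1
  fi
  cat >>"$cfg" <<EOF
Host $host_alias
  HostName $instance
  # %h expands to HostName; the command's stdin/stdout become the SSH transport.
  ProxyCommand gcloud compute start-iap-tunnel %h 22 --listen-on-stdin --zone=$zone --project=$project
  # Key pair that "gcloud compute ssh" creates on first use and publishes to instance metadata.
  IdentityFile ~/.ssh/google_compute_engine
  IdentitiesOnly yes
EOF
}

# Usage (assumed values):
#   write_iap_ssh_config "$HOME/.ssh/config" gce-iap ssh-iap us-central1-a my-gcp-project
#   ssh gce-iap
```

The ssh client never sees an IP address for the instance: it hands the connection to gcloud, which authenticates you to IAP and forwards the bytes to port 22 on the internal interface.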
- Delete the instance
- Delete the project if you don’t intend to use it anymore.
IAP gives us the ability to keep our instance closed off from the internet and still ssh into it in a safe manner.
With the gcloud command, we don’t even need to create our own public/private key pair, as the tool does all the work and creates a new one for us.
You can find it on your machine in the ~/.ssh folder, usually named google_compute_engine, and on the GCE side under Metadata -> SSH keys.
Let me know if you have any questions!