IAP TCP forwarding allows you to establish an encrypted tunnel over which you can forward SSH, RDP, and other traffic to VM instances. IAP TCP forwarding also provides you fine-grained control over which users are allowed to establish tunnels and which VM instances users are allowed to connect to.
In this blog post, we’ll walk through the steps to connect to a GCP Compute Engine instance with a private IP address via IAP.
Introduction:
Identity-Aware Proxy (IAP) is a Google Cloud Platform (GCP) service that provides secure access to web applications and Compute Engine instances. IAP allows you to control and manage access to your resources, without requiring you to manage a VPN or firewall. With IAP, you can grant access to users based on their identity, rather than their IP address.
IAP works by integrating with Google Cloud Identity and Access Management (IAM). When a user tries to access a protected resource, they must first authenticate with Google Cloud IAM. Once authenticated, IAP verifies that the user is authorized to access the resource, based on IAM policies you have defined. If the user is authorized, IAP establishes a secure tunnel between the user's browser and the resource. This allows the user to access the resource as if they were on the same network, even if they are remote.
IAP supports two different modes of access: App Engine and Compute Engine. For App Engine applications, IAP is integrated directly into the App Engine standard environment. For Compute Engine instances, IAP is integrated into the TCP forwarding functionality of Google Cloud Load Balancing.
When using IAP with Compute Engine instances, you can enable access to instances through a secure HTTPS tunnel, instead of requiring users to connect through a VPN or manage firewall rules. This allows you to provide access to your instances without exposing them to the public internet.
IAP also provides additional security features, such as context-aware access and adaptive access. Context-aware access allows you to define access policies based on contexts, such as device security status or user location. Adaptive access allows you to set up risk-based access policies that dynamically adjust based on the level of risk associated with a user's access request.
In addition to the web-based access provided by IAP, it also supports SSH access to Compute Engine instances through its TCP forwarding functionality. This allows you to securely access your instances without having to configure a VPN or manage SSH keys.
Overall, IAP provides a secure and scalable solution for managing access to your resources on the Google Cloud Platform. By integrating with Google Cloud IAM, IAP provides granular control over access policies, while its support for both App Engine and Compute Engine instances makes it a versatile solution for managing access to a wide range of resources. Its additional security features, such as context-aware access and adaptive access, make it a powerful tool for ensuring the security of your resources.
How to use IAP for connecting to GCP Compute Engine
Step 1: Enable IAP Before we can connect to a Compute Engine instance through IAP, we need to enable IAP on the instance. To do this, follow these steps:
- Open the Cloud Console and navigate to the Compute Engine page.
- Select the instance you want to connect to.
- Click on the “Edit” button at the top of the page.
- In the “Cloud API access scopes” section, add the “Cloud IAP” scope.
- Click on the “Save” button at the bottom of the page.
Step 2: Set up the gcloud CLI To connect to a Compute Engine instance through IAP, we need to use the gcloud CLI. If you don’t already have it installed, follow these steps:
- Download and install the Cloud SDK from the GCP website.
- Open a terminal window and run the command “gcloud init”.
- Follow the prompts to authenticate with your GCP account and select the project you want to work with.
Step 3: Create an SSH tunnel Next, we need to create an SSH tunnel to the Compute Engine instance using the gcloud CLI. To do this, run the following command in your terminal window:
gcloud compute start-iap-tunnel INSTANCE_NAME 22 --local-host-port=localhost:LOCAL_PORT
Replace INSTANCE_NAME with the name of the Compute Engine instance you want to connect to, and replace LOCAL_PORT with the port number on your local machine that you want to use to connect to the instance.
Step 4: Connect to the instance Once the SSH tunnel is established, we can connect to the Compute Engine instance through it. To do this, open a new terminal window and run the following command:
ssh USERNAME@localhost -p LOCAL_PORT
Replace USERNAME with the username you want to use to log in to the Compute Engine instance and replace LOCAL_PORT with the port number you used in the previous step.
And that’s it! You should now be connected to your Compute Engine instance through IAP using its private IP address.
Connecting to a GCP Compute Engine instance with a private IP address via IAP requires enabling IAP on the instance, setting up the gcloud CLI, creating an SSH tunnel, and then connecting to the instance through the tunnel using SSH.
Here are all the gcloud commands we used in each step:
# Step 1: Enable IAP
gcloud compute instances add-iam-policy-binding INSTANCE_NAME --member='allAuthenticatedUsers' --role='roles/iap.tunnelResourceAccessor'
# Step 2: Set up the gcloud CLI
gcloud init
# Step 3: Create an SSH tunnel
gcloud compute start-iap-tunnel INSTANCE_NAME 22 --local-host-port=localhost:LOCAL_PORT
# Step 4: Connect to the instance
ssh USERNAME@localhost -p LOCAL_PORT
Note that you’ll need to replace INSTANCE_NAME, LOCAL_PORT, and USERNAME with the appropriate values for your use case.
In conclusion
Identity-Aware Proxy (IAP) is a valuable tool for managing access to resources on the Google Cloud Platform.
With its integration with Google Cloud Identity and Access Management (IAM), IAP provides granular control over access policies, allowing you to manage access based on user identity rather than the IP address.
IAP's support for both App Engine and Compute Engine instances, as well as its SSH access functionality, make it a versatile solution for managing access to a wide range of resources.
Its additional security features, such as context-aware access and adaptive access, make it a powerful tool for ensuring the security of your resources.
With IAP, you can provide secure access to your resources without having to manage VPNs or firewalls, making it a valuable tool for any organization using the Google Cloud Platform.