Enhancing Secure Access to VM Instances with Google Identity-Aware Proxy (IAP)

Suraj Solanki
5 min read · Aug 9, 2024


We live in a cloud-based world, so ensuring that virtual machines (VMs) are secure is more important than ever. As companies continue to migrate to the cloud, the ability to control and secure access to VM instances has become a critical necessity. Google Cloud offers an effective solution through its Identity-Aware Proxy (IAP), which provides precise control over who can access your VMs, even when they don’t have an external IP address.

Recently, I had the opportunity to dive deep into Google’s Identity-Aware Proxy (IAP) service, and I’ve found it to be an invaluable tool for securing VM access. Whether you’re an administrator, developer, or cloud architect, understanding how to leverage IAP for TCP forwarding and SSH tunnelling can significantly boost your security measures.

What is IAP TCP Forwarding?

Identity-Aware Proxy (IAP) TCP forwarding is a feature that allows you to create an encrypted tunnel that forwards traffic such as SSH, RDP, and other TCP protocols to your VM instances. The beauty of IAP TCP forwarding is that it eliminates the need for external IP addresses or direct internet access to your instances, thereby minimizing exposure to potential security threats.

This capability is beneficial for organizations aiming to enforce strict security policies and limit public access to their cloud resources. With IAP, you can ensure that only authorized users can establish tunnels to your VMs, providing fine-grained control over access.

Tunnelling SSH Connections Through IAP

One of the most practical uses of IAP is tunnelling SSH connections to Linux instances that don’t have external IP addresses. When you use IAP tunnelling, the IAP proxies connect directly to the primary internal IPv4 address of the VM’s nic0 network interface.

How to Connect:

  • Google Cloud Console: The easiest way to establish an SSH connection through IAP is by using the SSH button in the Google Cloud console. This automatically tunnels the connection through IAP, as long as your instance’s access configuration (defined by IAM permissions) allows TCP tunnelling.
  • gcloud Command-Line Tool: If you prefer the terminal, you can use the gcloud compute ssh command to initiate SSH connections through IAP. If the instance doesn’t have an external IP address, the connection will automatically use IAP TCP tunnelling. To ensure that IAP tunnelling is always used, include the --tunnel-through-iap flag:

    # Replace INSTANCE_NAME with the name of your VM instance.
    gcloud compute ssh INSTANCE_NAME --tunnel-through-iap

  • IAP Desktop & PuTTY: Tools like IAP Desktop and PuTTY also support IAP tunnelling, allowing you to securely connect to your instances from your desktop environment.
  • SSH Command: For those who are comfortable with the command line, you can use the ssh command directly with a ProxyCommand option that uses gcloud to start the tunnel. Use the following to generate the full SSH command:

    gcloud compute ssh INSTANCE_NAME --dry-run
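The ProxyCommand form described in the last bullet, plus the same tunnel reused for RDP, as an added example that is not from the original post. PROJECT, ZONE, KEY and the instance names are placeholders you substitute; the ProxyCommand matches what gcloud compute ssh --dry-run prints.

```shell
#!/bin/sh
# Added example (not from the original post). Emits an ssh_config stanza that
# sends every ssh/scp/rsync to the VM through an IAP tunnel, equivalent to the
# ProxyCommand that "gcloud compute ssh INSTANCE_NAME --dry-run" prints.
# Assumptions: PROJECT, ZONE and KEY are placeholders you replace.

PROJECT="${PROJECT:-my-project}"                # placeholder
ZONE="${ZONE:-us-central1-a}"                   # placeholder
KEY="${KEY:-$HOME/.ssh/google_compute_engine}"  # key gcloud creates by default

# Print a Host stanza for one instance. %p is the target port; the tunnel
# carries the TCP stream over stdin/stdout, so no external IP or NAT is needed.
iap_ssh_config() {
  inst=$1
  printf 'Host %s\n' "$inst"
  printf '  HostName %s\n' "$inst"
  printf '  IdentityFile %s\n' "$KEY"
  printf '  ProxyCommand gcloud compute start-iap-tunnel %s %%p --listen-on-stdin --project=%s --zone=%s --verbosity=warning\n' \
    "$inst" "$PROJECT" "$ZONE"
}

# Same tunnel for a non-SSH port: expose RDP on the instance as a local port
# without the VM ever having a public address.
iap_rdp_tunnel_cmd() {
  inst=$1; local_port=${2:-13389}
  printf 'gcloud compute start-iap-tunnel %s 3389 --local-host-port=localhost:%s --project=%s --zone=%s\n' \
    "$inst" "$local_port" "$PROJECT" "$ZONE"
}

# Usage (placeholders): append the stanza, then plain "ssh my-vm" goes via IAP.
#   iap_ssh_config my-vm >> ~/.ssh/config
# For a Windows VM, run the printed command and point the RDP client at
# localhost:13389:
#   iap_rdp_tunnel_cmd win-vm
iap_ssh_config my-vm
iap_rdp_tunnel_cmd win-vm
```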

By leveraging IAP for SSH tunnelling, you can securely connect to your instances without exposing them to the public internet, ensuring that your administrative access remains both secure and efficient.

Preparing Your Project for IAP TCP Forwarding

Setting up IAP TCP forwarding in your Google Cloud project is a straightforward process, but it’s important to follow the right steps to ensure your firewall rules and access controls are properly configured.

1. Create a Firewall Rule for IAP Access

To allow IAP to connect to your VM instances, you need to create a firewall rule. This rule should apply to all VMs you want to make accessible via IAP and should allow ingress traffic from the IAP IP range (35.235.240.0/20). This range includes all the IP addresses that IAP uses for TCP forwarding.

Steps to Create the Firewall Rule:

  1. Navigate to the Firewall Rules page in the Google Cloud console.
  2. Click Create Firewall Rule.
  3. Set the rule name (e.g., allow-ingress-from-iap).
  4. Set the direction of traffic to Ingress.
  5. Apply the rule to All instances in the network.
  6. Set the source filter to IP ranges and enter the IP range 35.235.240.0/20.
  7. Specify the protocols and ports you want to allow, such as TCP ports 22 for SSH and 3389 for RDP.
  8. Click Create to finalize the rule.

This firewall rule ensures that only traffic from IAP can reach your VM instances on the specified ports, adding an essential layer of security.

2. Manage Your Existing Firewall Rules

It’s worth noting that the default firewall rules (default-allow-ssh and default-allow-rdp) allow connections from any IP address. If you want to restrict access strictly to IAP, consider disabling or deleting these default rules.
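The firewall rule from steps 1 to 8 above, expressed as the equivalent gcloud command, together with a check for the default-allow-ssh/default-allow-rdp problem described in this step, as an added example that is not from the original post. It assumes the VPC network is named default and that rule lines come from gcloud compute firewall-rules list with the value() format noted in the comments; the sample rules are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): the gcloud equivalent of the
# console steps, plus a pure-shell audit that flags rules still allowing
# SSH/RDP from anywhere. Assumptions: VPC network "default"; rule lines are
# "NAME SOURCE_RANGES ALLOW" as printed by
#   gcloud compute firewall-rules list \
#     --format="value(name,sourceRanges.list(),allowed[].map().firewall_rule().list())"

IAP_RANGE="35.235.240.0/20"   # IAP TCP-forwarding source range from the post

# Print (not run) the command matching console steps 1-8 so it can be reviewed.
iap_firewall_rule_cmd() {
  printf 'gcloud compute firewall-rules create allow-ingress-from-iap'
  printf ' --network=default --direction=INGRESS --action=ALLOW'
  printf ' --rules=tcp:22,tcp:3389 --source-ranges=%s\n' "$IAP_RANGE"
}

# Classify one rule: OPEN = SSH/RDP reachable from 0.0.0.0/0, IAP = scoped to
# the IAP range, OTHER = no management port or some other source range.
classify_rule() {
  name=$1; ranges=$2; allow=$3
  case ",$allow," in
    *,tcp:22,*|*,tcp:3389,*|*,tcp,*) ;;        # bare "tcp" means all ports
    *) echo "OTHER $name"; return 0 ;;
  esac
  case ",$ranges," in
    *,0.0.0.0/0,*)     echo "OPEN $name" ;;
    *,"$IAP_RANGE",*)  echo "IAP $name" ;;
    *)                 echo "OTHER $name" ;;
  esac
}

# Read rule lines from stdin, print a verdict per rule, return 1 if any is OPEN.
audit_rules() {
  status=0
  while read -r name ranges allow; do
    [ -n "$name" ] || continue
    verdict=$(classify_rule "$name" "$ranges" "$allow")
    echo "$verdict"
    case "$verdict" in OPEN*) status=1 ;; esac
  done
  return $status
}

# Constructed sample of a fresh project's rules, not real gcloud output.
SAMPLE_RULES='default-allow-ssh 0.0.0.0/0 tcp:22
default-allow-rdp 0.0.0.0/0 tcp:3389
default-allow-internal 10.128.0.0/9 tcp:0-65535,udp:0-65535,icmp
allow-ingress-from-iap 35.235.240.0/20 tcp:22,tcp:3389'

printf '%s\n' "$SAMPLE_RULES" | audit_rules \
  || echo "OPEN rules found: delete them or restrict sources to $IAP_RANGE"
```

Against live output, replace the constructed sample with the gcloud command from the comments; the two default rules show up as OPEN until they are deleted or re-scoped.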

The Benefits of Using IAP TCP Forwarding and SSH Tunneling

Utilizing IAP TCP forwarding and SSH tunnelling offers several key benefits:

  • Enhanced Security: By eliminating the need for external IP addresses and direct internet access, you reduce the attack surface of your VMs.
  • Fine-Grained Access Control: You can specify exactly which users or groups can access your VMs, giving you more control over your environment.
  • Encrypted Connections: All traffic forwarded through IAP is encrypted, adding a layer of security to your communications.

Real-World Application

In my experience, working with IAP TCP forwarding and SSH tunnelling has been a game-changer. On a recent multi-cloud SaaS project, I needed to ensure that our instances on Google Cloud were both secure and accessible to our team, without exposing them to the public internet. Implementing IAP TCP forwarding allowed us to achieve this, ensuring secure access while maintaining the flexibility needed for our administrative tasks.
Reference: Using Identity-Aware Proxy for TCP forwarding

If you have any questions or feedback, feel free to comment.

About The Author
Suraj Solanki
Senior DevOps Engineer
LinkedIn: https://www.linkedin.com/in/suraj-solanki
Topmate: https://topmate.io/suraj_solanki
