☁ Build and Secure Networks in Google Cloud: Challenge Lab | logbook


In this article, we will go through the lab GSP322 Build and Secure Networks in Google Cloud: Challenge Lab, which is labeled as an expert-level exercise. You will need to set up firewall rules so that a simple environment is configured securely, allowing SSH to the bastion host only via IAP.

The challenge contains 6 required tasks:

  1. Remove the overly permissive rules
  2. Start the bastion host instance
  3. Create a firewall rule that allows SSH (tcp/22) from the IAP service and add a network tag on bastion
  4. Create a firewall rule that allows traffic on HTTP (tcp/80) to any address and add a network tag on juice-shop
  5. Create a firewall rule that allows traffic on SSH (tcp/22) from acme-mgmt-subnet network address and add a network tag on juice-shop
  6. SSH to bastion host via IAP and juice-shop via bastion

1. Remove the overly permissive rules

This task is very simple. You only need to delete the open-access firewall rule.

  1. In the Cloud Console, navigate to Menu > VPC Network > Firewall
  2. Check the box next to the rule named open-access.
  3. Click on DELETE to remove it.

2. Start the bastion host instance

  1. In the Cloud Console, navigate to Menu > Compute Engine > VM instances
  2. Check the box next to the instance named bastion.
  3. Click on Start to run the instance.

3. Create a firewall rule that allows SSH (tcp/22) from the IAP service and add network tag on bastion

Add network tag on bastion

  1. On the VM instances page, click on the name of the bastion instance.
  2. Click EDIT on the details page.
  3. Add bastion to the Network tags field.
  4. Scroll to the bottom of the page and click Save.

Create firewall rule to allow SSH from the IAP service

Read Using IAP for TCP forwarding in the Google Cloud Documentation before you create the firewall rule; it gives 35.235.240.0/20 as the source range that IAP forwards TCP connections from, which is the only range the bastion's SSH rule should accept.

  1. Go back to the Firewall Rules page, and click Create firewall rule.
  2. Configure the following settings:

    Field                 Value
    Name                  e.g. allow-ssh-from-iap
    Direction of traffic  Ingress
    Targets               Specified target tags
    Target tags           bastion
    Source IP ranges      35.235.240.0/20
    Protocols and ports   Select TCP and enter 22 to allow SSH

4. Create a firewall rule that allows traffic on HTTP (tcp/80) to any address and add network tag on juice-shop

Create firewall rule to allow HTTP traffic to juice-shop

  1. On the Firewall Rules page, click Create firewall rule.
  2. Configure the following settings:

    Field                 Value
    Name                  e.g. allow-http-ingress
    Direction of traffic  Ingress
    Targets               Specified target tags
    Target tags           juice-shop
    Source IP ranges      0.0.0.0/0
    Protocols and ports   Select TCP and enter 80 to allow HTTP

Add network tag on juice-shop

  1. On the VM instances page, click on the name of the juice-shop instance.
  2. Click EDIT on the details page.
  3. Add juice-shop to the Network tags field.
  4. Scroll to the bottom of the page and click Save.

5. Create a firewall rule that allows traffic on SSH (tcp/22) from acme-mgmt-subnet network address and add network tag on juice-shop

  1. Navigate to VPC network > VPC networks.
  2. Copy the IP address range of the acme-mgmt-subnet.
  3. Go back to the Firewall Rules page, and click Create firewall rule.
  4. Configure the following settings:

    Field                 Value
    Name                  e.g. allow-ssh-from-mgmt-subnet
    Direction of traffic  Ingress
    Targets               Specified target tags
    Target tags           bastion and juice-shop
    Source IP ranges      IP address range of your acme-mgmt-subnet
    Protocols and ports   Select TCP and enter 22 to allow SSH

6. SSH to bastion host via IAP and juice-shop via bastion

After configuring the firewall rules, try to verify the environment via the bastion.

  1. Navigate to Compute Engine > VM instances.
  2. Copy the Internal IP of the juice-shop instance.
  3. Click on the SSH button in the row of the bastion instance.
  4. In the SSH console, access the juice-shop from the bastion using the following command:

    ssh <internal-IP-of-juice-shop>

    (Remember to REPLACE <internal-IP-of-juice-shop> with the copied IP address)
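Beyond the interactive SSH check, the end state of tasks 1 to 5 can be audited from a rule export. The script below is an added example, not part of the lab: it reads rules in the shape that gcloud compute firewall-rules list --format=json produces (the sample rules here are constructed), and flags SSH rules that are open to any address, that lack a target tag, or that reach the bastion from anything other than the IAP range or the management subnet. The management subnet range is a constructed placeholder; substitute the real acme-mgmt-subnet range.

```python
import ipaddress
# Added example, not from the lab: the IAP TCP forwarding range is the lab's own;
# the management subnet is a constructed stand-in for acme-mgmt-subnet.
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")
MGMT_SUBNET = ipaddress.ip_network("10.1.0.0/24")  # constructed placeholder

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = [
    {"name": "open-access", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]},  # the rule task 1 deletes
    {"name": "allow-ssh-from-iap", "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["bastion"]},
    {"name": "allow-http-ingress", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}], "targetTags": ["juice-shop"]},
    {"name": "allow-ssh-from-mgmt-subnet", "sourceRanges": ["10.1.0.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["bastion", "juice-shop"]},
]

def opens_port(rule, proto, port):
    """True if an ingress rule allows proto/port ('all', no port list, or a range)."""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    for entry in rule.get("allowed", []):
        if entry["IPProtocol"] == "all":
            return True
        if entry["IPProtocol"] != proto:
            continue
        for item in entry.get("ports") or ["0-65535"]:  # no port list = every port
            lo, _, hi = item.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def findings(rules):
    """List rules that break the lab's target policy; HTTP from 0.0.0.0/0 is intended."""
    out = []
    for rule in rules:
        if not opens_port(rule, "tcp", 22):
            continue
        srcs = [ipaddress.ip_network(s) for s in rule.get("sourceRanges", [])]
        tags = set(rule.get("targetTags", []))
        if any(s.prefixlen == 0 for s in srcs):
            out.append(f"{rule['name']}: SSH allowed from any address")
        if not tags:
            out.append(f"{rule['name']}: SSH rule has no target tag, so it hits every instance")
        if "bastion" in tags:
            bad = [str(s) for s in srcs if not (s.subnet_of(IAP_RANGE) or s.subnet_of(MGMT_SUBNET))]
            if bad:
                out.append(f"{rule['name']}: SSH to bastion from outside IAP/mgmt ranges {bad}")
    return out
```

Run against the sample as-is, findings() reports only the open-access rule; once that rule is dropped (task 1) the list is empty, which is the state the lab expects.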


Congratulations! You completed this challenge lab.

Demonstration Video


Timestamps:
0:00 Start Lab and Provisioning
2:18 Remove the overly permissive rules
3:00 Start the bastion host instance
5:37 Create a firewall rule that allows SSH (tcp/22) from the IAP service and add a network tag on bastion
7:30 Create a firewall rule that allows traffic on HTTP (tcp/80) to any address and add a network tag on juice-shop
9:20 Create a firewall rule that allows traffic on SSH (tcp/22) from acme-mgmt-subnet
11:18 SSH to bastion host via IAP and juice-shop via bastion


Chris F. Author of this blog, M.Phil.