☁ Build and Secure Networks in Google Cloud: Challenge Lab | logbook
In this article, we will go through the lab GSP322 Build and Secure Networks in Google Cloud: Challenge Lab, an expert-level exercise on Qwiklabs. You will need to set up firewall rules that secure a simple environment so that SSH to the bastion is only allowed via IAP.
The challenge contains 6 required tasks:
- Remove the overly permissive rules
- Start the bastion host instance
- Create a firewall rule that allows SSH (tcp/22) from the IAP service and add a network tag on bastion
- Create a firewall rule that allows traffic on HTTP (tcp/80) to any address and add a network tag on juice-shop
- Create a firewall rule that allows traffic on SSH (tcp/22) from the acme-mgmt-subnet network address and add a network tag on juice-shop
- SSH to bastion host via IAP and juice-shop via bastion
1. Remove the overly permissive rules
This task is very simple. You only need to remove the open-access firewall rule.
- In the Cloud Console, navigate to Menu > VPC Network > Firewall.
- Check the box next to the rule named open-access.
- Click on DELETE to remove it.
2. Start the bastion host instance
- In the Cloud Console, navigate to Menu > Compute Engine > VM instances.
- Check the box next to the instance named bastion.
- Click on Start to run the instance.
3. Create a firewall rule that allows SSH (tcp/22) from the IAP service and add network tag on bastion
Add network tag on bastion
- On the VM instances page, click on the name of the bastion instance.
- Click EDIT on the details page.
- Add bastion to the Network tags field.
- Scroll to the bottom of the page and click Save.
Create firewall rule to allow SSH from the IAP service
Read Using IAP for TCP forwarding in the Google Cloud Documentation before you create the firewall rule.
- Go back to the Firewall Rules page, and click Create firewall rule.
- Configure the following settings:

| Field | Value |
| --- | --- |
| Name | e.g. allow-ssh-from-iap |
| Direction of traffic | Ingress |
| Targets | Specified target tags |
| Target tags | bastion |
| Source IP ranges | 35.235.240.0/20 |
| Protocols and ports | Select TCP and enter 22 to allow SSH |
4. Create a firewall rule that allows traffic on HTTP (tcp/80) to any address and add network tag on juice-shop
Create firewall rule to allow HTTP traffic to juice-shop
- On the Firewall Rules page, click Create firewall rule.
- Configure the following settings:

| Field | Value |
| --- | --- |
| Name | e.g. allow-http-ingress |
| Direction of traffic | Ingress |
| Targets | Specified target tags |
| Target tags | juice-shop |
| Source IP ranges | 0.0.0.0/0 |
| Protocols and ports | Select TCP and enter 80 to allow HTTP |
Add network tag on juice-shop
- On the VM instances page, click on the name of the juice-shop instance.
- Click EDIT on the details page.
- Add juice-shop to the Network tags field.
- Scroll to the bottom of the page and click Save.
5. Create a firewall rule that allows traffic on SSH (tcp/22) from acme-mgmt-subnet network address and add network tag on juice-shop
- Navigate to VPC network > VPC networks.
- Copy the IP address range of the acme-mgmt-subnet.
- Go back to the Firewall Rules page, and click Create firewall rule.
- Configure the following settings:

| Field | Value |
| --- | --- |
| Name | e.g. allow-ssh-from-mgmt-subnet |
| Direction of traffic | Ingress |
| Targets | Specified target tags |
| Target tags | bastion and juice-shop |
| Source IP ranges | IP address range of your acme-mgmt-subnet |
| Protocols and ports | Select TCP and enter 22 to allow SSH |
6. SSH to bastion host via IAP and juice-shop via bastion
After configuring the firewall rules, try to verify the environment via the bastion.
- Navigate to Compute Engine > VM instances.
- Copy the Internal IP of the juice-shop instance.
- Click on the SSH button in the row of the bastion instance.
- In the SSH console, access the juice-shop from the bastion using the following command (remember to REPLACE <internal-IP-of-juice-shop> with the copied IP address):

```
ssh <internal-IP-of-juice-shop>
```
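As an added example that is not part of the lab or its documentation, the following Python audit checks exported firewall rules for the end state the six tasks above produce: no rule admitting SSH from the whole internet, and SSH to the bastion reachable only from the IAP range and the management subnet. The rule dicts are constructed sample data in the shape of `gcloud compute firewall-rules list --format=json`, and 192.168.10.0/24 is a stand-in for the acme-mgmt-subnet range, which in a real project you would copy from the VPC networks page.

```python
"""Audit firewall rules for this lab's end state. Rule dicts mirror
`gcloud compute firewall-rules list --format=json` and are constructed sample data."""
import ipaddress

IAP_TCP_FORWARDING_RANGE = "35.235.240.0/20"  # the source the IAP SSH rule must use
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample: the pre-lab open-access rule plus the three rules the lab creates.
# 192.168.10.0/24 stands in for acme-mgmt-subnet; the real range comes from your VPC.
SAMPLE_RULES = [
    {"name": "open-access", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}], "targetTags": []},
    {"name": "allow-ssh-from-iap", "direction": "INGRESS", "sourceRanges": [IAP_TCP_FORWARDING_RANGE],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["bastion"]},
    {"name": "allow-http-ingress", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}], "targetTags": ["juice-shop"]},
    {"name": "allow-ssh-from-mgmt-subnet", "direction": "INGRESS", "sourceRanges": ["192.168.10.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "targetTags": ["bastion", "juice-shop"]},
]

def _port_open(entry, port):
    """True if an `allowed` entry covers tcp/`port`; no `ports` key means every port."""
    if entry["IPProtocol"].lower() not in ("tcp", "all"):
        return False
    if not entry.get("ports"):
        return True
    for spec in entry["ports"]:  # "22" or a range such as "1000-2000"
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _ingress_ssh(rule):
    """True if the rule is an ingress rule that admits tcp/22 at all."""
    return (rule.get("direction", "INGRESS") == "INGRESS"
            and any(_port_open(a, 22) for a in rule.get("allowed", [])))

def ssh_exposed_to_internet(rules):
    """Names of rules admitting tcp/22 from 0.0.0.0/0: the overly permissive pattern task 1 removes."""
    return [r["name"] for r in rules if _ingress_ssh(r)
            and any(ipaddress.ip_network(s) == ANYWHERE for s in r.get("sourceRanges", []))]

def ssh_sources_for_tag(rules, tag):
    """Source ranges that can reach tcp/22 on VMs tagged `tag` (an untagged rule hits every VM)."""
    sources = set()
    for r in rules:
        tags = r.get("targetTags") or []
        if _ingress_ssh(r) and (not tags or tag in tags):
            sources.update(r.get("sourceRanges", []))
    return sources
```

Run it once against the exported rules before deleting open-access and once after; the second run should report no internet-exposed SSH and only the IAP and management ranges for the bastion tag.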
Congratulations! You completed this challenge lab.
Demonstration Video
⏱Timestamps:
0:00 Start Lab and Provisioning
2:18 Remove the overly permissive rules
3:00 Start the bastion host instance
5:37 Create a firewall rule that allows SSH (tcp/22) from the IAP service and add a network tag on the bastion
7:30 Create a firewall rule that allows traffic on HTTP (tcp/80) to any address and add a network tag on juice-shop
9:20 Create a firewall rule that allows traffic on SSH (tcp/22) from acme-mgmt-subnet
11:18 SSH to bastion host via IAP and juice-shop via bastion