Sandeep

Build and Secure Networks in Google Cloud: Challenge Lab

In this article, we will go through the lab Build and Secure Networks in Google Cloud.

The challenge contains 6 required tasks:

  1. Remove the overly permissive rules.
  2. Start the bastion host instance.
  3. Create a firewall rule that allows SSH (tcp/22) from the IAP service and add network tag on bastion.
  4. Create a firewall rule that allows traffic on HTTP (tcp/80) to any address and add network tag on juice-shop.
  5. Create a firewall rule that allows traffic on SSH (tcp/22) from the acme-mgmt-subnet network address and add network tag on juice-shop.
  6. SSH to bastion host via IAP and juice-shop via bastion.
  • Create all resources in the default region or zone, unless otherwise directed.
  • Naming is normally a team-resource, e.g. an instance could be named kraken-webserver1
  • Allocate cost-effective resource sizes. Projects are monitored and excessive resource use will result in the containing project’s termination (and possibly yours), so beware. This is the guidance the monitoring team is willing to share; unless directed use f1-micro for small Linux VMs and n1-standard-1 for Windows or other applications such as Kubernetes nodes.

1. Remove the overly permissive rules

Delete the pre-existing rule that opens the network to everything:

gcloud compute firewall-rules delete open-access

2. Start the bastion host instance

In this step, the bastion virtual machine already exists but is stopped; you need to start it.

  • In the GCP Console go to Navigation Menu > Compute Engine > VM instances.
  • Tick the box next to the instance named bastion.
  • Click Start to run the instance.

3. Create a firewall rule that allows SSH (tcp/22) from the IAP service and add network tag on bastion

In this step, you have to create a firewall rule that allows SSH (tcp/22) from the IAP service (source range 35.235.240.0/20) and apply the matching network tag to the bastion VM, so that only traffic arriving through IAP can reach port 22 on the bastion.

Add the network tag to the bastion VM:

  • Go to the VM instances page, click on the bastion instance and click Edit.
  • Now add the bastion tag to the Network tags field.
  • At the end of the page click Save.

Now create the firewall rule for the bastion (the add-tags command does the same tagging as the console steps above):

gcloud compute firewall-rules create ssh-ingress --allow=tcp:22 --source-ranges 35.235.240.0/20 --target-tags [NETWORK TAG-1] --network acme-vpc

gcloud compute instances add-tags bastion --tags=[NETWORK TAG-1] --zone=us-central1-b

Replace [NETWORK TAG-1] with the network tag provided in the lab.

4. Create a firewall rule that allows traffic on HTTP (tcp/80) to any address and add network tag on juice-shop

In this step, you have to create a firewall rule that allows traffic on HTTP (tcp/80) to any address.

  • In the GCP Console go to Navigation Menu > VPC Network > Firewall.
  • Click Create firewall rule.

Or with gcloud (replace [NETWORK TAG-2] with the tag provided in the lab):

gcloud compute firewall-rules create http-ingress --allow=tcp:80 --source-ranges 0.0.0.0/0 --target-tags [NETWORK TAG-2] --network acme-vpc

gcloud compute instances add-tags juice-shop --tags=[NETWORK TAG-2] --zone=us-central1-b

5. Create a firewall rule that allows traffic on SSH (tcp/22) from the acme-mgmt-subnet network address and add network tag on juice-shop

In this step, you have to create a firewall rule that allows traffic on SSH (tcp/22) only from the acme-mgmt-subnet address range, so that juice-shop accepts SSH from the bastion's subnet and not from the internet.

  • In the GCP Console go to Navigation Menu > VPC Network.
  • Copy the IP address range of acme-mgmt-subnet.
  • In the GCP Console go to Navigation Menu > VPC Network > Firewall > Firewall rules.
  • Click Create firewall rule.

Or with gcloud (replace [NETWORK TAG-3] with the tag provided in the lab):

gcloud compute firewall-rules create internal-ssh-ingress --allow=tcp:22 --source-ranges 192.168.10.0/24 --target-tags [NETWORK TAG-3] --network acme-vpc

gcloud compute instances add-tags juice-shop --tags=[NETWORK TAG-3] --zone=us-central1-b

6. SSH to bastion host via IAP and juice-shop via bastion

After configuring the firewall rules, verify the environment by hopping through the bastion.

  • In the GCP Console go to Navigation Menu > Compute Engine > VM instances.
  • Copy the Internal IP of the juice-shop instance.
  • Then click on the SSH button in the row of the bastion instance.
  • From the SSH console, access juice-shop from the bastion using the following command:

ssh <internal-IP-of-juice-shop>

Note: replace <internal-IP-of-juice-shop> with the internal IP you copied.
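An audit script, added here as an example (it is not part of the lab or of Google's tooling), that checks the rule set the six tasks should leave behind: it flags any rule still open to 0.0.0.0/0 on an admin port, on all ports, or without a target tag (what task 1 removes), and confirms the three tagged rules from tasks 3 to 5 exist with the intended source ranges and ports. It reads a constructed JSON sample in the shape of `gcloud compute firewall-rules list --format=json`; the tag names bastion-tag and juice-tag are placeholders for the tags the lab provides.

```python
import json

IAP_RANGE = "35.235.240.0/20"    # IAP TCP-forwarding source range used in task 3
MGMT_SUBNET = "192.168.10.0/24"  # acme-mgmt-subnet range used in task 5
ADMIN_PORTS = {22, 3389}         # must never be reachable from 0.0.0.0/0

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (only the fields the audit reads; the two tag names are placeholders, not the lab's).
SAMPLE_RULES_JSON = """[
 {"name": "open-access", "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
 {"name": "ssh-ingress", "sourceRanges": ["35.235.240.0/20"], "targetTags": ["bastion-tag"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "http-ingress", "sourceRanges": ["0.0.0.0/0"], "targetTags": ["juice-tag"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
 {"name": "internal-ssh-ingress", "sourceRanges": ["192.168.10.0/24"], "targetTags": ["juice-tag"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]"""

def allowed_ports(rule):
    """Return (allows_every_port, set of explicitly allowed port numbers) for one rule."""
    every, ports = False, set()
    for entry in rule.get("allowed", []):
        proto, plist = entry.get("IPProtocol", "all"), entry.get("ports") or []
        if proto == "all" or (proto in ("tcp", "udp") and not plist):
            every = True                      # protocol allowed with no port restriction
        for p in plist:                       # "22" or a range such as "8000-8080"
            lo, _, hi = p.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return every, ports

def overly_permissive(rules):
    """Names of rules open to 0.0.0.0/0 beyond a tagged, port-specific allow (task 1 target)."""
    bad = []
    for r in rules:
        if "0.0.0.0/0" in r.get("sourceRanges", []):
            every, ports = allowed_ports(r)
            if every or ports & ADMIN_PORTS or not r.get("targetTags"):
                bad.append(r["name"])
    return bad

def missing_lab_rules(rules, bastion_tag, juice_tag):
    """Lab rules from tasks 3-5 that are absent or mis-scoped (empty list means all good)."""
    expected = {"ssh-ingress": (IAP_RANGE, 22, bastion_tag),
                "http-ingress": ("0.0.0.0/0", 80, juice_tag),
                "internal-ssh-ingress": (MGMT_SUBNET, 22, juice_tag)}
    by_name = {r["name"]: r for r in rules}
    return [name for name, (src, port, tag) in expected.items()
            if not (name in by_name and by_name[name].get("sourceRanges") == [src]
                    and allowed_ports(by_name[name]) == (False, {port})
                    and tag in by_name[name].get("targetTags", []))]
```

Against a real project, feed the output of `gcloud compute firewall-rules list --format=json` to `json.loads` in place of the sample; an empty result from both functions means the lab's end state is in place.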

Congratulations! Done with the challenge lab.

Discussion (2)

yuvaraj_11

Hi Sandeep,

The above-mentioned ssh command gives me access denied.

I resolved it by giving the below command in the bastion SSH session:
gcloud compute ssh juice-shop --internal-ip

Add this as an alternative approach.

Hope this might help someone who has been struggling with the same!

Sandeep (Author)

Hello Yuvaraj,

The commands of GCP change at regular intervals. When I performed that lab, I also got the access denied. Later I found this command would work, and it worked for me.

Anyway, thank you for letting me know the updated command. As you said, that might help others. Have a nice day!! 😀