What you need

To complete this lab, you need:

Internet access

Access to a supported Internet browser:

What you do

What you learn

Step 1 Launch an Instance

Console: Products and Services > Compute Engine > VM instances

Click [Create Instance]

Name: webserver
Zone: us-central1-c
Machine type: 1vCPU (n1-standard-1)

You shouldn't need to change the following settings, just verify them.

Boot disk: New 10GB, Debian Linux
Under Identity and API access:
Service account: Compute Engine default service account (don't change)
Firewall: [x] Allow HTTP traffic


Step 2 Verify IP access

Console: Products and Services > Compute Engine > VM instances

Use the SSH link in the line with your VM to launch a terminal and connect.

Enter a few commands to test connectivity. Then exit to close the terminal.

$ ls
$ pwd

$ exit

The default setting for a default or auto-mode network is to allow SSH access from any source IP address. Restrict access to just your source IP address to see what happens when you try to connect from the console.

Step 1 Find your IP

Find the IP address of the computer you are using. One easy way to do this is to go to a website that provides this address. Open a browser in a new tab. Go to www.google.com, and search for "what's my IP". It will either directly reply with your IP or give you a list of sites that will perform this service.

Copy your IP address. You will be using it to modify the default firewall rule.

Console: Products and Services > Networking > Firewall rules

Select [Firewall rules]

Step 2 Edit the default SSH rule

Select the default-allow-ssh rule by clicking on it, then click Edit. In the Source filter drop-down, change the value to IP ranges.

Change the existing source range from 0.0.0.0/0 to your IP address.

Description: Allow SSH from my IP only
Source Filter: IP ranges
Range: your IP address

Click [Save]

Step 3 Test connectivity

Console: Products and Services > Compute Engine > VM instances

Use the SSH link in the line with your VM to launch a terminal and connect.

What happened?

When you SSH to an instance from your browser, the connection originates from Cloud Platform resources, so you must allow connections either from any IP address or from Google's IP address range, which you can get from Google's public SPF records. If you want to restrict SSH access to just your own IP address, you need to SSH from a terminal session instead.

For this lab, leaving SSH open to any is sufficient.

Step 4 Reset the IP address range

Description: Allow SSH from anywhere
Source Filter: Allow from any IP (0.0.0.0/0)

Click [Save]

Step 5 Verify the change

Console: Products and Services > Compute Engine > VM instances

Use the SSH link in the line with your VM to launch a terminal and connect.

In this section, you install a simple web application on your instance to represent an internal application.

You will then secure it by preventing access from the internet.

Step 1 SSH to webserver

Console: Products and Services > Compute Engine > VM instances

Use the SSH link in the line with your VM to launch a terminal and connect.

Step 2 Install and configure a web server

Update the package index.

$ sudo apt-get update

Install the apache2 package.

$ sudo apt-get install apache2 -y

Create a new default web page by overwriting the default by typing:

$ echo '<!doctype html><html><body><h1>Hello World!</h1></body></html>' | sudo tee /var/www/html/index.html

Step 3 Verify that the web server is working

Test that your instance is serving traffic on its external IP.

Console: Products and Services > Compute Engine > VM instances

Click the external IP for webserver under the EXTERNAL IP column.

You should see the "Hello World!" page.

You will restrict access to the web interface by changing the source IP address in the default-allow-http rule to your IP address.

Step 1 Restrict HTTP access

Console: Products and Services > Networking > Firewall rules

Select [Firewall rules]

Select the default-allow-http rule by clicking on it, then click Edit. In the Source filter drop-down, change the value to IP ranges.

Change the existing source range from 0.0.0.0/0 to your IP address.

Description: Allow HTTP from my IP only
Source Filter: IP ranges
Range: your IP address

Navigate to the firewall rules console and modify the source IP address to your IP. Validate that you can still access the web server.

Step 2 Verify that you still have access to the web server

Console: Products and Services > Compute Engine > VM instances

Click the external IP for webserver under the EXTERNAL IP column.

You should still be able to reach the "Hello World!" page.

Step 1 Edit the VM properties

Console: Products and Services > Compute Engine > VM instances

Click on [webserver]

Step 2 Remove the External IP

Scroll down to the External IP property and use the pull-down menu to change it from Ephemeral to None.

Click [Save]

Step 3 Try to access the VM

First try HTTP:

Console: Products and Services > Compute Engine > VM instances

Click the external IP for webserver under the EXTERNAL IP column.

Next try SSH:

Console: Products and Services > Compute Engine > VM instances

Use the SSH link for webserver to launch a terminal and connect.

What happened?

The VM is no longer associated with an External IP.
It is no longer reachable from the Internet.

Step 1 Launch another Instance

Console: Products and Services > Compute Engine > VM instances

Click [Create Instance]

Name: bastion
Zone: us-central1-c
Machine type: 1vCPU (n1-standard-1)

You shouldn't need to change the following settings, just verify them.

Boot disk: New 10GB, Debian Linux
Under Identity and API access:
Service account: Compute Engine default service account (don't change)
Firewall: don't change

Click [Create].

Step 2 SSH into bastion

Console: Products and Services > Compute Engine > VM instances

Use the SSH link for bastion to launch a terminal and connect.

Step 3 Verify HTTP access to webserver

Verify that the home page on webserver is reachable.

$ curl webserver

Even though the webserver is no longer associated with an external IP address, clients inside your network can still view and use the web service on this VM over the internal IP address.

Step 4 Verify SSH access to webserver

SSH into webserver from bastion by typing the following.

$ ssh -a webserver

When instances do not have external IP addresses, they can only be reached by other instances on the network, or via a managed VPN gateway.

In this case, the bastion VM serves as a management and maintenance interface to the webserver VM.

You restricted access to the webserver VM by removing its external IP address.

You created a bastion host named bastion to gain access to the webserver VM over its internal IP.

Normally, you would harden the bastion host by restricting the source IPs that can access the bastion host, by editing the firewall rules just as you did earlier in this lab.
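As an added example that is not part of this lab, the check below finds the condition the lab leaves in place at Step 4 of the SSH section: any ingress rule whose source range is 0.0.0.0/0 and which admits tcp/22 or tcp/80. It reads the JSON shape produced by `gcloud compute firewall-rules list --format=json` (field names name, direction, sourceRanges and allowed are assumed from the Compute Engine API); the sample rules embedded below are constructed, including the 203.0.113.10/32 placeholder address.

```python
"""Audit Compute Engine firewall rules for SSH/HTTP open to the Internet."""
import ipaddress
import json

# Constructed sample mirroring the lab: default-allow-ssh reopened to the
# world, default-allow-http pinned to one /32, and the internal-only rule.
SAMPLE_RULES_JSON = """[
 {"name": "default-allow-ssh", "direction": "INGRESS",
  "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "default-allow-http", "direction": "INGRESS",
  "sourceRanges": ["203.0.113.10/32"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
 {"name": "default-allow-internal", "direction": "INGRESS",
  "sourceRanges": ["10.128.0.0/9"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]}]}
]"""

WATCHED_PORTS = {22, 80}  # SSH and HTTP, the two rules edited in the lab

def port_spec_covers(spec, port):
    """True if a port spec such as "22" or "8000-9000" includes `port`."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def is_world_reachable(cidr):
    """True if the source range admits every address (prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def find_exposed(rules, ports=WATCHED_PORTS):
    """Map rule name -> sorted watched TCP ports reachable from 0.0.0.0/0."""
    exposed = {}
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not any(is_world_reachable(r) for r in rule.get("sourceRanges", [])):
            continue
        hit = set()
        for allow in rule.get("allowed", []):
            if allow["IPProtocol"] not in ("tcp", "all"):
                continue
            specs = allow.get("ports") or ["0-65535"]  # no ports = all ports
            hit |= {p for p in ports if any(port_spec_covers(s, p) for s in specs)}
        if hit:
            exposed[rule["name"]] = sorted(hit)
    return exposed

def audit(rules_json=SAMPLE_RULES_JSON):
    return find_exposed(json.loads(rules_json))

if __name__ == "__main__":
    for name, open_ports in audit().items():
        print(f"{name}: tcp {open_ports} open to 0.0.0.0/0")
```

Pipe the real `gcloud` output into `audit()` to run the same check against your project; an empty result means no watched port is open to the whole Internet.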

When you're not using the bastion host, you can shut it down.

Console: Products and Services > Compute Engine > VM instances

© Google, Inc. or its affiliates. All rights reserved. Do not distribute.