Background and prerequisites
For those who are just starting with the new GCE (Google Compute Engine) IaaS cloud, here is a quick "How To" on instance access and network policy in GCE.
To gain access to GCE, use the link above and click on the "Try it now" button. You'll need to go through some steps to enable your GCE account, but once the account is activated you'll be able to start launching instances in Google Cloud.
Basically, GCE allows you to launch a virtual instance in just one click, and access it using the well-known SSH protocol.
Once you create an instance in GCE, you can associate a public IP address with it and then use that public IP address to gain access (both ephemeral and static IP addresses will work here).
For those who are just getting started with GCE, please note that you'll need to download and use the gcutil command line tool to start the SSH session with the instance. gcutil ssh is a wrapper around the regular ssh client, so an advanced user can bypass this somewhat cumbersome utility and call ssh directly with the generated key against the instance's public IP address.
The latest release of gcutil is available here.
Follow the authentication instructions. The private key used by the SSH client will be generated at ~/.ssh/google_compute_engine (the matching public key ends in .pub); protect it as you would any other SSH private key.
The gcutil command line supports all cloud management operations, whereas the web admin GUI does not expose every function. In this post I'm only going to focus on the operations related to instance access and network policies.
VM Instance Access
Gaining access to an instance is simple: open the GCE administration console and click on "VM instances" in the left-hand toolbox. The console displays a list of your currently running instances (one line per instance). Each line contains information on the instance (including IP address, zone, and network) and an "SSH" button on the right-hand side.
Clicking on the SSH button opens a window with the gcutil command and its parameters already filled in. All you need to do is copy/paste it into your shell and execute it.
The gcutil parameters are as follows:

| Parameter | Example value | Meaning |
|---|---|---|
| --service_version | "v1" | The GCE API version to use |
| --project | "my first GCE account" | The ID of the project that owns the instance (you can have more than one project) |
| <command> | ssh | Open an SSH session to the instance |
| --zone | "europe-west1-b" | The GCE zone in which your instance is located |
| <instance id> | "my-first-instance" | The name of the instance you wish to access |
gcutil uses the GCE API to retrieve the instance information (essentially the associated public IP address) and then launches an SSH session using your private key. You can check the output of the command to see exactly what it does.
Before accessing your instance, however, you'll need to make sure your firewall rules permit SSH from the address you are connecting from.
When starting a GCE project, Google creates a default private network for all your resources. Usually the default network is 10.240.0.0/16. You can change it or add more networks as you need.
A few important notes about the GCE network:
- Your GCE private network spans GCE zones, giving you a single, global private network. There is no need to work out how to securely interconnect your different zones; this just works for you.
- The GCE internal network is fast (Google evidently has the resources to back this network for you).
The following discusses how to control network access and network policies.
GCE Network Policies
In GCE, your network policies are associated with your network. To view your deployed network policies, click on "Networks." Under "All Networks," click on the network you are using (in most cases this will be the default network).
You should see something similar to the following:
[Screenshot: example network with firewall rules]
[Screenshot: example network without firewall rules]
This layout shows both the firewall rules and the routing rules. In this post I'll only discuss the firewall rules.
To view a rule, click on the rule itself. If you don't have any rules, you can create a new one by clicking on the "Create New" link next to the "Firewall" title.
Here is an example of a simple "Allow SSH from everywhere" rule. (Note that the example values below allow considerably more than SSH: HTTP, HTTPS, port 8080, a UDP port range and ICMP are all opened to the whole Internet. A rule that really only allows SSH would list tcp:22 alone.)
Rules are comprised of the following fields:

| Field | Example value | Meaning |
|---|---|---|
| Name | "ssh-access-rules" | Unique rule name |
| Description | "this is my first rule ever" | Free text |
| Source IP Ranges | "0.0.0.0/0" | Permitted source IP subnets in CIDR format (API field sourceRanges); 0.0.0.0/0 means any address on the Internet |
| Allowed Protocols & Ports | "tcp:80,443,22,8080;udp:500-600;icmp" | Permitted protocols and ports (API field allowed); entries are separated by ";", ports within an entry by ",", and a protocol given without ports (icmp here) allows all of its ports |
| Source Tags | "web servers" | Permitted source instance tags (API field sourceTags); only instances on the same network carrying one of these tags match, and a source matches if it is in a Source IP Range or carries a Source Tag |
| Destination Tags | "database servers" | Tags of the instances the rule applies to (API field targetTags); if left empty, the rule applies to every instance on the network |
Google is introducing an interesting tag-based model.
Tags are simple, unmanaged string labels that can be used to group resources together. Tags are part of the resource metadata and can be edited either via the GCE API or via the web admin console.
Tags are applied to instances. Different instances can carry the same tag to create a notion of grouping (although it is not really a group), and each instance can carry multiple distinct tags.
GCE firewall rules support tags and let you express the permitted source and/or the permitted destination of a rule as tags instead of (or combined with) IP addresses or subnets. Keep in mind that GCE firewall rules are allow-only with an implicit deny: traffic to an instance is permitted if any rule on the network matches it, and dropped otherwise. Because tags are unmanaged metadata, a tag-based rule is only as strong as the permissions required to edit an instance: anyone who can change an instance's tags can move it into or out of the scope of your rules.
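The rule fields and the tag model above can be modelled offline. The following added example (written for this post, not code from the original page or from Google) parses the "Allowed Protocols & Ports" syntax into the shape of the v1 API firewall resource, evaluates whether a given source may reach a tagged instance under a set of rules using the source-range-or-source-tag and implicit-deny semantics described above, and audits rules for admin ports exposed to 0.0.0.0/0. The sample rules, the instance tags and the list of "admin ports" are constructed for illustration.

```python
"""Offline model of GCE firewall rules (added example, not Google's code).

Rule dictionaries mirror the v1 API firewall resource fields
(sourceRanges, sourceTags, targetTags, allowed[].IPProtocol / ports).
"""
import ipaddress


def parse_allowed(spec):
    """Turn "tcp:80,443,22,8080;udp:500-600;icmp" into the API's `allowed` list.

    Entries are separated by ';' and have the form PROTOCOL or PROTOCOL:PORTS,
    where PORTS is a comma-separated list of single ports or lo-hi ranges.
    A protocol given without ports (e.g. icmp) means all ports of that protocol.
    """
    allowed = []
    for entry in filter(None, spec.split(";")):
        proto, _, ports = entry.strip().partition(":")
        item = {"IPProtocol": proto.strip().lower()}
        if ports:
            item["ports"] = [p.strip() for p in ports.split(",") if p.strip()]
        allowed.append(item)
    return allowed


def _port_matches(port, port_specs):
    """True if `port` is covered by a list of "N" / "lo-hi" strings; no list = all ports."""
    if port_specs is None:
        return True
    for spec in port_specs:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def rule_matches(rule, src_ip, src_tags, dst_tags, proto, port=None):
    """Does one rule permit (src_ip, src_tags) -> instance with dst_tags on proto/port?

    GCE semantics: a rule without targetTags applies to every instance on the
    network; the source matches if it falls in any sourceRange OR carries any
    sourceTag (the two are alternatives, not both required).
    """
    targets = rule.get("targetTags")
    if targets and not set(targets) & set(dst_tags):
        return False
    in_range = any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(r, strict=False)
                   for r in rule.get("sourceRanges", []))
    by_tag = bool(set(rule.get("sourceTags", [])) & set(src_tags))
    if not (in_range or by_tag):
        return False
    for item in rule["allowed"]:
        if item["IPProtocol"] != proto:
            continue
        if proto in ("tcp", "udp") and port is not None:
            if _port_matches(port, item.get("ports")):
                return True
        else:
            return True
    return False


def is_permitted(rules, src_ip, src_tags, dst_tags, proto, port=None):
    """Allow-only with implicit deny: traffic passes if any rule matches it."""
    return any(rule_matches(r, src_ip, src_tags, dst_tags, proto, port) for r in rules)


# Constructed audit policy (assumption): ports that should never be world-reachable.
ADMIN_PORTS = {"tcp": (22, 3389)}


def audit(rules):
    """Return (rule name, port) pairs where an admin port is reachable from 0.0.0.0/0."""
    findings = []
    for rule in rules:
        world_open = any(ipaddress.ip_network(r, strict=False).prefixlen == 0
                         for r in rule.get("sourceRanges", []))
        if not world_open:
            continue
        for item in rule["allowed"]:
            for port in ADMIN_PORTS.get(item["IPProtocol"], ()):
                if _port_matches(port, item.get("ports")):
                    findings.append((rule["name"], port))
    return findings


# Constructed sample rules in the shape of the v1 API resource.
SAMPLE_RULES = [
    {"name": "ssh-access-rules", "sourceRanges": ["0.0.0.0/0"],
     "allowed": parse_allowed("tcp:80,443,22,8080;udp:500-600;icmp")},
    {"name": "web-to-db", "sourceTags": ["web servers"],
     "targetTags": ["database servers"], "allowed": parse_allowed("tcp:3306")},
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))  # [('ssh-access-rules', 22)]
    print(is_permitted(SAMPLE_RULES, "10.240.1.5", ["web servers"],
                       ["database servers"], "tcp", 3306))  # True
```

The second sample rule shows the point of tags: an instance tagged "web servers" reaches port 3306 on a "database servers" instance, while an untagged instance at the same internal address does not, even though the first rule's 0.0.0.0/0 source range covers it, because that rule does not list port 3306.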
Viewing your tags using gcutil
While there is no specific "show tags" command in gcutil, tags can be viewed as part of the instance metadata using the "getinstance" command.
Here is an example:
gcutil --service_version="v1" --project="your project name" getinstance --zone="europe-west1-b" "server name"
This shows all the instance metadata, including the instance's tags.
You can learn how to manage your firewall rules with gcutil here.
Network Access Control
As with any other virtual private cloud network, more scalable and secure user-based access control can be achieved using VPNs. Google provides documentation on how to build one yourself based on Openswan (the open source IPsec project).
I hope the above provides enough for you to start with. We are definitely going to write more posts on GCE security shortly. In the meantime, if you have any questions or needs re security on GCE feel free to approach us (you can comment on this post or email us) and we’ll be happy to help. You can also register for a free trial of our service running on GCE.