BBHoss

A brief history of my experiences in programming & system operations

Transparent SSH Access using Google Cloud's Identity-Aware Proxy

Posted at — Jul 30, 2020

What is Identity-Aware Proxy?

Recently I’ve been working a lot more with cloud infrastructure, in particular on Google Cloud Platform. GCP has a ton of nice security features, and integrates amazingly well with the rest of the Google Cloud offerings, namely G Suite. One of the most helpful security features on GCP is its Identity-Aware Proxy. Identity-Aware Proxy (IAP) is a tool for building cloud infrastructure following the BeyondCorp security model, which encourages the use of secure perimeters around every internal service instead of one big firewall with a VPN or bastion host as the gate into the soft underbelly of your internal network.

IAP provides an HTTPS and TCP proxy for building these secure perimeters. Instead of exposing your service to the internet or internal network unprotected, IAP proxies all traffic to your service, and only allows it to pass through to your application if you have been granted access to the service by an administrator using GCP’s IAM. You can also require higher access levels, which can be used to require that browser versions are up to date, restrict access to a certain country, etc. This allows you to block all traffic to your service except for traffic originating from IAP’s IP address ranges.

Accessing instances via ssh

Originally, IAP only supported access via HTTPS. Luckily, in the past year, support for proxying any TCP connection has been added. This allows you to replace your bastion host with IAP TCP Forwarding, since SSH is a TCP protocol. Google has built this capability right into their SDK:

gcloud beta compute ssh --zone "us-central1-a" "instance-1" --tunnel-through-iap

The --tunnel-through-iap option launches the TCP proxy in the background and connects to your instance using the ssh command. That got me thinking: back in the days of bastion hosts, you could use a ProxyCommand directive to connect through your bastion host, which feels quite similar. Well, it turns out you can use ProxyCommand with GCP IAP’s TCP forwarding!

To get set up, just create an ssh config file if you don’t already have one. Usually this will be located at ~/.ssh/config:

Host instance-1
  ProxyCommand gcloud beta compute start-iap-tunnel instance-1 22 --listen-on-stdin --project=yourproject --zone=us-central1-a --verbosity=warning

With this configuration, ssh runs the ProxyCommand first and then talks to sshd on the other end over that command’s standard input and output instead of opening its own TCP connection. Once you’ve got this configured, you should be able to run ssh user@instance-1 and it will work transparently without any additional configuration.
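If you have more than one instance, the stanzas can be generated from a small inventory. The script below is an added example, not part of the original post: the function names, the "instance zone project" inventory format, the git-1 entry and the naming checks are assumptions. Because ssh hands the ProxyCommand line to your shell, it refuses any value that is not a plain lowercase name.

```shell
#!/bin/sh
# Added example: build ~/.ssh/config stanzas for IAP TCP forwarding.
# ssh passes ProxyCommand to the user's shell, so every inventory value is
# validated before it is interpolated into that line.
LC_ALL=C; export LC_ALL   # make [a-z] mean ASCII lowercase only

# valid_name VALUE MAXLEN: lowercase letter first, then [a-z0-9-], no trailing '-'.
# Assumption: a conservative approximation of GCP instance/zone/project naming.
valid_name() {
  [ "${#1}" -ge 1 ] && [ "${#1}" -le "$2" ] || return 1
  case $1 in
    [!a-z]*|*[!a-z0-9-]*|*-) return 1 ;;
  esac
  return 0
}

# iap_stanza INSTANCE ZONE PROJECT: print one Host block, or fail with no output.
iap_stanza() {
  valid_name "$1" 63 && valid_name "$2" 30 && valid_name "$3" 30 || {
    echo "rejected inventory entry" >&2
    return 1
  }
  printf 'Host %s\n' "$1"
  printf '  ProxyCommand gcloud beta compute start-iap-tunnel %s 22 --listen-on-stdin --project=%s --zone=%s --verbosity=warning\n' "$1" "$3" "$2"
}

# iap_config: read "instance zone project" lines on stdin; skip blanks and comments.
# Returns 1 if any line was rejected, after emitting the valid ones.
iap_config() {
  rc=0
  while read -r inst zone proj extra; do
    case $inst in ''|'#'*) continue ;; esac
    [ -z "$extra" ] && iap_stanza "$inst" "$zone" "$proj" || rc=1
  done
  return "$rc"
}

# Constructed sample inventory; git-1 and the malformed last entry are made up.
SAMPLE_INVENTORY='# instance zone project
instance-1 us-central1-a yourproject
git-1 us-central1-a yourproject
bad;name us-central1-a yourproject'

# Demo: prints two stanzas and reports the rejected third entry on stderr.
printf '%s\n' "$SAMPLE_INVENTORY" | iap_config || echo "some entries were rejected" >&2
```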

Git Access

Tons of things use SSH as their secure transport layer; it’s one of the most useful tools out there for working in a networked world. One of the largest (by volume) users of SSH is the Git protocol. I am happy to report that this method works completely transparently with git. This capability allows you to set up your Git repo server (GitLab, GitHub Enterprise, etc.) so that it is completely inaccessible to the outside world, allowing access only via IAP TCP Forwarding. This configuration just needs to be done once, and all of the users of your Git server are able to access their internal git repos securely and easily. If they’ve been granted network access, that is!

Happy Tunneling!
