Anchor | ||||
---|---|---|---|---|
|
Include Page | ||||
---|---|---|---|---|
|
...
GCP Security
...
Overview
Access to an AWS GCP cloud instance can be controlled by
- an external firewall,
- the operating system firewall of the instance,
- AWS security groups, and
- AWS network ACLs.
A network ACL applies to a subnet as a whole. Only one network ACL per subnet is allowed. The rules in a network ACL are stateless (i.e., return traffic must be explicitly allowed). Rules are evaluated starting from the lowest rule number. After the first match the search is terminated.
A security group can be seen as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you must assign a security group to the instance. If no custom security group is specified, a default security group will be created and associated with the instance. You can add rules to each security group that allow traffic to or from its associated instances. The rules of a security group can be modified at any time, and the modifications are automatically applied to all instances that are associated with the security group. If there is more than one security group associated with an instance, the rules of all groups are combined.
Security groups in a VPC are associated with network interfaces. Changing an instance's security groups changes the security groups associated with the primary network interface (eth0). Additional security groups can associated with any other network interfaces added to an instance.
Points to note:
- By default, all outbound traffic is allowed.
- Rules in a security group always define what is permitted. They cannot be used to deny specific traffic.
- Response traffic to traffic that was permitted by a rule is always allowed (connection tracking).
...
- GCP-specific firewall settings.
In addition to allowing SSH access, the different firewall levels must be configured to permit at least access to any required license servers.
GCP Firewall Rules
In addition to firewall rules created by the customer, there are other rules that can affect incoming or outgoing traffic:
Certain IP protocols, such as GRE, are not allowed within a VPC network. For more information, see always blocked traffic.
Communication between a VM instance and its corresponding metadata server (
169.254.169.254
). Is always allowed.Every network has two implied firewall rules that permit outgoing connections and block incoming connections. Firewall rules that you create can override these implied rules.
The default network is pre-populated with firewall rules that can be deleted or modified.
VPC firewall rule characteristics:
- Each rule is either for incoming or outgoing traffic. It can allow or deny traffic.
- Only IPv4 traffic is supported.
- Firewall rules are stateful (return traffic for an established connection is allowed).
- If TCP traffic is fragmented, a rule is only applied to the first fragment of a packet.
Connecting to the Cloud Instance
During the configuration of your instance you should have created a security group allowing at the minimum SSH access to the instance. If this has been done correctly, you can, for example, use SSH from the command-line or from a tool such as PuTTY to access the command-line of the user sshuser on (for Charon-SSP prepackaged marketplace images) or your custom user (for RPM installations) on the Charon-SSP instance. If you select your instance in the instance list and then click on Connect, you will see the instructions for connecting via SSH.
As shown in the image below, you will see in particular
- the name of the private key that must be used to connect to the instance, and
- the public DNS name of the instance.
The
You will need the following:
- Access to the private key associated with the public key you uploaded during the configuration of the instance.
- The public IP address of the instance.
- If you did not create the instance from a Charon-SSP marketplace image, you will also need the username created during instance launch (based on the uploaded SSH key).
Please note:
- The file permissions of the private key file must be set such that the file is only readable by the user
...
- (e.g.,
#
chmod 400 <private-key-file>
). - PuTTY uses a different key file format. It comes with tools to convert between its own
.ppk
format and the format of OpenSSH used by the default Linux tools.
There are several ways to connect to your Charon-SSP cloud instance using this basic SSH protocol access. Some of them are described in the following sections below. GCP also offers additional ways of connecting to your instance (e.g., in a browser window). Please refer to the Google cloud documentation for more information about these methods.
Child pages (Children Display) | ||
---|---|---|
|
...