in-browser SSH - IP address range

One of the options to SSH into the instance is in-browser SSH. It only works if I allow SSH from the 0.0.0.0/0 IP range.

Is there a way to get the specific IP address range(s) from which GCP will establish in-browser SSH?

P.S.: I am not talking about SSH from my laptop. I am talking about in-browser SSH.



Solution 1:[1]

I also wanted to restrict SSH access to in-browser only and found this:

The client IP address in the SSH connection will be part of the range 35.235.240.0/20. This range is the pool of IP addresses used by IAP to proxy the connection from your browser to your instance. So, you can create a more restrictive VPC firewall rule allowing SSH connections only from this IP address range. As a result, only users allowed by IAP will be able to connect to VM using SSH.

(from https://cloud.google.com/community/tutorials/ssh-via-iap)
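As an added example (not code from the answer above or from Google's tutorial), the POSIX shell below does two things the quoted text describes: it creates a VPC rule that admits tcp/22 only from 35.235.240.0/20, and it checks whether a live session's client address actually falls inside that range, which is how you confirm a login came through the IAP proxy rather than from the open internet. The rule name allow-ssh-from-iap, the network tag iap-ssh and the sample SSH_CLIENT values are assumptions; the gcloud call is wrapped in a function so the script runs stand-alone without a project. The IAM role roles/iap.tunnelResourceAccessor mentioned in the comments is not on the original page; it is the permission IAP checks before proxying the connection.

```sh
#!/bin/sh
# Added example: restrict SSH to Google's IAP TCP-forwarding range and verify that
# a session came through it. Names (allow-ssh-from-iap, iap-ssh) are assumptions.
set -eu

IAP_RANGE="35.235.240.0/20"   # range quoted in the answer above

# Dotted-quad IPv4 -> unsigned 32-bit integer.
ip4_to_int() {
  echo "$1" | {
    IFS=. read -r a b c d
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
  }
}

# Exit 0 if IPv4 $1 lies inside CIDR $2 (e.g. 35.235.241.17 35.235.240.0/20).
# Compares the network parts after shifting the host bits away.
ip4_in_cidr() {
  net="${2%/*}"; bits="${2#*/}"
  host_bits=$(( 32 - bits ))
  [ $(( $(ip4_to_int "$1") >> host_bits )) -eq $(( $(ip4_to_int "$net") >> host_bits )) ]
}

# Classify an SSH_CLIENT value ("<client ip> <client port> <server port>", as sshd
# exports it) as "iap" when the client address is an IAP proxy, else "other".
session_origin() {
  client_ip="${1%% *}"
  if ip4_in_cidr "$client_ip" "$IAP_RANGE"; then echo iap; else echo other; fi
}

# Firewall change: one rule that admits tcp/22 only from the IAP range, applied to
# VMs carrying the given network tag. Remove any existing 0.0.0.0/0 SSH rule
# separately, otherwise it still admits everyone.
apply_iap_only_ssh_rule() {
  tag="${1:-iap-ssh}"
  gcloud compute firewall-rules create allow-ssh-from-iap \
    --direction=INGRESS --action=ALLOW --rules=tcp:22 \
    --source-ranges="$IAP_RANGE" --target-tags="$tag"
  # The VPC rule is not the access control by itself: a user also needs
  # roles/iap.tunnelResourceAccessor on the project or VM, and connects with
  #   gcloud compute ssh VM --tunnel-through-iap
  # or the in-browser SSH button, both of which arrive from the IAP range.
}

# Stand-alone demonstration on constructed SSH_CLIENT values (not real sessions).
session_origin "35.235.241.17 43522 22"   # iap
session_origin "198.51.100.23 51000 22"   # other
```

On a VM, `session_origin "$SSH_CLIENT"` answers the question "did this login come through IAP?" for the current session; anything reporting "other" after the rule is in place means a second path to port 22 still exists.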

Solution 2:[2]

The Handling "Unable to connect on port 22" error message documentation states that you can get Google's IP address range using the public SPF records.

Per the documentation, you'll need to run the three commands below from a Linux VM instance:

nslookup -q=TXT _netblocks.google.com 8.8.8.8
nslookup -q=TXT _netblocks2.google.com 8.8.8.8
nslookup -q=TXT _netblocks3.google.com 8.8.8.8

You may need to install dnsutils on the VM instance to be able to use nslookup.

I just tested it and got various ranges for IPv6 and IPv4. I believe these are the ranges you are searching for.
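Added example (not from the answer above): a POSIX shell snippet that turns the three TXT lookups into the list form gcloud's --source-ranges expects. The parser runs here on a constructed stand-in for nslookup output so it works offline; google_spf_cidrs performs the real lookups. Two caveats a practitioner should know before using the result: a VPC firewall rule takes either IPv4 or IPv6 source ranges, not a mix, so the two families are kept apart; and these SPF netblocks describe Google's address space broadly, far wider than the 35.235.240.0/20 IAP proxy range given in Solution 1, so a rule built from them admits a great deal more than in-browser SSH.

```sh
#!/bin/sh
# Added example: extract ip4:/ip6: mechanisms from Google's SPF netblock TXT
# records and format them for --source-ranges. Sample data below is constructed.
set -eu

# Print the CIDRs of one address family ($1 = 4 or 6) found in SPF text on stdin.
# Everything else (record name, v=spf1, include:, ~all) is dropped.
spf_cidrs() {
  tr ' "\t' '\n\n\n' | sed -n "s/^ip$1://p"
}

# Join one CIDR per line into the comma-separated list --source-ranges expects.
join_ranges() {
  paste -s -d, -
}

# Live lookup, as in the answer above (needs nslookup from dnsutils and network).
google_spf_cidrs() {
  for zone in _netblocks.google.com _netblocks2.google.com _netblocks3.google.com; do
    nslookup -q=TXT "$zone" 8.8.8.8
  done | spf_cidrs "$1"
}

# Constructed stand-in for nslookup output (two records, mixed families).
SAMPLE_TXT='_netblocks.google.com text = "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip6:2001:4860:4000::/36 ~all"
_netblocks2.google.com text = "v=spf1 ip6:2404:6800:4000::/36 ~all"'

# IPv4 and IPv6 must go in separate rules: a VPC firewall rule's source ranges
# are all-IPv4 or all-IPv6. These are the two --source-ranges values you would pass.
v4_ranges() { printf '%s\n' "$SAMPLE_TXT" | spf_cidrs 4 | join_ranges; }
v6_ranges() { printf '%s\n' "$SAMPLE_TXT" | spf_cidrs 6 | join_ranges; }

v4_ranges   # 35.190.247.0/24,64.233.160.0/19
v6_ranges   # 2001:4860:4000::/36,2404:6800:4000::/36
```

For real data, replace the printf in v4_ranges/v6_ranges with `google_spf_cidrs 4` and `google_spf_cidrs 6`, and re-run it periodically: the netblock records change, which is the maintenance burden Solution 4 warns about.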

Solution 3:[3]

In order to allow SSH access from your laptop through the GCP console browser, you need to find your public IP address, or the external IP address of your LAN. You can check it in this link. Once you have your external IP address you need to create a FW rule to allow SSH access just from that external IP address.

Example:

# --target-tags is optional: it applies this FW rule only to the VMs carrying the same tag.
gcloud compute firewall-rules create test-ssh-example \
    --action allow \
    --direction ingress \
    --target-tags=[TAG] \
    --rules tcp:22 \
    --source-ranges [YOUR_EXTERNAL_IP]/32 \
    --priority 1000

With this rule, you will be able to SSH into a VM instance only from that IP address.

Solution 4:[4]

Why don't you run the command "who" on your SSH session, to see where the connection is originating from?

Then search the excellent Cloud Platform documentation to see if an automation to allow this already exists. Otherwise write one.

This is not the best place to do your firewalling from, as it's one more configuration to keep up to date. I would recommend an application firewall, or just adding a rate limit to your existing firewall. The chances of someone logging into your servers if you use keys are virtually 0, even with a 14-character random password and rate-limited new connections. If you use keys or a password manager (as you should), use fail2ban.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution    Source
Solution 1  Pybe
Solution 2
Solution 3  Daniel Emiliano
Solution 4