'in-browser SSH - IP address range

One of the options to ssh into the instance is in-browser ssh. It only works if I allow SSH from 0.0.0.0/0 IP range.

Is there a way to get the range of specific IP address range(s) from where GCP will establish in-browser SSH?

P.S.: I am not talking about SSH from my laptop. I am talking about in-browser SSH.

google-cloud-platformgoogle-compute-engine


Solution 1:[1]

I also wanted to restrict SSH access to in-browser only and found this

The client IP address in the SSH connection will be part of the range 35.235.240.0/20. This range is the pool of IP addresses used by IAP to proxy the connection from your browser to your instance. So, you can create a more restrictive VPC firewall rule allowing SSH connections only from this IP address range. As a result, only users allowed by IAP will be able to connect to VM using SSH.

(from https://cloud.google.com/community/tutorials/ssh-via-iap)

Solution 2:[2]

The Handling "Unable to connect on port 22" error message documentation states that you can get Google's IP address range using the public SPF records.

Per the documentation, you'll need to run the three commands below from a linux VM instance:

nslookup -q=TXT _netblocks.google.com 8.8.8.8
nslookup -q=TXT _netblocks2.google.com 8.8.8.8
nslookup -q=TXT _netblocks3.google.com 8.8.8.8

You may need to install dnsutils on the vm instance to be able to use dnslookup.

I just tested it and got various ranges for IPv6 and IPv4. I believe this are the ranges you are searching for.

Solution 3:[3]

In order to allow SSH access from your laptop GCP console browser, you need to find your public IP address or external IP address of your LAN. You can check it in this link.Once you have your external IP address you need to create a FW to allow SSH access just from that external IP address.

Example:

gcloud compute firewall-rules create test-ssh-example \
--action allow \
--direction ingress \
--target-tags=[TAG] \ [You can specify a tag to apply this FW rule just to the VMs with the same tag. (optional)]
--rules tcp:22\
--source-ranges \
--priority 1000

With this option, only from that IP address you will be able to have SSH access to a VM instance.

Solution 4:[4]

Why don't you run the command who on your ssh session, to see where the connection is originating from?

The search the excellent Cloud Platform documentation to see if an automation to allow this already exists. Otherwise write one.

This is not the best place to do your firewalling from, as its one more configuration to keep up to date. I would recommend an application firewall, or just adding a rate limit to your existing firewall. The chances of someone logging into your servers if you use keys, is virtually 0, even with a 14 character random password, and rate limited new connections. If you use keys or a password manager (as you should), use fail2ban.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Pybe
Solution 2
Solution 3 Daniel Emiliano
Solution 4

Related Questions

How to use use Firestore document field's HashMap key value and populate recyclerview?

how to keep GKE cluster nodes in different regions?

Google Cloud TTS API for M1 Mac

Is it possible to render a video from AfterEffects in a Google Collaboratory notebook?

Allow-IAP Firewall Rule created in default VPC in GCP getting reflected in other VPC as well

Attribute Error when importing SpeechClient from google.cloud.speech

GCP Cost billing data

What is the difference between gcloud and gsutil?

Volume not persistent in Google Cloud

Permission Denied when trying to write on a TPU VM foler

Google Cloud Free Tier will start charging for static or ephemeral IP Address?

How to create a empty folder in google storage(bucket) using gsutil command?

How can size of the root disk in Google Compute Engine be increased?

Cannot switch Firestore from Datastore to native mode on GCP

action console simulator is not working and I cannot release my project