-1

As per title, for example if I disable SSH access into VMs on GCP, but someone wants to remotely manage VMs, build Docker containers or manage Cloud Storage objects, what do they have to do?

  1. Grant people access to use Google Cloud Shell
  2. Configure a VPN connection to GCP to allow SSH access to Cloud VMs.

My thoughts:

  1. If people ask for remote access to a VM just like SSH, then if the machine still has an external IP, they can access SSH using Cloud Shell
  2. Option 2 is possible if they mention external IP is removed but it seems like that is not the case.
Dave M
infotechsups

1 Answer

0

If you want containers on GCP, consider Kubernetes Engine. GKE uses kubectl as its interface to the cluster, as allowed by users' roles in IAM. No one needs to SSH into the cluster nodes.


SSH is the only good way to get a shell on a GCP Linux instance. Access is controlled in two ways:

  1. Who has the private SSH key associated with the public keys in the project and instance.
  2. Firewall rules controlling ingress SSH traffic, by GCP instance tag or source range.

Only give operations the prod SSH keys. Developers and other users don't get a shell; they use your deployment scripts and remote monitoring.

Note that if you use Cloud Shell, you need a route from it to your VPC. That could be through your Internet access, which poses a challenge if you remove the public IP.

Finally, GCP instances can have a serial console, but its auth is the SSH keys and there are no IP restrictions. You need this to fix an instance without SSH, but it is strictly worse as access control for users.

John Mahowald
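
An added example, not part of the answer above: a Python check over firewall rules exported with `gcloud compute firewall-rules list --format=json`, flagging enabled ingress rules that leave SSH reachable from any source range. The rule names and ranges in `SAMPLE_RULES` are constructed, and the function names are this example's own.

```python
import ipaddress
import json

# Constructed sample in the shape of the Compute Engine firewall resource.
SAMPLE_RULES = json.loads("""
[
 {"name": "allow-ssh-any", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-ssh-ops", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
  "targetTags": ["ops-ssh"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-range-tagged", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "targetTags": ["web"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-25", "443"]}]},
 {"name": "allow-https", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
 {"name": "old-ssh-disabled", "direction": "INGRESS", "disabled": true,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]}
]
""")

def allows_ssh(rule):
    """True if any allow entry covers TCP port 22 (no ports listed means all ports)."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol", "").lower() not in ("tcp", "6", "all"):
            continue
        ports = entry.get("ports")
        if not ports:
            return True
        for spec in ports:  # each spec is a single port "22" or a range "20-25"
            low, _, high = spec.partition("-")
            if int(low) <= 22 <= int(high or low):
                return True
    return False

def audit_ssh_ingress(rules):
    """Return (name, finding) for enabled ingress rules exposing SSH to any source."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not allows_ssh(rule):
            continue
        if any(ipaddress.ip_network(r, strict=False).prefixlen == 0
               for r in rule.get("sourceRanges", [])):
            targeted = rule.get("targetTags") or rule.get("targetServiceAccounts")
            scope = "targeted instances only" if targeted else "every instance in the network"
            findings.append((rule["name"], f"SSH open to any source on {scope}"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_ssh_ingress(SAMPLE_RULES):
        print(f"{name}: {finding}")
```
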