0 votes

On Google Cloud I have a VM that I would like almost completely cut off from the internet (for security reasons). I know I can cut it off via both iptables and Cloud Firewall rules, including outgoing traffic.

However, I still require the VM to read and write data to a Cloud Storage bucket, which of course uses HTTPS and (fairly) random external IPs.

Any way to allow Cloud Storage access, but deny everything else that is outgoing?

So far I figured I can probably set up an HTTPS proxy that only allows access to certain domains, but it feels like a bit of a hack (plus it requires another service).


1 Answer

2 votes

Turns out that you can (not sure since when, I haven't seen this feature before) configure "Private Google Access" which looks to fit my use case.

From the documentation:

Private Google access enables virtual machine (VM) instances on a subnetwork to reach Google APIs and Services using an internal IP address rather than an external IP address. External IP addresses are routable and reachable over the Internet. Internal (private) IP addresses are internal to Google Cloud Platform and are not routable or reachable over the Internet. You can use Private Google access to allow VMs without Internet access to reach Google services.

The how-to is too long to fit in a Q&A, but the Configuring Private Google Access page should work (Google tend to be quite good at not changing their documentation URLs).

You can tag a subnet that it should allow "private ip google access" using:

gcloud compute networks subnets update subnet-a \
    --enable-private-ip-google-access

Description of this parameter from the docs:

 --enable-private-ip-google-access
    Enable/disable access to Google Cloud APIs from this subnet for
    instances without a public ip address.
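The answer gives the subnet flag; what it does not show is how that flag combines with egress firewall rules so that Cloud Storage stays reachable while everything else is denied. Private Google Access only changes the routing of traffic to Google API addresses, so a deny-all egress rule would still block it. The usual way to get a single, fixed destination to allow is to resolve *.googleapis.com to the private.googleapis.com VIP via a private Cloud DNS zone and allow HTTPS egress to that /30 only. The script below is an added example, not part of the original answer or Google's documentation; it assumes the private.googleapis.com range 199.36.153.8/30 (documented by Google but not on this page), uses placeholder names for the network, region, zone, VM and firewall rules, and lets `GCLOUD=echo` print the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): lock a subnet down so VMs
# with no external IP can reach only Google APIs (Cloud Storage included)
# through Private Google Access, while all other egress is denied.
#
# Assumptions (not on the original page): private.googleapis.com resolves
# to 199.36.153.8/30; network/subnet/region/zone/VM names are placeholders.
# Set GCLOUD=echo to print the commands instead of executing them.
set -eu

GCLOUD="${GCLOUD:-gcloud}"
NETWORK="${NETWORK:-locked-net}"          # placeholder VPC name
SUBNET="${SUBNET:-subnet-a}"              # subnet name used in the answer
REGION="${REGION:-europe-west1}"          # placeholder region
VM="${VM:-storage-worker}"                # placeholder instance name
ZONE="${ZONE:-europe-west1-b}"            # placeholder zone
PGA_RANGE="199.36.153.8/30"               # private.googleapis.com VIP range

# 1. Enable Private Google Access on the subnet (the answer's command,
#    with the --region the update requires).
enable_private_google_access() {
  "$GCLOUD" compute networks subnets update "$SUBNET" \
    --region "$REGION" \
    --enable-private-ip-google-access
}

# 2. Drop the VM's external IP: PGA applies to instances without one, and
#    without it the VM cannot talk to the internet directly at all.
#    "external-nat" is the default access-config name.
remove_external_ip() {
  "$GCLOUD" compute instances delete-access-config "$VM" \
    --zone "$ZONE" \
    --access-config-name "external-nat"
}

# 3. Egress firewall: deny everything at low priority, then allow only
#    HTTPS to the PGA VIP range at a higher (numerically lower) priority.
create_egress_rules() {
  "$GCLOUD" compute firewall-rules create deny-all-egress \
    --network "$NETWORK" --direction EGRESS --action DENY \
    --rules all --destination-ranges 0.0.0.0/0 --priority 65000
  "$GCLOUD" compute firewall-rules create allow-egress-google-apis \
    --network "$NETWORK" --direction EGRESS --action ALLOW \
    --rules tcp:443 --destination-ranges "$PGA_RANGE" --priority 1000
}

# 4. Private DNS zone so storage.googleapis.com (and every other
#    *.googleapis.com name) resolves to the VIP rather than to Google's
#    public ranges; this is what makes the single allow rule sufficient.
create_private_dns() {
  "$GCLOUD" dns managed-zones create googleapis-private \
    --dns-name "googleapis.com." --visibility private \
    --networks "$NETWORK" --description "Route Google APIs via the PGA VIP"
  "$GCLOUD" dns record-sets create "private.googleapis.com." \
    --zone googleapis-private --type A --ttl 300 \
    --rrdatas "199.36.153.8,199.36.153.9,199.36.153.10,199.36.153.11"
  "$GCLOUD" dns record-sets create "*.googleapis.com." \
    --zone googleapis-private --type CNAME --ttl 300 \
    --rrdatas "private.googleapis.com."
}

# Apply all four steps in order.
lockdown() {
  enable_private_google_access
  remove_external_ip
  create_egress_rules
  create_private_dns
}

# Execute only when invoked as: ./lockdown.sh apply
if [ "${1:-}" = "apply" ]; then
  lockdown
fi
```

After this, a request to storage.googleapis.com from the VM resolves to the VIP, matches the 199.36.153.8/30 allow rule, and is delivered to Cloud Storage over Google's internal path; any other destination hits the deny-all rule. The default route to default-internet-gateway must still exist on the VPC for Private Google Access to work, even though no external IP is attached.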