Solution To Build and Secure Networks in Google Cloud: Challenge Lab

Posted on by

Solution To Build and Secure Networks in Google Cloud: Challenge Lab

Disclaimer: Please this blog was meant for those who have gotten stuck whilst taking the third challenge lab on the Qwiklabs Platform. You can also read this before you take the lab too, no problem, but please do keep in mind you’ve to understand all the concepts as you go through the lab.

Let’s set the ball rolling

1.Remove the overly permissive rules

gcloud compute firewall-rules delete open-access

2.Start the bastion host instance

In this step, you have a virtual machine and want to start.

  • In the GCP Console go to Navigation Menu >Compute Engine > VM Instance.
  • Click on the box next to the instance named bastion.
  • Click on Start to run the instance.

3.Create a firewall rule that allows SSH (tcp/22) from the IAP service and add network tag on bastion

In this step, you have to create a firewall rule that allows SSH (tcp/22) from the IAP service.

Add network tag on bastion VM.

  • Go to the VM Instance page, click on the bastion instance and click the Edit option
  • Now Add bastion to the Network tags field.
  • At the end of the page click Save.

Now you have to create a firewall for bastion

gcloud compute firewall-rules create ssh-ingress --allow=tcp:22 --source-ranges 35.235.240.0/20 --target-tags [NETWORK TAG-1] --network acme-vpc

gcloud compute instances add-tags bastion --tags=[NETWORK TAG-1] --zone=us-central1-b

Replace the “[NETWORK TAG]” with the network tag provided in the lab.

4. Create a firewall rule that allows traffic on HTTP (tcp/80) to any address and add network tag on juice-shop

In this step, you have to create a firewall rule that allows traffic on HTTP (tcp/80) to any address.

  • In the GCP Console go to Navigation Menu >VPC Network > Firewall.
  • Click Create firewall rule.
gcloud compute firewall-rules create http-ingress --allow=tcp:80 --source-ranges 0.0.0.0/0 --target-tags [NETWORK TAG-2] --network acme-vpc

gcloud compute instances add-tags juice-shop --tags=[NETWORK TAG-2] --zone=us-central1-b

5.Create a firewall rule that allows traffic on SSH (tcp/22) from acme-mgmt-subnet network address and add network tag on juice-shop

In this step, you have to create a firewall rule that allows traffic on SSH (tcp/22) from acme-mgmt-subnet network address.

  • In the GCP Console go to Navigation Menu >VPC Network.
  • Copy the IP address of the aceme-mgmt-subnet.
  • In the GCP Console go to Navigation Menu >VPC Network > Firewall> Firewall Rules.
  • Click Create firewall rule.
gcloud compute firewall-rules create internal-ssh-ingress --allow=tcp:22 --source-ranges 192[dot]168[dot]10[dot]0/24 --target-tags [NETWORK TAG-3] --network acme-vpc

gcloud compute instances add-tags juice-shop --tags=[NETWORK TAG-3] --zone=us-central1-b

6.SSH to bastion host via IAP and juice-shop via bastion

After configuring the firewall rules, try to verify the environment via the bastion.

  • In the GCP Console go to Navigation Menu >Compute Engine > VM Instance.
  • Copy the Internal IP of the juice-shop instance.
  • Then click on the SSH button in the row of the bastion instance.
  • From the SSH console, access the juice-shop from the bastion using the following command:
ssh <internal-IP-of-juice-shop>

Note:Replace with Internal IP

Image description

Congratulations! Done with the challenge lab.