
Lab Review: Implement Private Google Access and Cloud NAT

In this lab, you created an instance with no external IP address and accessed it using Cloud IAP. You then enabled Private Google Access, configured a NAT gateway, and verified that vm-internal can access Google APIs and services and other public IP addresses. VM instances without external IP addresses are isolated from external networks. Using Cloud NAT, these instances can access the Internet for updates and patches, and in some cases for bootstrapping. As a managed service, Cloud NAT provides high availability without user management and intervention. Let me walk you through the lab. Now, remember that the GCP user interface can change, so your environment might look slightly different. So the first thing I'm going to do is create the VM instance. Before that, we are also going to have to create a VPC network and some firewall rules. So let me go to the navigation menu and scroll down to VPC networks. We're going to create a network and call it privatenet. So I'm going to name it privatenet and keep the subnet creation mode as custom. We're just going to create one subnet in here. We're going to call it privatenet-us. Let's place this in the us-central1 region, as given to us in the instructions. Here we go, and we even have an IP address range for that. Now, we are going to enable Private Google Access later, so you want to keep that off for now. I turned it on by accident. So you can see the effect of it being off. So let me click "Done" and click "Create". Now, I'm going to wait for this network to be created, and once it's up and running, we're going to add a firewall rule because we want to allow SSH to the instance that we're going to put on this network. So I can see the network here. A firewall rule is created for a network, so I had to wait for that to be ready. So let me go to firewall rules, create a firewall rule, and give it a name. Specify that the network is privatenet. Let's just do all instances and source IP ranges.
Now, rather than just saying, "Hey, you can SSH to this instance from anywhere," we are actually going to give it a very specific range. This is because we're using Cloud IAP. So we're going to use a Cloud IAP tunnel, and because of that, we can limit the source range. Now, this is for an SSH connection, so I want to enable TCP port 22, and then click "Create". While this is creating, I can go ahead and create my Compute Engine instance. So let's go to "Compute Engine" and click "Create". We're going to give it the name vm-internal. Now, we need to make sure we choose a region for which we've created a subnet. So us-central1, so us-central1-c. I can keep the machine type as the standard n1-standard-1, 1 virtual CPU, and I'm going to scroll down. The important thing is I need to select the actual VPC network. Let's go to networking. Under networking, we're going to edit the network interfaces. I want to select the privatenet network. It only has one subnet, and I'm going to set the external IP address to none. Click "Done" and click "Create". So this is a way to create a private instance that has no external IP address. Let me close this. Now, when the instance comes up, you will see that we won't be able to directly SSH to it because it doesn't have an external IP address. So if we use this, this wouldn't work for us, so instead what we're going to use is an IAP tunnel. For that, we're going to open Cloud Shell. So let me click "Activate Cloud Shell", and that popped up in a new window. That can certainly happen sometimes. Looks like there's some A/B testing going on here. So here I have Cloud Shell; it doesn't look like it has the correct project set. So let's actually do that. I'm going to set the project and just grab the project ID from here, and set this up for the correct project, and there we can see that now. So it's set up, and now what I'm going to do is run the command to SSH from here.
I'm going to specify that this is through IAP, and then I want to confirm. For the passphrase, we're just going to hit "Enter" and then "Enter" again. Once this is complete, we should now see that the command prompt has changed to vm-internal. So we're now in vm-internal. It doesn't have an external IP address, but let's confirm that we can't just ping the World Wide Web. This ping command isn't working because vm-internal does not have an external IP address. So we can wait for this to complete, and it's failing. Again, when instances don't have external IP addresses, they can only be reached by other instances on the network, either through a managed VPN gateway or a Cloud IAP tunnel, and Cloud IAP enables context-aware access to VMs through SSH and RDP without a bastion host. That would be the other idea or option. We could create a bastion host, but that would still have an external IP. Then we're just using the bastion host to then connect to this. Instead, we can just use Cloud Shell and IAP. So this isn't working. So what we're going to do now is look into Private Google Access. So currently, a VM instance with no external IP address can use Private Google Access to reach the external IP addresses of Google APIs and services. But by default, this is disabled. We saw that earlier; we left it as disabled. So let's test the effect of this being disabled. I'm going to go to the navigation menu, and we're going to create a Cloud Storage bucket. So let's go to "Storage". I'm going to click "Create Bucket". Now, the most difficult piece is you need to have a unique bucket name. You could do that by grabbing the ID of a project. Click Continue, you can leave this as Multi-region, we can leave everything else at the default, and just click Create. The important thing is you're going to have to remember that bucket name, so here's the bucket. So what I'm going to do now is go back to Cloud Shell. Importantly, I'm still in my VM instance here.
So I want to change that, so let me exit out of here. So now I'm back in Cloud Shell, and then I'm going to run a command to copy an image from a public bucket to my bucket, but I need to specify what my bucket is. So I can take the name of the bucket and add that here to copy this image, so that worked. We can go in here and refresh to verify that we now have an image in here. You can actually click on this image, and this just shows you how Private Google Access is implemented depending on whether it's on or off for a network. We're going to explore that a little bit more. So now what we're going to do is try to copy this image, first from Cloud Shell. Well, Cloud Shell has an external IP address, so that is going to work; run that. I need to actually click Enter. Obviously, I didn't specify my bucket; that is on me. So I need to change my bucket, so a typical error that you might see. Let me grab the name of the bucket and place it in there. Let's try that again, okay, that works. We even used Cloud Shell to move this image anyway, so we're able to access Cloud Storage currently through Cloud Shell. Let's go back to our vm-internal. So we use the same command used earlier to SSH through an IAP tunnel. Here, I can see the command prompt changed. Now, I'm just going to copy the same command here to copy this image, so I don't have to change the bucket name a couple of times, and we're going to run that. We should see that this does not work, because currently vm-internal can only send traffic within the VPC network because, again, Private Google Access is disabled. So we have two options: we can wait for this to fail and give us an error, or we can use Control C to just stop the request. So let's actually just stop this. What we do now is enable Private Google Access. So let's go back to the Cloud Console, the Navigation menu, and I'm going to navigate to my VPC network, specifically privatenet. Private Google Access is enabled at the subnet level.
So I'm going to go directly to the subnet, click the Edit icon, scroll down and enable Private Google Access, or set it to on, and click Save. I'm going to wait for this to update, and then I'm going to come back to my instance, my SSH session through Cloud Shell, and just try to run the command again. So it looks like it's all set; you can also see that here. Going back to my SSH window, run that command again, and now it works. So that's how easy it is to enable Private Google Access. So now, in this last task of the lab, we're going to configure a Cloud NAT gateway. Now, although our instance here, vm-internal, can now access certain Google APIs and services without an external IP address, the instance cannot access the Internet for updates and patches. So for that, we're going to configure our Cloud NAT gateway, but again, we're going to try this behavior first without the NAT gateway and then we're going to enable it. So what we're going to do is I'm going to exit here to just get to my Cloud Shell instance. There we go; you can see the command prompt changed to Cloud Shell. I'm just going to run sudo apt-get update, and that should obviously work for my Cloud Shell instance because it has an external IP address. So we can see it's getting all these packages, and that is working just fine. So now that's complete, we're going to use the SSH command again, using the IAP tunnel, to get to vm-internal; there we can see this change. Now we're going to run the same command here. You might say, "Well, hold on." It's actually able to get some of these packages. Yes, that's because we've enabled Private Google Access, so it's able to get those within Google. Once it's trying to get something else here, it's failing. So we can just stop that; this is not going to happen. Now we're going to go ahead and configure the Cloud NAT gateway and then try to run that command again. So let's go to the Cloud Console and, under the Navigation menu, we're going to go to Network services and Cloud NAT.
We're going to click Get started and just give this a name, nat-config. It's just a name that we have in the lab instructions. You really want to follow these lab instructions because any of our labs that are scored will use names that we're defining in the lab instructions. So I want this to be on privatenet; the region is us-central1. For Cloud Router, we currently don't have one, so we're going to go create one. This is super simple: you just give it a name and click Create. Now, there's also a NAT mapping section, and this allows you to choose the subnets to map to the NAT gateway, so you could manually assign static IP addresses that should be used when performing NAT. But in this case, we're not going to get that fancy; we're just going to click Create. We're going to wait now for the gateway status to change to running. So we can see that the status changed to running; it actually only took a couple of seconds. Now, even though this is running, it may actually take up to three minutes for the NAT configuration to propagate all the way to the VM. So you want to wait at least a minute before trying to access the Internet again. What I mean by that is, in our SSH session that we currently still have to vm-internal, we're going to run the command again. I want to make sure it works this time. So I could actually just try it right now and see if it's ready or not. If I do, you see it's still failing at that step. So let me hit Control C, let's wait a couple more minutes, and then try to run the command again. So we've waited a couple of minutes; let's try to run the command one more time, and now we can see that's working. It's getting all the packages, and with that we can confirm that the Cloud NAT gateway is now working. Now, a couple of things to remember: the Cloud NAT gateway implements outbound NAT, but not inbound NAT.
In other words, what that means is that hosts outside of your VPC network can only respond to connections initiated by your instances. They cannot initiate their own new connections to your instances via the NAT, so keep that in mind. The other thing is, in this lab we used IAP, and IAP uses your existing project roles and permissions when you connect to VM instances. So by default, instance owners, which you are since you created this instance, are the only ones that have the IAP-secured Tunnel User role. If you want to allow other users to connect to the VM using IAP tunneling, you need to grant them those roles. You can actually do that directly through the Navigation menu: go to Cloud IAP and just give people those roles. That's the end of the lab.
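The steps walked through above (custom VPC and subnet, an SSH rule restricted to the IAP range, a VM with no external IP, IAP-tunnelled SSH, Private Google Access on the subnet, and a Cloud NAT gateway behind a Cloud Router) can also be reproduced from Cloud Shell with gcloud. The script below is an added example and is not part of the lab or of Google's own materials. It assumes a subnet range of 10.130.0.0/20, a firewall rule named privatenet-allow-ssh and a router named nat-router (none of which the transcript states), and takes the project from a PROJECT_ID placeholder; 35.235.240.0/20 is the published source range that IAP TCP forwarding connects from, which is the "very specific range" the speaker refers to. With DRY_RUN=1 it prints each gcloud command instead of running it, so you can review the plan before applying it; the final verify step checks the two properties that matter for the security posture, namely that the VM has no external IP and that the subnet reports Private Google Access as enabled.

```shell
#!/bin/sh
# Added example (not from the lab): the console steps above as gcloud commands.
# Assumed (not stated on the page): SUBNET_RANGE, the firewall-rule and router
# names, and the PROJECT_ID placeholder. IAP_RANGE is the documented IAP
# TCP-forwarding source range.
set -eu

PROJECT_ID="${PROJECT_ID:-PLACEHOLDER_PROJECT_ID}"   # replace with your project id
REGION="us-central1"
ZONE="us-central1-c"
NETWORK="privatenet"
SUBNET="privatenet-us"
SUBNET_RANGE="10.130.0.0/20"          # assumed; the transcript does not quote it
VM="vm-internal"
IAP_RANGE="35.235.240.0/20"           # IAP TCP-forwarding source range
NAT_ROUTER="nat-router"               # assumed name
NAT_GATEWAY="nat-config"

# Print the command instead of running it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

create_network() {
    run gcloud compute networks create "$NETWORK" --project="$PROJECT_ID" --subnet-mode=custom
    # Private Google Access is deliberately left off here; it is enabled later.
    run gcloud compute networks subnets create "$SUBNET" --project="$PROJECT_ID" \
        --network="$NETWORK" --region="$REGION" --range="$SUBNET_RANGE"
}

# SSH is allowed only from the IAP range, never from 0.0.0.0/0.
create_iap_ssh_rule() {
    run gcloud compute firewall-rules create privatenet-allow-ssh --project="$PROJECT_ID" \
        --network="$NETWORK" --direction=INGRESS --allow=tcp:22 --source-ranges="$IAP_RANGE"
}

# --no-address is what makes the instance private (no external IP).
create_private_vm() {
    run gcloud compute instances create "$VM" --project="$PROJECT_ID" --zone="$ZONE" \
        --machine-type=n1-standard-1 --subnet="$SUBNET" --no-address
}

# Interactive SSH through the IAP tunnel, as done in Cloud Shell in the lab.
ssh_via_iap() {
    run gcloud compute ssh "$VM" --project="$PROJECT_ID" --zone="$ZONE" --tunnel-through-iap
}

# Private Google Access is a subnet-level setting.
enable_private_google_access() {
    run gcloud compute networks subnets update "$SUBNET" --project="$PROJECT_ID" \
        --region="$REGION" --enable-private-ip-google-access
}

# Cloud NAT needs a Cloud Router; the gateway here covers all subnet ranges.
create_cloud_nat() {
    run gcloud compute routers create "$NAT_ROUTER" --project="$PROJECT_ID" \
        --network="$NETWORK" --region="$REGION"
    run gcloud compute routers nats create "$NAT_GATEWAY" --project="$PROJECT_ID" \
        --router="$NAT_ROUTER" --region="$REGION" \
        --auto-allocate-nat-external-ips --nat-all-subnet-ip-ranges
}

# Checks: first command should print nothing (no external IP); second should print True.
verify() {
    run gcloud compute instances describe "$VM" --project="$PROJECT_ID" --zone="$ZONE" \
        --format='value(networkInterfaces[0].accessConfigs[0].natIP)'
    run gcloud compute networks subnets describe "$SUBNET" --project="$PROJECT_ID" \
        --region="$REGION" --format='value(privateIpGoogleAccess)'
}

provision_all() {
    create_network
    create_iap_ssh_rule
    create_private_vm
    enable_private_google_access
    create_cloud_nat
    verify
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "apply" ]; then
    provision_all
fi
```

Run it as `DRY_RUN=1 sh private-vm.sh apply` to see the plan, then `PROJECT_ID=<your-project> sh private-vm.sh apply` to create everything; the order matters because the firewall rule and the subnet both reference the network, and the NAT gateway references the router. Note that the script does not grant the IAP-secured Tunnel User role to anyone else, matching the lab, where only the instance owner can open the tunnel.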
