Question
I need to prevent users from accessing the site through the External IP Address on Compute Engine; they should be able to access the site only via the domain name (www.some-domain.com), not the IP Address itself.
Let's say the instance's IP Address on Compute Engine is A.A.A.A. I am using a Load Balancer to redirect it to a secure connection, with these settings:
- Frontend
  - HTTP : B.B.B.B:80
  - HTTPS : B.B.B.B:443
- Backend
  - Redirected to the active instance
And I am pointing the DNS (A) record to B.B.B.B.
Now I am able to access https://www.some-domain.com. But the problem is, I can still access the site with A.A.A.A and B.B.B.B.
This is my current firewall configuration:
How to prevent this? Thanks.
Answer 1:
Your problem is very similar to configuring the Google Identity Aware Proxy, which is part of the Google BeyondCorp architecture and, providing your users have Google IDs, is very effective.
The docs explain the process for setting up the IAP but it also helps explain how to configure the moving parts. You need to:
- Set your A record on your DNS to the public front-end of your load balancer.
- Configure your firewall rule on your GCE instance to not permit any traffic from the Internet, but only allow it from the load balancer. The load balancer has a helpful graphic to show the rules.
- Configure your load balancer back end to direct traffic from your front-end to the GCE instance. I have TLS over the internet to the LB and then HTTP from the LB to my instance, but you don't have to.
Your load balancer will then take the HTTP/S traffic and forward it to the back end using the forwarding rule that you set up when configuring it. If you try to go to the instance IP directly, then the firewall will block you. For testing, you can enable an allow from your client IP, and then you will see that you don't get the headers.
Answer 2:
Well, there are a couple of things you can do:
1- Remove the External IP from the VM instance
2- Create a specific firewall rule to only allow access from a specific subnet range
Let me elaborate:
For 1:
Using the web console, you only need to edit the VM details, go to the network interfaces settings and choose None in the External IP drop-down menu, then save the new configuration. All of this can be done without stopping the VM instance.
For 2:
Create a couple of firewall rules with the same configuration as default-allow-http and default-allow-https, but under "Filter" you need to specify the "public" subnet range you want to allow (your data center range, for example). These new firewall rules must have a lower priority value to take precedence over the existing ones. Once you validate that it is working properly, you can delete the old ones. Video: GCP Firewall.
I hope that helps; if you need more assistance, just write me a comment.
Answer 3:
Here's how I fixed this issue:
- In your GCP Account:
- Go to VPC Networks, then to Firewall rules.
- You need to create 2 firewall rules:
  1) Allow all traffic coming from Google health checks and your own load balancer.
     - Priority: 500
     - Direction: Ingress
     - Action on match: Allow
     - Target tags: if you want to apply this rule only to 1 instance, then open the VM Instance, edit it, create the specific network target tag, save it and then add it here.
     - IP ranges: 35.191.0.0/16 and 130.211.0.0/22 https://cloud.google.com/load-balancing/docs/https#source_ip_addresses
  2) Deny all traffic.
     - Priority: 900
     - Direction: Ingress
     - Action on match: Deny
     - Target tags: put here the same network target tag(s).
     - IP ranges: 0.0.0.0/0
That's it. If you put the IP of the VM Instance in your browser, it will fail. The access will be forced through the Load Balancer.
In the GCP project menu
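The following shell script is an added example, not code from any of the answers above, that turns Answer 3's two firewall rules and both of Answer 2's options into gcloud commands. The network name `default`, the network tag `web`, the instance name `web-1`, the zone `us-central1-a` and the trusted range `203.0.113.0/24` are placeholders; the load-balancer and health-check source ranges are the ones quoted in Answer 3. Setting `GCLOUD=echo` prints the commands instead of running them, which is a convenient way to review them before applying.

```shell
#!/bin/sh
# Added example (not from the Stack Overflow answers): Answer 3's allow/deny pair
# and Answer 2's two options as gcloud commands. Placeholders: network "default",
# tag "web", instance "web-1", zone "us-central1-a". Override GCLOUD (e.g.
# GCLOUD=echo) to print the commands instead of executing them.

# Source ranges used by Google HTTP(S) load balancers and health checkers (from the answer).
LB_RANGES="35.191.0.0/16,130.211.0.0/22"

gc() { "${GCLOUD:-gcloud}" "$@"; }

# Answer 3, rule 1: allow HTTP/HTTPS only from the load balancer and health checkers.
# Priority 500 beats the default-allow-http/https rules (priority 1000).
create_allow_from_lb() {
  tag="$1"
  gc compute firewall-rules create "allow-lb-to-${tag}" \
    --network=default --direction=INGRESS --priority=500 \
    --action=ALLOW --rules=tcp:80,tcp:443 \
    --source-ranges="$LB_RANGES" --target-tags="$tag"
}

# Answer 3, rule 2: deny everything else to the tagged instances. Priority 900 is
# still below 1000, so it shadows the default allow rules for this tag.
create_deny_all() {
  tag="$1"
  gc compute firewall-rules create "deny-all-to-${tag}" \
    --network=default --direction=INGRESS --priority=900 \
    --action=DENY --rules=all \
    --source-ranges=0.0.0.0/0 --target-tags="$tag"
}

# Answer 2, option 2: same shape as the LB allow rule, but for a trusted range
# (e.g. your data center), so only that range reaches the instance directly.
create_allow_from_trusted() {
  tag="$1"; range="$2"
  gc compute firewall-rules create "allow-trusted-to-${tag}" \
    --network=default --direction=INGRESS --priority=500 \
    --action=ALLOW --rules=tcp:80,tcp:443 \
    --source-ranges="$range" --target-tags="$tag"
}

# Answer 2, option 1: remove the instance's external IP so A.A.A.A no longer exists.
# "External NAT" is the access-config name the console uses by default; instances
# created with gcloud may use "external-nat" instead (assumption: check with
# `gcloud compute instances describe`).
remove_external_ip() {
  instance="$1"; zone="$2"
  gc compute instances delete-access-config "$instance" --zone="$zone" \
    --access-config-name="External NAT"
}

# Show every rule that targets the tag, highest precedence (lowest number) first,
# to confirm the allow rule sorts above the deny rule and both above the defaults.
list_rules_for_tag() {
  gc compute firewall-rules list --filter="targetTags:$1" --sort-by=priority \
    --format="table(name,priority,direction,sourceRanges.list())"
}

# Usage (after `. ./lb_only.sh`):
#   create_allow_from_lb web && create_deny_all web && list_rules_for_tag web
#   remove_external_ip web-1 us-central1-a
```

Two caveats a practitioner should keep in mind. First, the deny rule at 0.0.0.0/0 also blocks SSH from the internet to the tagged instances, so administrative access then needs its own allow rule (for IAP TCP forwarding, the source range is 35.235.240.0/20). Second, these rules only stop direct access to A.A.A.A; requests sent to the load balancer's own address B.B.B.B still arrive at the backend, so rejecting them requires a host-based check on the web server (or a URL map host rule on the load balancer) that serves only `www.some-domain.com`.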
Source: https://stackoverflow.com/questions/57355533/how-to-prevent-public-access-to-compute-engine-external-ip-address