I use public cloud every day, I wish there was an Open Source Cloud mananged by Apache or similar but alas we have what we have, for now. So I use AWS, GCP, Azure and more and this post is about the Google Cloud Identity Aware Proxy and a recent issue I had.
Protecting your data in the cloud should always be your first priority, and to acheive this in GCP one of my methods is to implement the Google Cloud Healthcare Data Protection Suite. It can be a little rough at first due to little documentation, but I have implemented it enough now to know how to use it and how to extend it to meet specific organizational requirements. Dive in, it’s good stuff.
I was thinking of posting some tips on the Data Protection Suite over time and here is my first.
So an error message you may see after implementation is:
Connection via Cloud Identity-Aware Proxy Failed Code: 1006 Please ensure you can make a proper https connection to the IAP for TCP hostname: https://tunnel.cloudproxy.app
To correct this you need to navigate to the host project for your shared VPC that has been deployed by the Data Protection Suite and enable the IAP address range to have port 22 access. This step will not allow external access to your data but allows the use of various GCP tools within the shared VPC.
When you have the host project open in your GCP Console go to => VPC network => Firewall rules => Create Firewall Rule, and then add the following rule, obviously adhering to your own naming conventions as required:
Name: allow-ingress-from-iap Direction of traffic: Ingress Target: All instances in the network Source filter: IP ranges Source IP ranges: 126.96.36.199/20 Protocols and ports: select TCP and enter 22 to allow SSH