GSP322 : Build and Secure Networks in Google Cloud: Challenge Lab :-
----------------------------------------------------------------------------------------------------------------------------------------------
Task 1 : Remove the overly permissive rules :-
gcloud compute firewall-rules delete open-access
----------------------------------------------------------------------------------------------------------------------------------------------
Task 2 : Start the bastion host instance :-
// Go to Compute Engine -> VM Instances and start the "bastion" instance.
----------------------------------------------------------------------------------------------------------------------------------------------
Task 3 : Create a firewall rule that allows SSH (tcp/22) from the IAP service and add network tag on bastion :-
gcloud compute firewall-rules create ssh-ingress --allow=tcp:22 --source-ranges 35.235.240.0/20 --target-tags ssh-ingress --network acme-vpc
gcloud compute instances add-tags bastion --tags=ssh-ingress --zone=us-central1-b
----------------------------------------------------------------------------------------------------------------------------------------------
Task 4 : Create a firewall rule that allows traffic on HTTP (tcp/80) to any address and add network tag on juice-shop :-
gcloud compute firewall-rules create http-ingress --allow=tcp:80 --source-ranges 0.0.0.0/0 --target-tags http-ingress --network acme-vpc
gcloud compute instances add-tags juice-shop --tags=http-ingress --zone=us-central1-b
----------------------------------------------------------------------------------------------------------------------------------------------
Task 5 : Create a firewall rule that allows traffic on SSH (tcp/22) from acme-mgmt-subnet network address and add network tag on juice-shop :-
gcloud compute firewall-rules create internal-ssh-ingress --allow=tcp:22 --source-ranges 192.168.10.0/24 --target-tags internal-ssh-ingress --network acme-vpc
gcloud compute instances add-tags juice-shop --tags=internal-ssh-ingress --zone=us-central1-b
----------------------------------------------------------------------------------------------------------------------------------------------
Task 6 : SSH to bastion host via IAP and juice-shop via bastion :-
// In the Compute Engine -> VM Instances page, click the SSH button for the bastion host (this goes through IAP, which the ssh-ingress rule allows). Then, from the bastion, SSH to juice-shop over the internal network with :-
ssh [Internal IP address of juice-shop]
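Added example, not part of this walkthrough or of the lab itself: a Python audit over the JSON that `gcloud compute firewall-rules list --format=json` prints, checking the end state Tasks 1 to 5 aim for, namely that no rule like open-access survives and that tcp/22 is reachable only from the IAP range and acme-mgmt-subnet. The sample rules are constructed inline and the check names and thresholds (what counts as "overly permissive") are my own, not the lab's.

```python
import ipaddress
import json

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`, trimmed to
# the fields the audit reads. Names and ranges are the lab's; "open-access" is what Task 1 deletes.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "open-access", "sourceRanges": ["0.0.0.0/0"], "targetTags": [],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "ssh-ingress", "sourceRanges": ["35.235.240.0/20"], "targetTags": ["ssh-ingress"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "http-ingress", "sourceRanges": ["0.0.0.0/0"], "targetTags": ["http-ingress"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "internal-ssh-ingress", "sourceRanges": ["192.168.10.0/24"],
     "targetTags": ["internal-ssh-ingress"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
])
WORLD = ipaddress.ip_network("0.0.0.0/0")
# The only sources that may reach tcp/22: the IAP TCP-forwarding range and acme-mgmt-subnet.
ALLOWED_SSH_SOURCES = [ipaddress.ip_network("35.235.240.0/20"), ipaddress.ip_network("192.168.10.0/24")]

def opened(rule):
    """(protocol, port) pairs the rule opens; port "*" stands for every port of that protocol."""
    return {(e["IPProtocol"].lower(), p) for e in rule.get("allowed", [])
            for p in (e.get("ports") or ["*"])}

def is_overly_permissive(rule):
    """True for an enabled ingress rule that opens every protocol or port, has no target
    (so it applies to every VM in the VPC), or admits 0.0.0.0/0 to anything but tcp/80."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
        return True
    world = any(ipaddress.ip_network(r) == WORLD for r in rule.get("sourceRanges", []))
    return any(proto == "all" or port == "*" or (world and (proto, port) != ("tcp", "80"))
               for proto, port in opened(rule))

def ssh_source_violations(rules):
    """Names of rules that expose tcp/22 (or everything) from a range outside ALLOWED_SSH_SOURCES."""
    bad = []
    for rule in rules:
        if opened(rule) & {("tcp", "22"), ("tcp", "*"), ("all", "*")}:
            nets = [ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])]
            if any(not any(n.subnet_of(ok) for ok in ALLOWED_SSH_SOURCES) for n in nets):
                bad.append(rule["name"])
    return bad

def audit(rules_json):
    # Both lists empty means the firewall matches the state Tasks 1 to 5 leave behind.
    rules = json.loads(rules_json)
    return {"overly_permissive": sorted(r["name"] for r in rules if is_overly_permissive(r)),
            "ssh_from_unexpected_source": ssh_source_violations(rules)}
```

Pipe real output in with `gcloud compute firewall-rules list --format=json | python3 -c 'import sys, audit; print(audit.audit(sys.stdin.read()))'` after saving the block as audit.py; on the sample it reports open-access under both checks and nothing else.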