Block offending IP from Google Compute Instance - google-compute-engine

Is there a network-level IP address blocking/blacklist capability for a Google Compute Engine instance? For example, a site is hosted on a GCE instance to allow public users access. However, a malicious script runs several times per second, which is not legitimate traffic. Ideally, the IP of the offending user could be placed on a block list so traffic would not be routed to the instance, rather than relying on a server-side-only mechanism (Apache modules, iptables, etc.) which still consumes CPU/RAM/disk resources.

You can set up an HTTP load balancer for your instances and allow traffic only from the LB IP address to your instances. More information can be found in this Help Center article.

GCP does not provide a WAF natively. You can use a marketplace WAF (like Brocade WAF) to block IPs.
https://cloud.google.com/launcher/solution/brocade-public-1063/stm-csub-1000-h-saf?q=brocade

This is absolutely not the recommended way to manage your firewall blacklist.
However...
In the Compute GUI, you can create a firewall rule with action on match set to "deny" and protocols and ports set to "deny all". Then set the source IPs.
You could then run a cron job that updates your firewall through gcloud compute firewall-rules update to change the source IPs should your list change.
Note (from Google - https://cloud.google.com/vpc/docs/using-firewalls):
gcloud compute firewall-rules update is used to update firewall rules that allow/deny incoming/outgoing traffic. The firewall rule will only be updated for arguments that are specifically passed. Other attributes will remain unaffected. The action flag (whether to allow or deny matching traffic) cannot be defined when updating a firewall rule.
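The cron job mentioned above has one awkward property: `--source-ranges` replaces the rule's whole set of ranges, so a malformed or empty blocklist file silently turns the deny rule into nothing. The script below is an added example (it is not code from the answer or from Google): it validates each entry with the standard `ipaddress` module, collapses overlapping ranges so they do not waste slots, refuses to push an empty set, and only invokes gcloud when `--apply` is given. The rule name `deny-blocklist`, the `MAX_RANGES` cap and the blocklist path are assumptions; check the source-range quota of your own project.

```python
"""Added example (not from the original answer): refresh the source ranges of a
deny rule from a blocklist file, as the cron job in the answer would.
Assumptions: the deny-all rule already exists under the name RULE_NAME, and
gcloud is authenticated for the project in the current environment."""
import ipaddress
import subprocess
import sys

RULE_NAME = "deny-blocklist"   # assumed name of the deny rule created in the console
MAX_RANGES = 256               # assumed per-rule cap; check the source-ranges quota of your project


def parse_blocklist(lines):
    """Validate raw blocklist lines and collapse them into a sorted list of IPv4 networks.

    Blank lines and '#' comments are skipped, bare addresses become /32 networks,
    and anything that does not parse (or is IPv6, which this IPv4 rule cannot carry)
    is returned separately so the operator can see what was dropped."""
    nets, rejected = [], []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append(entry)
            continue
        if net.version != 4:
            rejected.append(entry)
            continue
        nets.append(net)
    # collapse_addresses merges overlapping and adjacent networks, so a /32 inside
    # an already listed /24 does not consume one of the rule's range slots
    return sorted(ipaddress.collapse_addresses(nets)), rejected


def build_update_command(nets, rule=RULE_NAME, max_ranges=MAX_RANGES):
    """Build the gcloud argv that replaces the rule's source ranges with `nets`.

    --source-ranges replaces the whole set, so an empty list is refused rather than
    producing a rule that no longer matches the addresses it was meant to block."""
    if not nets:
        raise ValueError("empty blocklist: refusing to clear the rule's source ranges")
    if len(nets) > max_ranges:
        raise ValueError(f"{len(nets)} ranges exceed the cap of {max_ranges}; split across rules")
    ranges = ",".join(str(n) for n in nets)
    return ["gcloud", "compute", "firewall-rules", "update", rule, "--source-ranges", ranges]


def refresh(path, apply=False):
    """Read the blocklist file and either print or run the update command."""
    with open(path, encoding="utf-8") as fh:
        nets, rejected = parse_blocklist(fh)
    for entry in rejected:
        print(f"skipping invalid entry: {entry!r}", file=sys.stderr)
    cmd = build_update_command(nets)
    if apply:
        subprocess.run(cmd, check=True)
    else:
        print(" ".join(cmd))
    return cmd


if __name__ == "__main__":
    # usage: python refresh_blocklist.py /etc/gce-blocklist.txt [--apply]
    refresh(sys.argv[1], apply="--apply" in sys.argv[2:])
```

Run it without `--apply` first to see the exact command it would issue; the rejected entries go to stderr so a cron mail shows them. Because the deny rule's action and ports are left untouched, the script only ever changes which sources the existing rule matches, which is what the Google note above says `update` is limited to anyway.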

Yes, you can block it using the gcloud firewall.
Try creating the firewall rule from the command line or by logging into Google Cloud.
Example:
gcloud compute firewall-rules create tcp-deny --network example-network --action deny --rules tcp:80 --source-ranges 10.0.0.0/8
The above rule will block the range 10.0.0.0/8 to port 80 (tcp).
The same can be done to block other IP ranges over tcp and udp.
For more info check this: gcloud network config

Related

How to launch jupyter notebook in gcloud compute engine

I would like to use Jupyter notebook from Google Cloud Compute Engine. When I try to launch it through the command line, I am not able to open the notebook using my browser.
Please let me know how to do this.
It looks like you're trying to start a Jupyter notebook server on the VM and want to access it using the external IP of the VM (assuming you have not disabled the external IP option on your VM).
You will need to do the following:
Modify jupyter_notebook_config.py in your ~/.jupyter directory. Do go through exactly what you need to modify and how to secure your notebook server since Jupyter notebook by default only listens on the loopback interface (i.e. 127.0.0.1 aka localhost).
The minimum set of configuration options that you should uncomment and edit in jupyter_notebook_config.py is the following:
# Set options for certfile, ip, password, and toggle off
# browser auto-opening
c.NotebookApp.certfile = u'/absolute/path/to/your/certificate/mycert.pem'
c.NotebookApp.keyfile = u'/absolute/path/to/your/certificate/mykey.key'
# Set ip to '*' to bind on all interfaces (ips) for the public server
c.NotebookApp.ip = '*'
c.NotebookApp.password = u'sha1:bcd259ccf...<your hashed password here>'
c.NotebookApp.open_browser = False
# It is a good idea to set a known, fixed port for server access
c.NotebookApp.port = 9999
You will need to modify the firewall rules to allow ingress traffic to the port (on the VM) you just configured in the previous step. To do that I recommend tag-based firewall rules so that you can control which VMs the firewall rule applies to.
Network tags are used by networks to identify which instances are subject to certain firewall rules and network routes. For example, if you have several VM instances that are serving a large website, tag these instances with a shared word or term and then use that tag to apply a firewall rule that allows HTTP access to those instances. Tags are also reflected in the metadata server, so you can use them for applications running on your instances. When you create a firewall rule, you can provide either sourceRanges or sourceTags but not both.
# Assuming Jupyter notebook is running on port 9999
# Add a new tag based firewall rule to allow ingress tcp:9999
gcloud compute firewall-rules create rule-allow-tcp-9999 --source-ranges 0.0.0.0/0 --target-tags allow-tcp-9999 --allow tcp:9999
# Add the allow-tcp-9999 target tag to the VM named say 'vm-1'
gcloud compute instances add-tags vm-1 --tags allow-tcp-9999
# If you want to list all the GCE firewall rules
gcloud compute firewall-rules list
It might take a few seconds to a couple of minutes for the changes to take effect.
Alternatively, you can also use the Google Cloud Console instead of gcloud to configure firewall rules. You can go through this answer which explains that in detail.
You can also "Create Firewall Rules" to allow your Jupyter c.NotebookApp.port number.
Set Protocols and ports to tcp:<jupyter port number>.
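The `c.NotebookApp.password` line in the configuration above holds a salted hash, not the passphrase itself. The following is an added example, not code from the answer or from the Jupyter project: it reimplements the legacy IPython/Jupyter scheme behind values of the form `sha1:<salt>:<digest>` (SHA-1 over passphrase followed by a 12-hex-character salt) so that you can generate a value for the config file and check whether an existing one matches a passphrase. That format is an assumption about the legacy scheme; newer Jupyter releases default to a stronger hash, so prefer `jupyter notebook password` where it is available and use this mainly to understand or audit an existing value.

```python
"""Added example (not from the original answer): produce and verify a value for
c.NotebookApp.password in the legacy salted-SHA-1 format shown in the answer.
Assumption: the legacy scheme is SHA-1(passphrase + salt) with a 12-hex-char salt,
written as 'sha1:<salt>:<hex digest>'."""
import hashlib
import hmac
import secrets


def make_password_hash(passphrase, salt=None):
    """Return 'sha1:<salt>:<hex digest>' for the given passphrase.

    A fresh random 12-hex-character salt is generated unless one is supplied
    (supplying one is only useful for deterministic tests)."""
    if salt is None:
        salt = secrets.token_hex(6)  # 6 random bytes -> 12 hex characters
    digest = hashlib.sha1(passphrase.encode("utf-8") + salt.encode("ascii")).hexdigest()
    return f"sha1:{salt}:{digest}"


def check_password_hash(stored, passphrase):
    """Return True if `passphrase` matches a stored 'sha1:<salt>:<digest>' value.

    Malformed values and unknown algorithms fail closed, and the digest comparison
    is constant-time so a wrong guess cannot be distinguished by timing."""
    parts = stored.split(":")
    if len(parts) != 3 or parts[0] != "sha1":
        return False
    _, salt, digest = parts
    candidate = hashlib.sha1(passphrase.encode("utf-8") + salt.encode("ascii")).hexdigest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    import getpass
    # Prompt without echo and print the line to paste into jupyter_notebook_config.py
    print("c.NotebookApp.password = u'%s'" % make_password_hash(getpass.getpass("Passphrase: ")))
```

Because the hash is salted, two runs for the same passphrase produce different config values; that is expected, and either one verifies with `check_password_hash`. A server that listens on `'*'` should carry both this password and the certfile/keyfile settings from the answer, since the hash only protects the login, not the transport.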

Google Cloud - Adding additional Internal IP to VM

I'm trying to build a webserver in Google Cloud Platform that hosts multiple websites (GBP, IE, FR, DK etc.)
Generally, we assign a range of IPs to the server statically, set the bindings in IIS, then load balance using a virtual IP.
It seems near enough impossible to assign another internal IP in GCP. Lots of guides about additional external IPs, but we don't want a public-facing webserver like this.
Anybody have any idea on how to add additional internal IPs to a VM / Instance?
Also, I have tried changing the internal address I have assigned to the Instance to static in network adapter settings; next thing I know I can't access my VM for love nor money, and had to delete and re-create. If I go into advanced settings to add additional static IPs, we're set to DHCP apparently, so can't add additional IPs.
Thanks all.
Answer that I received from the GCE discussion group, in Google Groups:
"You can add additional internal IP addresses to a VM instance. This is possible by enabling IP forwarding for the VM, creating a static network route, adding appropriate firewall rules, and setting additional internal IP addresses to network adapter of Windows. These steps are described in this article for Linux machines (https://cloud.google.com/compute/docs/networking#set_a_static_target_ip_address). The same steps are valid for Windows VMs. You will need to keep the initial internal IP address, subnet mask, gateway address and DNS settings of the adapter and manually enter them in properties of IPv4 of the network adapter. The below is a screenshot of my configuration on a VM instance (Windows 2008 R2) that perfectly works."
Update:
Now, you can create instances with multiple network interfaces on Google Compute Engine and assign IPs. For more information, refer to this public documentation link. However, it currently has the following limitations:
Alias IP ranges are not supported on any network interface on a VM that has multiple network interfaces enabled.
You cannot modify or delete the network interfaces after the VM has been created.

Multiple IP addresses on a single Google Compute Engine instance

I'm trying to have my GCE instance listen on multiple IP addresses (for SEO reasons - to host multiple low traffic sites on the same instance).
Final objective: mydomain.com points to IP1, myotherdomain.es points to IP2, the GCE instance will listen on both IP1 and IP2 and serve content accordingly.
I added a target instance pointing to my main instance and managed to create a forwarding rule like this:
gcloud compute forwarding-rules create another-ip --port 80 --target-instance MY_TARGET_INSTANCE_URL
It actually created an ephemeral IP address; I tried to promote it to static but I exceeded my quota (I'm currently on my 2 months free trial).
Is this correct though? Will I be able to create any number of static IPs and point them to my only instance once the trial ends? I also couldn't find anything about pricing: I know an IP assigned to an active instance is free, but what about additional ones?
Since this is a necessary configuration for a site I'm managing, I'd like to be sure it works before committing to moving everything on GCE.
You can get multiple external IPs for one VM instance with forwarding rules.
By default, VM will be assigned with an ephemeral external IP, you can promote it to static external IP, which will remain unchanged after stop and restart.
Extra external IPs have to be attached to forwarding rules which point to the VM. You can use (or promote to) static IPs as well.
The command you may want to use:
Create a TargetInstance for your VM instance:
gcloud compute target-instances create <target-instance-name> --instance <instance-name> --zone=<zone>
Create a ForwardingRule pointing to the TargetInstance:
gcloud compute forwarding-rules create <forwarding-rule-name> --target-instance=<target-instance-name> --ip-protocol=TCP --ports=<ports>
See Protocol Forwarding.
I also need 2 static IPs for one Compute Engine instance, but Google's quota does not allow this.
You can see your quotas from https://console.cloud.google.com/iam-admin/quotas
Another possibility is to have multiple network interfaces on the VM.
This requires adding a new VPC network; the range 10.130.0.0/20 is not used on the current infrastructure and can be used as an additional network. You would add the proper firewall rules and the proper routing rules (you can copy the default ones to avoid any misconfiguration).
Note that you can not add a network interface to an existing machine; you would need to:
Turn off the current machine
Detach the disk and network (without deleting them !!!)
Create a new machine with 2 network cards or more
Attach the old disk and network to the new machine
Finally you would need to pay attention to the default gateway: the classic network behavior makes everything go through the first network interface, and the second won't be accessible until you change the default gateway and/or create the proper routing rules.
Typically you have eth0 and eth1; this example makes eth1 available to services that bind to eth1:
ip addr add 10.130.0.2/32 broadcast 10.130.0.2 dev eth1
ip link set eth1 up
ip route add 10.130.0.1 src 10.130.0.2 dev eth1
ip route add 10.130.0.1 src 10.130.0.2 dev eth1 table 100
ip route add default via 10.130.0.1 dev eth1 metric 10
ip route add default via 10.130.0.1 dev eth1 table 100
ip rule add from 10.130.0.2/32 table 100
ip rule add to 10.130.0.2/32 table 100
curl --interface eth1 ifconfig.co
curl --interface eth0 ifconfig.co
ping -I eth1 8.8.8.8
Here is the documentation, alternatively this guide may help.

Google Compute Engine - How to allow access from (only) other project instances?

With Google Compute Engine, how do I create a firewall rule so that only instances within the same project are allowed access? Access from other clusters (within same project) should be allowed.
The scenario is to allow a GKE cluster to access a cluster of RethinkDB database servers that run on GCE instances.
"So that only instances within the same project are allowed access" to what?
I assume you don't mean access to the cluster's apiserver, since that IP should already be accessible from all your instances.
If you mean accessing a container in a cluster from an instance outside the cluster, you can create a firewall rule to be more permissive about allowing traffic within your GCE network. You can either be very permissive or a little more fine-grained when doing this:
Very permissive - just create a firewall rule that allows traffic from the source IP range 10.0.0.0/8 to all instances in your network (don't add any "target tags") on all the protocols and ports you care about (e.g. tcp:1-65535,udp:1-65535,icmp). The 10.0.0.0/8 range will cover all instances and containers in your network (and nothing outside of it).
Separate firewall per cluster - do the same thing as number one, but add the target tag that's on all nodes in the cluster. You can get this from looking at one of the instances' tags or by looking at the target tags on the firewalls that GKE created for your cluster when it was created. The benefit of this approach is that it will let everything in your network talk to your cluster without exposing anything else in your network that you don't want to open up quite so much.
If you mean accessing a service from outside the cluster, then it's a little tougher since you need to run the kube-proxy on the instances outside the cluster and configure it to talk to the cluster's apiserver in order to route the service packets properly.
Turns out the problem was that I was accessing the RethinkDB instances via external IPs. For some reason, this causes the firewall rule with internal source IPs not to match. The solution was to access the instances via internal DNS names instead, in which case the firewall rule applies.
Furthermore, there is a default firewall rule already, default-allow-internal, which allows any traffic between instances on the same project. Therefore I do not need to create my own rule.

On a google compute engine VM, is it possible to have a direct public ip instead of being behind a NAT?

Is it possible to have a public IP with direct access instead of being behind NAT on a Google Compute Engine virtual machine?
Thank you in advance.
You can have an external IP, but by default the instance will have a NAT policy. If you need non-NATed traffic, what you are looking for is a target instance because, as stated in the documentation:
Target instances do not have a NAT policy applied to them.
After that, you can create forwarding rules to send traffic to your instance.
I hope it helps.
Static external IP addresses can be assigned to a Compute Engine VM.
You reserve a static external IP address in gcloud or through the API. After reserving the address, assign it to an instance during instance creation or to an existing instance. You will have to update the firewall to allow traffic on the port you want.
More info in the docs at:
https://cloud.google.com/compute/docs/instances-and-network#reservedaddress