How to work with Private Virtual Machine instances in GCP?


Hello folks, in this blog we'll see how to work with private Virtual Machine instances in GCP, that is, VM instances created without an external IP address in Google Cloud.

VM instances without external IP addresses are isolated from external networks: nothing on the internet can open a connection to them. Using Cloud NAT, these instances can still reach the internet for updates and patches, and in some cases for bootstrapping, while remaining unreachable from outside. As a managed service, Cloud NAT provides high availability without user management or intervention.

Create a VPC network and firewall rules:

  • In the Cloud Console, on the Navigation menu, click VPC network > VPC networks.
  • Click Create VPC network.
  • For Name, type privatenet.
  • For Subnet creation mode, click Custom, then add one subnet: Name privatenet-us, Region us-central1, IPv4 range 10.130.0.0/20.
  • Click Done.
  • Click Create and wait for the network to be created.

NOTE: Don’t enable Private Google access yet!

  • In the left pane, click Firewall.
  • Click Create firewall rule.
  • For Name, type a name for the rule (for example privatenet-allow-iap-ssh); for Network, select privatenet; for Direction of traffic, Ingress; for Targets, All instances in the network.
  • For Source IPv4 ranges, type 35.235.240.0/20.
  • For Protocols and ports, select Specified protocols and ports, check tcp and type 22.
  • Click Create.

NOTE: In order to connect to your private instance using SSH, you need to open port 22 on the firewall. IAP TCP forwarding connections always come from the range 35.235.240.0/20, so limit the rule's source range to that CIDR rather than 0.0.0.0/0. Port 22 is then not reachable from the internet at all, and every SSH session has to pass through IAP, where it is subject to IAM authorization.

Create the VM instance with no public IP address

  • On the Navigation menu, click Compute Engine > VM instances, then click Create instance.
  • Name: vm-internal, Region: us-central1, Zone: us-central1-c, Series: N1, Machine type: n1-standard-1 (1 vCPU, 3.75 GB memory)
  • Boot disk: Debian GNU/Linux 10 (buster)
  • Click Management, security, disks, networking, sole tenancy.
  • Click Networking.
  • For Network interfaces, click the pencil icon to edit.
  • Specify the following and leave the remaining settings at their defaults: Network: privatenet, Subnetwork: privatenet-us, External IP: None.
  • Click Create.

SSH to vm-internal to test the IAP tunnel

  • In the Cloud Console, click Activate Cloud Shell.
  • If prompted, click Continue.
  • To connect to vm-internal, run the following command:
gcloud compute ssh vm-internal --zone us-central1-c --tunnel-through-iap

To test the external connectivity of vm-internal, run the following command inside the SSH session:

ping -c 2 www.google.com

The ping fails (100% packet loss): vm-internal has no external IP address and the VPC has no NAT gateway yet, so it cannot send traffic to the internet even though you can reach it through the IAP tunnel.
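The network, firewall rule, VM and IAP connection above as gcloud commands, as an added example that is not part of the original post. Names, ranges and zone are the ones used in the post; the project id is a placeholder and the rule name privatenet-allow-iap-ssh is my choice. The run wrapper prints each command instead of executing it unless DRY_RUN=0, so the script can be reviewed first, and the SSH rule refuses any source range other than the IAP range.

```shell
#!/bin/sh
# Added example (not from the original post): the Console steps as gcloud
# commands. PROJECT is an assumption; replace it with your project id.
PROJECT="${PROJECT:-my-project}"
REGION="us-central1"
ZONE="us-central1-c"
IAP_RANGE="35.235.240.0/20"   # source range of IAP TCP forwarding

# Print the command (DRY_RUN=1, the default) or execute it (DRY_RUN=0).
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Least privilege for port 22: only the IAP range may be the source.
check_ssh_source() {
  case "$1" in
    "$IAP_RANGE") return 0 ;;
    *) printf 'refusing SSH rule with source range %s; use %s\n' "$1" "$IAP_RANGE" >&2
       return 1 ;;
  esac
}

create_private_network() {
  run gcloud compute networks create privatenet \
      --project="$PROJECT" --subnet-mode=custom
  run gcloud compute networks subnets create privatenet-us \
      --project="$PROJECT" --network=privatenet --region="$REGION" \
      --range=10.130.0.0/20
}

# Ingress tcp:22 from the IAP range only; a 0.0.0.0/0 source is rejected.
create_iap_ssh_rule() {
  src="${1:-$IAP_RANGE}"
  check_ssh_source "$src" || return 1
  run gcloud compute firewall-rules create privatenet-allow-iap-ssh \
      --project="$PROJECT" --network=privatenet --direction=INGRESS \
      --action=ALLOW --rules=tcp:22 --source-ranges="$src"
}

# --no-address is what makes the instance private (no external IP).
create_internal_vm() {
  run gcloud compute instances create vm-internal \
      --project="$PROJECT" --zone="$ZONE" --machine-type=n1-standard-1 \
      --subnet=privatenet-us --no-address \
      --image-family=debian-10 --image-project=debian-cloud
}

# SSH through IAP; no public IP on the VM is needed.
ssh_via_iap() {
  run gcloud compute ssh vm-internal --project="$PROJECT" --zone="$ZONE" \
      --tunnel-through-iap
}

create_private_network
create_iap_ssh_rule
create_internal_vm
ssh_via_iap
```

Run it once with the default DRY_RUN=1 to read the exact commands, then with DRY_RUN=0 to apply them. Calling create_iap_ssh_rule 0.0.0.0/0 fails on purpose: an SSH rule open to the whole internet defeats the point of a private instance.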

Private Google Access

VM instances that have no external IP addresses can use Private Google Access to reach the external IP addresses of Google APIs and services (Cloud Storage, for example). By default, Private Google Access is disabled on a VPC network, so the next steps first show the access failing and then enable it.

Create a Cloud Storage bucket

Create a Cloud Storage bucket to test access to Google APIs and services.

  • on the Navigation menu, click Storage > Browser.
  • Click Create bucket.
  • Specify the following and leave the remaining settings at their defaults: Name: enter a globally unique name; Location type: Multi-region.
  • Click Create.
  • Note the name of your storage bucket for the next subtask. It will be referred to as [my_bucket].

In Cloud Shell (not on vm-internal), copy an image into your bucket. Run the following command, replacing [my_bucket] with your bucket's name:

gsutil cp gs://cloud-training/gcpnet/private/access.svg gs://[my_bucket]

To confirm that the bucket is readable from Cloud Shell, copy the image back, replacing [my_bucket] with your bucket's name:

gsutil cp gs://[my_bucket]/*.svg .

Now connect to vm-internal:

gcloud compute ssh vm-internal --zone us-central1-c --tunnel-through-iap

On vm-internal, try to copy the same image, replacing [my_bucket] with your bucket's name:

gsutil cp gs://[my_bucket]/*.svg .

This attempt does not succeed (the command hangs or times out; press Ctrl+C to abort): vm-internal has no external IP address and Private Google Access is not yet enabled on its subnet, so it cannot reach the Cloud Storage API endpoint.

Enable Private Google Access

Private Google Access is enabled per subnet. When it is enabled, instances in that subnet that have only internal IP addresses can send traffic to the external IP addresses of Google APIs and services. That traffic still follows the VPC's routes, so the network needs the default route (0.0.0.0/0) with a next hop of the default internet gateway, or a more specific route for the Google API ranges; the traffic does not leave Google's network.

  • Similarly, In the Cloud Console, on the Navigation menu, click VPC network > VPC networks.
  • Click privatenet to open the network.
  • After that, Click privatenet-us to open the subnet.
  • Click Edit.
  • For Private Google access, select On.
  • Click Save.

Back in the SSH session on vm-internal, try the copy again, replacing [my_bucket] with your bucket's name:

gsutil cp gs://[my_bucket]/*.svg .

This time the copy succeeds: the request to the Cloud Storage API now goes through Private Google Access, even though the instance still has no external IP address.

To return to your Cloud Shell instance, run the following command:

exit
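Enabling Private Google Access from the command line and checking the two conditions the section relies on (the subnet flag and the default route), as an added example that is not part of the original post. The run wrapper prints commands unless DRY_RUN=0; pga_ready is my own check that takes the output of the two describe/list commands and decides whether a no-external-IP VM in the subnet can reach Google APIs.

```shell
#!/bin/sh
# Added example (not from the original post): enable Private Google Access
# on privatenet-us and verify it. DRY_RUN=1 (default) prints the commands.
REGION="us-central1"
NETWORK="privatenet"
SUBNET="privatenet-us"

run() { if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Same effect as "Private Google access: On" in the subnet's Edit page.
enable_private_google_access() {
  run gcloud compute networks subnets update "$SUBNET" \
      --region="$REGION" --enable-private-ip-google-access
}

# Prints the subnet's privateIpGoogleAccess flag ("True" or "False").
read_pga_flag() {
  run gcloud compute networks subnets describe "$SUBNET" \
      --region="$REGION" --format='value(privateIpGoogleAccess)'
}

# Lists 0.0.0.0/0 routes on the network; PGA needs one whose next hop is
# the default internet gateway (or a more specific route to Google APIs).
list_default_routes() {
  run gcloud compute routes list \
      --filter="network:$NETWORK AND destRange=0.0.0.0/0" \
      --format='table(name,nextHopGateway)'
}

# Decide from the two outputs whether a VM without an external IP in this
# subnet can reach Cloud Storage. Returns 0 when both conditions hold.
pga_ready() {
  flag="$1"      # output of read_pga_flag
  routes="$2"    # output of list_default_routes
  if [ "$flag" != "True" ]; then
    echo "Private Google Access is off on $SUBNET" >&2
    return 1
  fi
  case "$routes" in
    *default-internet-gateway*) return 0 ;;
    *) echo "no 0.0.0.0/0 route via default-internet-gateway on $NETWORK" >&2
       return 1 ;;
  esac
}

enable_private_google_access
# The verification only makes sense against a real project.
if [ "${DRY_RUN:-1}" != "1" ]; then
  pga_ready "$(read_pga_flag)" "$(list_default_routes)" \
    && echo "vm-internal can now run gsutil against gs://[my_bucket]"
fi
```

If someone later deletes the default route to force all egress through an on-premises path, gsutil on vm-internal starts hanging again even though the subnet flag is still on; pga_ready reports which of the two conditions broke.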

Although vm-internal can now access certain Google APIs and services without an external IP address, the instance cannot access the internet for updates and patches. Configure a Cloud NAT gateway, which allows vm-internal to reach the internet.

Configure a Cloud NAT gateway:

Cloud NAT is a regional resource. You can configure it to allow traffic from all ranges of all subnets in a region, from specific subnets in the region only, or from specific primary and secondary CIDR ranges only.

First confirm that vm-internal cannot reach the Debian package repositories. Connect to it and run an update:

gcloud compute ssh vm-internal --zone us-central1-c --tunnel-through-iap
sudo apt-get update

The update does not complete (press Ctrl+C to abort), because vm-internal has no external IP address and there is no NAT gateway yet. Now create the gateway:

  • In the Cloud Console, on the Navigation menu, click Network services > Cloud NAT.
  • Click Get started to configure a NAT gateway.
  • Specify the following: Gateway name: nat-config; VPC network: privatenet; Region: us-central1.
  • For Cloud Router, select Create new router.
  • For Name, type nat-router.
  • Click Create.

Wait for the gateway to be created, then run sudo apt-get update on vm-internal again; this time it completes, with the traffic leaving through the NAT gateway's external IP.
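The Cloud Router and NAT gateway above as gcloud commands, as an added example that is not part of the original post. It turns logging on at creation time instead of in a later edit; the nat_log_filter helper is my own mapping from the Console's "Translation and errors" option to the gcloud value ALL, and the run wrapper prints commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): create nat-router and
# nat-config with gcloud, logging enabled. DRY_RUN=1 (default) prints only.
REGION="us-central1"
NETWORK="privatenet"
ROUTER="nat-router"
GATEWAY="nat-config"

run() { if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# A NAT gateway hangs off a Cloud Router in the region of the subnets it serves.
create_router() {
  run gcloud compute routers create "$ROUTER" \
      --network="$NETWORK" --region="$REGION"
}

# Accepts a gcloud --log-filter value, or the Console label used in the post.
nat_log_filter() {
  case "$1" in
    ALL|TRANSLATIONS_ONLY|ERRORS_ONLY) echo "$1" ;;
    "Translation and errors")          echo "ALL" ;;
    *) echo "unknown Cloud NAT log filter: $1" >&2; return 1 ;;
  esac
}

# --nat-all-subnet-ip-ranges: all primary and secondary ranges of all
#   subnets in the region (the Console default).
# --auto-allocate-nat-external-ips: let Google pick the egress IPs. Use
#   --nat-external-ip-pool=<reserved-ip> instead when the remote side must
#   allow-list a fixed address.
create_nat_gateway() {
  filter="$(nat_log_filter "${1:-ALL}")" || return 1
  run gcloud compute routers nats create "$GATEWAY" \
      --router="$ROUTER" --region="$REGION" \
      --nat-all-subnet-ip-ranges --auto-allocate-nat-external-ips \
      --enable-logging --log-filter="$filter"
}

create_router && create_nat_gateway "Translation and errors"
```

Auto-allocated NAT IPs can change; if vm-internal must talk to a partner that filters by source address, reserve a static external IP and pass it with --nat-external-ip-pool so the egress address is known and stable.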

Configure and view logs with Cloud NAT Logging

Enabling logging

When logging is enabled, Cloud NAT sends its log entries to Cloud Logging. You can choose to log only translation events (a NAT port was allocated for a new connection), only errors (no port could be allocated and the packet was dropped), or both.

  • In the GCP Console, on the Navigation menu, click Network services > Cloud NAT.
  • Click the nat-config gateway and then click Edit.
  • Click the Advanced configurations dropdown to open that section.
  • Under Stackdriver logging (Cloud Logging), select Translation and errors, and then click Save.

Viewing Logs

  • On the nat-config gateway page, open the gateway's logs in Cloud Logging and, in the query options, choose to show the newest logs first.
  • Generate some traffic from vm-internal (for example, reconnect through IAP and run sudo apt-get update). You should see new translation entries for the connections vm-internal made through the gateway; the IAP SSH session itself does not go through NAT and does not appear here.
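Reading the same entries from the command line and checking them for dropped allocations, as an added example that is not part of the original post. The log filter and value() columns use the Cloud NAT log format (resource.type nat_gateway, jsonPayload.allocation_status, jsonPayload.connection.*); the summarize and threshold functions are mine, and the sample lines are constructed, not captured from a real project.

```shell
#!/bin/sh
# Added example (not from the original post): pull nat-config entries with
# gcloud and summarise allocation_status per source VM.
GATEWAY="nat-config"

# One tab-separated line per entry: status, VM source IP, dest IP, dest port.
# Needs a real project; not called at top level.
fetch_nat_log_lines() {
  gcloud logging read \
    "resource.type=\"nat_gateway\" AND jsonPayload.gateway_identifiers.gateway_name=\"$GATEWAY\"" \
    --order=desc --limit="${1:-100}" \
    --format='value(jsonPayload.allocation_status,jsonPayload.connection.src_ip,jsonPayload.connection.dest_ip,jsonPayload.connection.dest_port)'
}

# Reads those lines on stdin. OK = a NAT port was allocated for the
# connection; DROPPED = none was available (port exhaustion) and the
# VM's connection silently failed.
summarize_nat_log() {
  awk -F'\t' '
    $1 == "OK"      { ok++ }
    $1 == "DROPPED" { dropped++; drops[$2] = drops[$2] + 1 }
    END {
      printf "ok=%d dropped=%d\n", ok, dropped
      for (ip in drops) printf "dropped_from %s %d\n", ip, drops[ip]
    }'
}

# Returns 0 if no source VM has more than $1 dropped allocations (default 0),
# so it can gate a health check or raise an alert.
nat_drops_within() {
  awk -F'\t' -v t="${1:-0}" '
    $1 == "DROPPED" { drops[$2]++ }
    END { for (ip in drops) if (drops[ip] > t) exit 1 }'
}

# Constructed sample in the shape fetch_nat_log_lines prints.
SAMPLE="$(printf 'OK\t10.130.0.2\t151.101.2.132\t80\nOK\t10.130.0.2\t142.250.72.100\t443\nDROPPED\t10.130.0.3\t142.250.72.100\t443\n')"

printf '%s\n' "$SAMPLE" | summarize_nat_log
```

Against a live project, replace the sample with fetch_nat_log_lines 500 | summarize_nat_log. A steady stream of DROPPED lines from one VM usually means it opens many short connections to the same destination and is exhausting its NAT ports; raising the minimum ports per VM on the gateway, or adding NAT IPs, is the fix, and the entries also show which destination the VM was trying to reach.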

Conclusion:

In this post we created a VM instance without an external IP address, connected to it through an IAP tunnel, gave it access to Google APIs and services with Private Google Access, gave it outbound internet access with a Cloud NAT gateway, and enabled and viewed Cloud NAT logging.

Thanks for reading!

Written by

A curious DevOps intern who loves to learn and work on technical skills and tools, and knows the basics of Linux, Docker, Ansible, Kubernetes and more.