Wednesday, October 4, 2023
BeyondCorp Enterprise (BCE) GCP Juara GCP

Securing Compute Engine Applications and Resources using BeyondCorp Enterprise (BCE)


“Securing Compute Engine Applications and Resources using BeyondCorp Enterprise (BCE)”

Daftar Isi


Di lab ini, Anda akan mempelajari cara mengamankan beban kerja Compute Engine menggunakan Proxy Kesadaran Identitas BeyondCorp Enterprise untuk membatasi lalu lintas berdasarkan identitas.


Task 1: Create a Compute Engine template

  • Klik Compute Engine > Instance Templates.
  • Click Create an instance template.
  • Setup sesuai info berikut
  • Click Advanced Options
  • Click Management.
  • Pada bagian Automation > Startup script tambahkan script di bawah
# Copyright 2021 Google LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.# You may obtain a copy of the License at
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# See the License for the specific language governing permissions and
# limitations under the License.
apt-get -y update
apt-get -y install git
apt-get -y install virtualenv
git clone
cd python-docs-samples/iap
virtualenv venv -p python3
source venv/bin/activate
pip install -r requirements.txt
cat |
sed -e "s/YOUR_BACKEND_SERVICE_ID/$(gcloud compute backend-services describe my-backend-service --global--format="value(id)")/g" |
    sed -e "s/YOUR_PROJECT_ID/$(gcloud config get-value account | tr -cd "[0-9]")/g" >
gunicorn real_backend:app -b
  • click Create to create the template

Task 2: Create a Health Check

  • klik Compute Engine > Health Checks
  • Click Create Health Check
  • setup sesuai info berikut
  • klik create

Task 3: Create a Managed Instance Group

  • Klik Compute Engine > Instance Groups.
  • Click Create instance group
  • Setup sesuai info berikut
Baca Juga :  Cloud Source Repositories
  • click Create

Task 4: Get a domain name and certificate

Step 1: Create a private key and certificate

create a private key

openssl genrsa -out PRIVATE_KEY_FILE 2048

Create a CSR

  • edit ssl_config
default_bits = 2048
req_extensions = extension_requirements
distinguished_name = dn_requirements
prompt = no
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
countryName = US
stateOrProvinceName = CA
localityName = Mountain View
0.organizationName = Cloud
organizationalUnitName = Example
commonName = Test
  • Create CSR
openssl req -new -key PRIVATE_KEY_FILE \
 -out CSR_FILE \
 -config ssl_config

Using a self-signed certificate

openssl x509 -req \
 -signkey PRIVATE_KEY_FILE \
 -in CSR_FILE \
 -extfile ssl_config \
 -extensions extension_requirements \
 -days 365

Step 2: Create a self-managed SSL certificate resource

gcloud compute ssl-certificates create my-cert \
 --certificate=CERTIFICATE_FILE.pem \
 --private-key=PRIVATE_KEY_FILE \

Task 5: Create a load balancer

  • klik Network Services > Create a load balancer
  • Under HTTP(S) Load Balancing, click Start configuration.
  • Select From Internet to my VMs or serverless services and click Continue.
  • On the New Classic HTTP(S) load balancer page that appears, enter a my-load-balancer for your load balancer.
  • Click Backend configuration, then select Backend services & backend buckets > Create a backend service.
  • On the Create backend service panel, in the Name box, enter my-backend-service.
instance group: my-managed-instance-group
Port: 80
  • Under Health check, select my-health-check.
  • When you’re finished updating values, click Create. The New Classic HTTP(S) load balancer panel reappears.
  • Click Routing rules to load the default values. You don’t need to add any rules.
  • Click Frontend configuration. Use the default values except for the following:
Protocol: HTTPS

    IP address: click Create IP address

        Enter a Name to associate with your new static IP address.

        Click Reserve to reserve the static IP address.

    Certificate: my-cert
  • When you’re finished entering frontend configuration values, click Done. The New Classic HTTP(S) load balancer panel reappears.
  • Under New Classic HTTP(S) load balancer, click Create. The Load balancing page appears and your new load balancer will be created in the list of load balancers.
  • After the Cloud Console finishes creating the new load balancer, click the name of the load balancer and note the external IP address under Details > Frontend. You will need it in the next step.
Baca Juga :  Automating Infrastructure on Google Cloud with Terraform: Challenge Lab

Restart your VMs

  • Klik Compute Engine > Instance groups page.
  • Click my-managed-instance-group.
  • On the top of the instance group details that appear, click Restart/Replace VMs.
  • On the Restart/replace VMs in my-managed-instance-group page that appears, set the following values:
    Operation: Restart
    Maximum unavailable instances: 3 instances out of 3 instances
    Minimum wait time: 0 s
  • click Restart VMs

Task 6: Set up IAP

  • Klik VPC network > Firewall rules.
  • Select the checkbox next to the following rules:
  • Click Delete and select delete again to confirm it.
  • Click Create firewall rule and set the following values:
    Name: allow-iap-traffic
    Targets: All instances in the network
    Source IPv4 ranges (press Enter after you paste each value in the box):
    Protocols and ports:
        Specified protocols and ports
        select tcp and enter 80, 78
  • click Create

Set up IAP

  • klik Security > Identity-Aware Proxy
  • Click Enable API.
  • If you haven’t configured your project’s OAuth consent screen, you’ll be prompted to do so:
a. Go to the OAuth consent screen and select External as User Type. Click Create.

b. Under Support email, select the email address you want to display as a public contact. The email address must belong to the currently logged in user account or to a Google Group of which the currently logged in user belongs.

c. Enter the Application name you want to display.

d. Enter the same email address in the Developer contact information.

e. Add any optional details you'd like.

f. Click Save and Continue three times and select Back to Dashboard.
  • GO TO THE IDENTITY-AWARE PROXY PAGE and select a project. Click Go to Identity-Aware Proxy.
  • Next to my-backend-service, toggle the on/off switch in the IAP column.
  • In the Turn on IAP window that appears, select the checkbox next to “I have read the configuration requirements and configured my Compute Engine resource according to documentation.”
  • Click Turn on.
Baca Juga :  Securing Multi-Cloud Applications using BeyondCorp Enterprise (BCE)

Add principals to the access list

  • On the IAM & admin > Identity-Aware Proxy page, select the my-backend-service checkbox. Click Add Principal.
  • masukan info berikut :
    New Principals: Enter your qwiklabs account email here

    Role: IAP-secured Web App User
  • Klik save

Task 7: Test IAP

  • Klik Network Services > Load balancing page and select Frontends
  • hit external IP
curl -kvi https://Enter the ip from your load 
balancer here


Sahabat Blog Learning & Doing demikianlah penjelasan mengenai Securing Compute Engine Applications and Resources using BeyondCorp Enterprise (BCE). Semoga Bermanfaat . Sampai ketemu lagi di postingan berikut nya.

(Visited 29 times, 1 visits today)

Similar Posts