“Securing Compute Engine Applications and Resources using BeyondCorp Enterprise (BCE)”
Table of Contents
Introduction
In this lab, you will learn how to secure Compute Engine workloads using the BeyondCorp Enterprise Identity-Aware Proxy (IAP) to restrict traffic based on identity.
Hands-on Lab
Task 1: Create a Compute Engine template
- Click Compute Engine > Instance Templates.
- Click Create an instance template.
- Configure it according to the following information.
- Click Advanced Options.
- Click Management.
- In the Automation > Startup script section, add the script below:
#!/bin/bash
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Install the tools needed to run the IAP sample backend.
apt-get -y update
apt-get -y install git
apt-get -y install virtualenv
git clone https://github.com/GoogleCloudPlatform/python-docs-samples
cd python-docs-samples/iap
virtualenv venv -p python3
source venv/bin/activate
pip install -r requirements.txt
# Fill in the backend service ID and the project number so the sample can verify
# the audience of the IAP JWT. The project number is taken from the VM's default
# service account name (PROJECT_NUMBER-compute@...), hence the tr -cd "[0-9]".
cat example_gce_backend.py |
sed -e "s/YOUR_BACKEND_SERVICE_ID/$(gcloud compute backend-services describe my-backend-service --global --format="value(id)")/g" |
sed -e "s/YOUR_PROJECT_ID/$(gcloud config get-value account | tr -cd "[0-9]")/g" > real_backend.py
# Serve the patched sample on port 80, the port the health check and backend service use.
gunicorn real_backend:app -b 0.0.0.0:80
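The example_gce_backend.py sample that this script launches accepts a request only if its x-goog-iap-jwt-assertion header carries the audience built from the project number and the backend service ID, which is what the two sed substitutions supply; requests that bypass the load balancer and reach the VM directly carry no valid assertion and are rejected. The following Python is an added example, not the lab's or Google's code: it builds that audience, mirrors the project-number trick, and checks the claims of a constructed token with a placeholder signature (the ES256 signature verification against the IAP JWK set, which the real sample performs, is not done here).

```python
import base64
import json
import time

IAP_ISSUER = "https://cloud.google.com/iap"

def expected_audience(project_number, backend_service_id):
    # Audience IAP places in the assertion for a Compute Engine backend service;
    # the two sed substitutions in the startup script supply exactly these values.
    return f"/projects/{project_number}/global/backendServices/{backend_service_id}"

def project_number_from_service_account(email):
    # Mirrors `gcloud config get-value account | tr -cd "[0-9]"` in the script: the
    # default Compute Engine service account is named PROJECT_NUMBER-compute@...
    digits = "".join(ch for ch in email if ch.isdigit())
    if not email.startswith(digits + "-compute@"):
        raise ValueError("not a default Compute Engine service account: " + email)
    return digits

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_iap_claims(assertion, audience, now=None):
    # Returns (ok, reason_or_email) for an x-goog-iap-jwt-assertion header value.
    # Structure and claims only: the ES256 signature is NOT verified here, and a
    # real backend must check it against the IAP JWK set before trusting anything.
    now = time.time() if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False, "undecodable token"
    if header.get("alg") != "ES256":
        return False, "unexpected alg"
    if claims.get("iss") != IAP_ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") != audience:
        return False, "wrong audience"  # minted for a different backend service
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    return True, claims.get("email", "")

def make_sample_token(claims, alg="ES256"):
    # Constructed, unsigned token for the demonstration (placeholder signature segment).
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(claims)}.PLACEHOLDER"
```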
- Click Create to create the template.
Task 2: Create a Health Check
- Click Compute Engine > Health Checks.
- Click Create Health Check.
- Configure it according to the following information.
- Click Create.
Task 3: Create a Managed Instance Group
- Klik Compute Engine > Instance Groups.
- Click Create instance group
- Configure it according to the following information.
- Click Create.
Task 4: Get a domain name and certificate
Step 1: Create a private key and certificate
Create a private key:
openssl genrsa -out PRIVATE_KEY_FILE 2048
Create a CSR
- Create or edit an ssl_config file with the following contents:
[req]
default_bits = 2048
req_extensions = extension_requirements
distinguished_name = dn_requirements
prompt = no
[extension_requirements]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[dn_requirements]
countryName = US
stateOrProvinceName = CA
localityName = Mountain View
0.organizationName = Cloud
organizationalUnitName = Example
commonName = Test
- Create the CSR:
openssl req -new -key PRIVATE_KEY_FILE \
-out CSR_FILE \
-config ssl_config
Using a self-signed certificate (sign the CSR with your own private key):
openssl x509 -req \
-signkey PRIVATE_KEY_FILE \
-in CSR_FILE \
-out CERTIFICATE_FILE.pem \
-extfile ssl_config \
-extensions extension_requirements \
-days 365
Step 2: Create a self-managed SSL certificate resource
gcloud compute ssl-certificates create my-cert \
--certificate=CERTIFICATE_FILE.pem \
--private-key=PRIVATE_KEY_FILE \
--global
Task 5: Create a load balancer
- Click Network Services > Create a load balancer.
- Under HTTP(S) Load Balancing, click Start configuration.
- Select From Internet to my VMs or serverless services and click Continue.
- On the New Classic HTTP(S) load balancer page that appears, enter my-load-balancer as the name of your load balancer.
- Click Backend configuration, then select Backend services & backend buckets > Create a backend service.
- On the Create backend service panel, in the Name box, enter my-backend-service, then set:
Instance group: my-managed-instance-group
Port: 80
- Under Health check, select my-health-check.
- When you’re finished updating values, click Create. The New Classic HTTP(S) load balancer panel reappears.
- Click Routing rules to load the default values. You don’t need to add any rules.
- Click Frontend configuration. Use the default values except for the following:
Protocol: HTTPS
IP address: click Create IP address
Enter a Name to associate with your new static IP address.
Click Reserve to reserve the static IP address.
Certificate: my-cert
- When you’re finished entering frontend configuration values, click Done. The New Classic HTTP(S) load balancer panel reappears.
- Under New Classic HTTP(S) load balancer, click Create. The Load balancing page appears and your new load balancer will be created in the list of load balancers.
- After the Cloud Console finishes creating the new load balancer, click the name of the load balancer and note the external IP address under Details > Frontend. You will need it in the next step.
Restart your VMs
- Click Compute Engine > Instance groups.
- Click my-managed-instance-group.
- On the top of the instance group details that appear, click Restart/Replace VMs.
- On the Restart/replace VMs in my-managed-instance-group page that appears, set the following values:
Operation: Restart
Maximum unavailable instances: 3 instances out of 3 instances
Minimum wait time: 0 s
- Click Restart VMs.
Task 6: Set up IAP
- Select the default-allow-internal firewall rule.
- Click Delete and select Delete again to confirm.
- Click Create firewall rule and set the following values:
Name: allow-iap-traffic
Targets: All instances in the network
Source IPv4 ranges (press Enter after you paste each value in the box):
130.211.0.0/22
35.191.0.0/16
Protocols and ports: Specified protocols and ports; select tcp and enter 80, 78
- Click Create.
Set up IAP
- Click Security > Identity-Aware Proxy.
- Click Enable API.
- If you haven’t configured your project’s OAuth consent screen, you’ll be prompted to do so:
a. Go to the OAuth consent screen and select External as User Type. Click Create.
b. Under Support email, select the email address you want to display as a public contact. The email address must belong to the currently logged in user account or to a Google Group of which the currently logged in user belongs.
c. Enter the Application name you want to display.
d. Enter the same email address in the Developer contact information.
e. Add any optional details you'd like.
f. Click Save and Continue three times and select Back to Dashboard.
- GO TO THE IDENTITY-AWARE PROXY PAGE and select a project. Click Go to Identity-Aware Proxy.
- Next to my-backend-service, toggle the on/off switch in the IAP column.
- In the Turn on IAP window that appears, select the checkbox next to “I have read the configuration requirements and configured my Compute Engine resource according to documentation.”
- Click Turn on.
Add principals to the access list
- On the IAM & admin > Identity-Aware Proxy page, select the my-backend-service checkbox. Click Add Principal.
- Enter the following information:
New Principals: Enter your qwiklabs account email here
Role: IAP-secured Web App User
- Click Save.
Task 7: Test IAP
- Click Network Services > Load balancing and select Frontends.
- Send a request to the external IP address (replace LOAD_BALANCER_IP with the address you noted earlier):
curl -kvi https://LOAD_BALANCER_IP
Because curl presents no Google identity, IAP should answer with a redirect to the Google sign-in page rather than serving the application.
Closing
Friends of the Learning & Doing blog, that concludes the explanation of Securing Compute Engine Applications and Resources using BeyondCorp Enterprise (BCE). Hopefully it is useful. See you again in the next post.