GCP Identity Aware Proxy won't recognize my created Firewall Rule for allowing access to the ip range '35.235.240.0/20"

Question

I am trying to setup Identity Aware Proxy (IAP) for a particular vm on GCP and I have setup the firewall rule to allow access from the ip range of "35.235.240.0/20" but get the error as seen in the image below:

and but the firewall rule isn't being recognized by IAP, as seen below this rule has been added:

Also note that I am using the free GCP $300 account to set this up, so is there a restriction. So what am I missing?

Hi there. The rule is not correct. The rule IAP it is missing is requiered to connect IAP gateway and your VM. The idea of thar rule is that even if you restrict all port 22 traffic, your VM will still be reached by IAP so you can connect to your VM using GCP console. On the image you have share with us I do not see the rule. You have to allow everything from IAP Gateway. — Armando Cuevas, Jun 28 '20 at 20:36
Also, what is your use case for using IAP? To protect http traffic or ssh traffic ? — Armando Cuevas, Jun 28 '20 at 20:36
@armandocuevas it's the first rule in the image and it's ssh not http traffic! The rule is called 'allow-iap-access' in the image — George Udosen, Jun 28 '20 at 20:38
how do you try to connect to your VM? Via a shell with `ssh` command? Via a shell with `gcloud compute ssh` command? Via console? — guillaume blaquiere, Jun 29 '20 at 07:45
@guillaumeblaquiere I can't connect until the IAP is setup and I am using ssh! — George Udosen, Jun 29 '20 at 08:34

guillaume blaquiere · Accepted Answer · 2020-06-29T18:29:40.887

When you use IAP for the first time, there are misunderstandings

ssh command doesn't work alone. You need to create an IAP tunnel before, of course on the port 22 of the target instance
The easiest way is to use the gcloud command gcloud compute ssh <INSTANCE NAME> in your terminal
If you prefer a new browser windows, use the SSH button on the console

CAUTION

The 2 last solutions work as-is if your compute engine doesn't have public IP. In the other case:

Through the console, and the ssh button, you can't!
With the gcloud command, force gcloud to use the IAP tunnel by adding the --tunnel-through-iap param like this

gcloud compute ssh <INSTANCE NAME> --tunnel-through-iap

EDIT

On the IAP page, and on the ssh and http tab you can see a yellow warning sign because your firewall rule is not compliant.

Actually, IAP checks if the firewall rule for IAP allows ALL the tcp port. If not, you have a warning.

At the end, it's not a problem, if you only need to use IAP for the port 22 and 3389 (for example) you can only allows these port and the IAP tunnel will work only for these 2 ports. You will continue to have the warning, but don't care of it, it works on what you want!!

My issue is that the firewall rule isn't getting recognized by the IAP setup! — George Udosen, Jun 29 '20 at 10:27
@George, your rule is not correct. This answer is the correct one. — Armando Cuevas, Jun 29 '20 at 18:28
Then the gcp documentations are not in sync as one said 'create a rule for tcp protocol', and the other said for 'tcp:22' since I am using ssh. I will look at it. Thanks — George Udosen, Jul 01 '20 at 16:05

GCP Identity Aware Proxy won't recognize my created Firewall Rule for allowing access to the ip range '35.235.240.0/20"

1 Answers1

Linked