
I developed an internal portal that is relevant to the engineering team. I restricted access to the portal by implementing Sign in With Google and, as expected, it is accessible only to our organization's email IDs. Now I want to host the portal, and we use Google Cloud Platform. I want to further restrict access to the portal within the organization.

What are the possible solutions to host the portal internally using Google Cloud Platform? If I host the portal and give access to the public, what could be the possible security implications?

Anesh
  • Can you add details about the architecture of the portal? A wild guess would be: if it's a micro-service based portal, deploy it on GKE. Another option for the frontend: deploy on App Engine – nischay goyal May 25 '20 at 09:19
  • @nischaygoyal It is just a ReactJS application which makes XHR requests to read the JSON files stored in GCS bucket and display the data on the webpage – Anesh May 25 '20 at 09:40
  • If it's a ReactJS application, in the end it's static assets, and I would suggest hosting it on GCS and giving access only to a specific group of users within your company – nischay goyal May 25 '20 at 09:41
  • If I host the portal as you suggested, Can anyone who has the URL open the page? – Anesh May 25 '20 at 09:45
  • You can give access to specific set of groups and they should be able to access the application – nischay goyal May 25 '20 at 09:47
  • Sorry, what I meant is: how does a browser/client know that the user is authorized to access the portal? My goal is to not even open the portal URL to outside people. – Anesh May 25 '20 at 09:49
  • If I understood correctly, your storage bucket also has to be confidential. – nischay goyal May 25 '20 at 09:52
  • Yeah. Suppose my portal is hosted at reports.example.com; then someone (outside of the organization) who has this link should get a 404 or 403 – Anesh May 25 '20 at 09:58
  • Something like it should be accessible within the VPN. I want to know the other possible solutions apart from VPN. – Anesh May 25 '20 at 10:00
  • In this case, host your website on App-Engine which will expose a Public-Facing Url and then implement a Firewall rule - `denyAll` which ensures nobody would be able to access the website and then implement another firewall rule which allows a specific range of IPs (Your company's IP range) – nischay goyal May 25 '20 at 10:15
  • Ours is a remote-first culture company and our engineering team is spread across the U.S. and European countries. Sometimes many of us go to co-working spaces and work there. – Anesh May 25 '20 at 10:22
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/214567/discussion-between-anesh-and-nischay-goyal). – Anesh May 25 '20 at 10:23

1 Answer


If I understand your concept well, you are running a Web portal to authenticate your organization's users to access your Frontend application, which retrieves information from a GCS bucket to be displayed on this Web page. In this situation, the Identity-Aware Proxy (docs) could fit your needs. IAP lets you manage access to applications running in the App Engine standard environment, App Engine flexible environment, Compute Engine, and GKE. IAP establishes a central authorization layer for applications accessed by HTTPS, so you can adopt an application-level access control model instead of using network-level firewalls or VPNs. When you turn on IAP, you must also use signed headers or the App Engine standard environment Users API to secure your app. In this link you can see a quick example of how you can control access to your web apps and VMs in GCP using the IAP feature.

W.Andre