Restricting SSH access in GCE to Linux bastion host using firewall rules with source and target tags

Tags: google-cloud-platform, google-compute-engine

I have several GCE instances all in the same project and same default network. I have designated one instance the "bastion" server, and want to block SSH from the internet to all instances except the bastion server, but allow the bastion server to SSH to my other instances.

So I modified the default-allow-ssh rule to only allow SSH to a target with the "jumphost" tag, and applied that tag to my bastion instance. This works, as I can SSH to my bastion server from the internet, but can no longer SSH to my other instances from the internet.

I then created a new restricted-allow-ssh rule that only allowed SSH access from my bastion instance to my other instances:

gcloud compute --project "<my project>" firewall-rules create "restricted-allow-ssh" --allow tcp:22 --description "Allow SSH only from bastion server" --network "default" --source-tags "jumphost" --target-tags "restricted-ssh"

I then applied the "restricted-ssh" tag to all my instances except the bastion server.

This seemed to work insofar as I cannot telnet from the internet to port 22 on my instances tagged "restricted-ssh", but I can telnet to them on port 22 from my bastion server.

However when I try gcloud compute ssh to any instance from my bastion server, it just hangs and eventually I get a "Connection timed out" error.

Interestingly, using gcloud with the short name of my instance (e.g. "dev") seems to resolve to the public IP address from my bastion server. But nslookup resolves it to the internal network address where port 22 is open. It appears that "gcloud compute ssh" from my bastion host tries to go through the external IP address but is denied because the port is closed.

Any suggestion of a simple fix or simple alternative to achieving the same outcome?
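To make the behaviour described in the question concrete, here is a small model of how GCE ingress firewall rules with source tags and target tags are evaluated against the two rules above. This is an added example, not Google's code and not the asker's; the instance names, addresses (RFC 5737 test ranges) and tags are constructed. It assumes, as the question's own observations suggest, that a source tag only matches traffic arriving from the sender's internal address, so a connection the bastion addresses to another instance's external IP carries no tag and falls through to the implied deny-all-ingress rule.

```python
"""Minimal model of GCE VPC ingress firewall evaluation (added example).

Semantics reproduced here:
  * a rule matches if the packet's source address is in one of the rule's
    source ranges, OR the packet comes from an instance carrying one of the
    rule's source tags;
  * the destination instance must carry one of the rule's target tags
    (no target tags means every instance in the network);
  * anything no allow rule matches is dropped (implied deny-all-ingress).

Assumption (labelled): source tags are matched on the sending instance's
internal address. Traffic the sender addresses to another instance's
external IP is seen by the firewall as coming from the sender's external IP,
which carries no tag, so source-tag rules do not match it.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Instance:
    name: str
    internal_ip: str
    external_ip: str
    tags: set = field(default_factory=set)


@dataclass
class Rule:
    name: str
    allow_ports: set                      # TCP ports this rule allows
    source_ranges: list = field(default_factory=list)
    source_tags: set = field(default_factory=set)
    target_tags: set = field(default_factory=set)


def ingress_allowed(rules, instances, src_ip, dst, port):
    """Return the name of the first rule permitting src_ip -> dst:port,
    or None (None models the implied deny-all-ingress rule)."""
    # Tags only apply when src_ip is an instance's *internal* address.
    src_tags = set()
    for inst in instances:
        if inst.internal_ip == src_ip:
            src_tags = inst.tags
    for rule in rules:
        if port not in rule.allow_ports:
            continue
        if rule.target_tags and not (rule.target_tags & dst.tags):
            continue
        by_range = any(ip_address(src_ip) in ip_network(r) for r in rule.source_ranges)
        by_tag = bool(rule.source_tags & src_tags)
        if by_range or by_tag:
            return rule.name
    return None


# Constructed sample environment mirroring the question's setup.
BASTION = Instance("bastion", "10.128.0.2", "203.0.113.10", {"jumphost"})
DEV = Instance("dev", "10.128.0.3", "203.0.113.11", {"restricted-ssh"})
INSTANCES = [BASTION, DEV]
INTERNET_CLIENT = "198.51.100.7"

RULES = [
    # default-allow-ssh, narrowed to the bastion only (as in the question)
    Rule("default-allow-ssh", {22}, source_ranges=["0.0.0.0/0"], target_tags={"jumphost"}),
    # restricted-allow-ssh: bastion -> tagged instances only
    Rule("restricted-allow-ssh", {22}, source_tags={"jumphost"}, target_tags={"restricted-ssh"}),
]


def scenarios():
    """Evaluate the four connection attempts discussed in the question."""
    return {
        "internet->bastion:22": ingress_allowed(RULES, INSTANCES, INTERNET_CLIENT, BASTION, 22),
        "internet->dev:22": ingress_allowed(RULES, INSTANCES, INTERNET_CLIENT, DEV, 22),
        # ssh to dev's internal address: source tag "jumphost" matches
        "bastion->dev (internal ip):22": ingress_allowed(RULES, INSTANCES, BASTION.internal_ip, DEV, 22),
        # ssh to dev's external address: seen as coming from the bastion's
        # external IP, which has no tag, so nothing matches -> timeout
        "bastion->dev (external ip):22": ingress_allowed(RULES, INSTANCES, BASTION.external_ip, DEV, 22),
    }


if __name__ == "__main__":
    for path, verdict in scenarios().items():
        print(f"{path:32s} -> {verdict or 'DENIED (implied deny)'}")
```

The fourth scenario is the one that hangs in the question: the rule set is correct, but the connection has to be made to the instance's internal address for the source tag to apply. Pointing ssh at the internal address (the nslookup result in the question) keeps the tag-based restriction intact without opening port 22 to any external range.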

Best Answer

Turns out with my poor man's bastion solution I can use ssh -i ~/.ssh/google_compute_engine from my jumphost. No need for gcloud compute ssh.