Snehasis Ghosh's Blog

Build and Secure Networks in Google Cloud: Challenge Lab Solved

Build and Secure Networks in Google Cloud: Challenge Lab Solved

Snehasis Ghosh's photo
Snehasis Ghosh
·

3 min read

Build and Secure Networks in Google Cloud: Challenge Lab

Task 1 : Check the firewall rules. Remove the overly permissive rules.

Screenshot at 2022-05-07 22-35-41.png

Solution :

Open Cloud Shell and type

gcloud compute firewall-rules delete open-access

Task 2 : Navigate to Compute Engine in the Cloud Console and identify the bastion host. The instance should be stopped. Start the instance.

Screenshot at 2022-05-07 22-35-50.png

Solution :

Type in Cloud Shell

gcloud compute instances start bastion --zone us-central1-b

Task 3 : The bastion host is the one machine authorized to receive external SSH traffic. Create a firewall rule that allows SSH (tcp/22) from the IAP service. The firewall rule must be enabled for the bastion host instance using a network tag of SSH IAP network tag .

Screenshot at 2022-05-07 22-36-02.png

Solution :

Type this in cloud shell

Important

Don't forget to replace {Your SSH IAP network tag} with your SSH IAP network tag you received in your the task section. 

gcloud compute firewall-rules create {Your SSH IAP network tag} --allow=tcp:22 --source-ranges 35.235.240.0/20 --target-tags {Your SSH IAP network tag} --network acme-vpc


gcloud compute instances add-tags bastion --tags={Your SSH IAP network tag} --zone=us-central1-b

Task 4 : The juice-shop server serves HTTP traffic. Create a firewall rule that allows traffic on HTTP (tcp/80) to any address. The firewall rule must be enabled for the juice-shop instance using a network tag of HTTP network tag .

Screenshot at 2022-05-07 22-36-17.png

Solution :

Type this in cloud shell

Important

Don't forget to replace {Your HTTP network tag} with your HTTP network tag you received in your the task section.

gcloud compute firewall-rules create {Your HTTP network tag} --allow=tcp:80 --source-ranges 0.0.0.0/0 --target-tags {Your HTTP network tag} --network acme-vpc


gcloud compute instances add-tags juice-shop --tags={Your HTTP network tag} --zone=us-central1-b

Task 5 : You need to connect to juice-shop from the bastion using SSH. Create a firewall rule that allows traffic on SSH (tcp/22) from acme-mgmt-subnet network address. The firewall rule must be enabled for the juice-shop instance using a network tag of SSH internal network tag .

Screenshot at 2022-05-07 22-36-37.png

Solution :

Type this in cloud shell

Important

Don't forget to replace {Your SSH internal network tag} with your SSH internal network tag you received in your the task section. 

gcloud compute firewall-rules create {Your SSH internal network tag} --allow=tcp:22 --source-ranges 192.168.10.0/24 --target-tags {Your SSH internal network tag} --network acme-vpc


gcloud compute instances add-tags juice-shop --tags={Your SSH internal network tag} --zone=us-central1-b

Task 6 :In the Compute Engine instances page, click the SSH button for the bastion host. Once connected, SSH to juice-shop.

Screenshot at 2022-05-07 22-36-51.png

Solution :

  • Goto Navigation Menu -> Compute Engines -> VM Instances
  • Copy Internal IP of juice-shop
  • Open the SSH of bastion
  • If you get error try cand click retry
  • and type this command in SSH of bastion
    ssh <internal-IP-of-juice-shop you copied>

Congratulations

You earned a new Skill Badge

Screenshot at 2022-05-07 22-37-07.png

google cloudGCP