Launch the lab here
You need to configure this simple environment securely. Your first challenge is to set up appropriate firewall rules and virtual machine tags. You also need to ensure that SSH is only available to the bastion via IAP.
For the firewall rules, make sure:
- The bastion host does not have a public IP address.
- You can only SSH to the bastion and only via IAP.
- You can only SSH to juice-shop via the bastion.
- Only HTTP is open to the world for
juice-shop.
- Go to VPC network > Firewall > will see open-access
- Use the following command from the cloud console:
gcloud compute firewall-rules delete open-access- Go to Compute Engine > VM Instances > Select bastion > click on Start
gcloud compute firewall-rules create ssh-ingress --allow=tcp:22 --source-ranges 35.235.240.0/20 --target-tags ssh-ingress --network acme-vpc
gcloud compute instances add-tags bastion --tags=ssh-ingress --zone=us-central1-bgcloud compute firewall-rules create http-ingress --allow=tcp:80 --source-ranges 0.0.0.0/0 --target-tags http-ingress --network acme-vpc
gcloud compute instances add-tags juice-shop --tags=http-ingress --zone=us-central1-bTask 5: You need to connect to juice-shop from the bastion using SSH. Create a firewall rule that allows traffic on SSH (tcp/22) from acme-mgmt-subnet network address. The firewall rule should be enabled on juice-shop via a network tag
- Run the following:
gcloud compute firewall-rules create internal-ssh-ingress --allow=tcp:22 --source-ranges 192.168.10.0/24 --target-tags internal-ssh-ingress --network acme-vpc
gcloud compute instances add-tags juice-shop --tags=internal-ssh-ingress --zone=us-central1-bTask 6: In the Compute Engine instances page, click the SSH button for the bastion host. Once connected, SSH to juice-shop
- Go to Compute Engine > VM instances > SSH to bastion host
- Run the following:
- Look at the juice-shop instance and copy its Internal IP
- Replace
[internal IP of the juice-shop]withcopied IP
ssh [internal IP of the juice-shop]