3

I have an application that runs through GCP's Compute Engine on group instances.

I have multiple computers on different private networks around the country and I need them to connect to my application through the VPC. They can already communicate through the public IP, but that's not the goal.

I've looked at the VPN connectivity options that GCP offers; I either don't fully understand them or it's not what I want.

Sean Mickey
Oliver J
    Is it possible to explain what your end goal is here? I assume you want to connect to instances without an external IP address. Have you looked at the GCP documentation on [Connecting to instances without external IP addresses](https://cloud.google.com/solutions/connecting-securely#connecting_to_instances_without_external_ip_addresses)? Once we know your goal, we can provide a specific answer. – GagandeepT Apr 28 '20 at 15:16
  • I'm assuming you have Compute Engines attached to a VPC but have no public IP addresses. You have workstations/servers on-premises and you want to be able to form TCP connections to the GCP compute engines. It sounds like VPN is exactly what you want to use. – Kolban Apr 28 '20 at 16:38
  • You maybe need a bastion host, a public VM which make the bridge between public IP and private VPC. Be careful at the authentication process on this bastion host. – guillaume blaquiere Apr 28 '20 at 18:23
  • The end goal is to have the computers that are on the private network connect to the application with HTTP and not HTTPS, but be encrypted. I do have an external public IP address that the computers can connect to. They aren't workstations, they're chrome-players; they have Chrome running the application. So a bastion host would host a VPN between my networks? – Oliver J Apr 30 '20 at 14:43

2 Answers

1

To me it seems like you need a site-to-site VPN, which is called Cloud VPN in GCP. Cloud VPN would connect your different private networks around the country to GCP; it would look something like this: [image: Cloud VPN topology diagram]

Seems like you have already explored the option; did you encounter any issue? I believe it should be the perfect solution for this scenario. With a site-to-site VPN you will be able to SSH to the VM using its internal IP, and the VPN will provide encryption, which I believe is one of your main requirements.

userX
  • From the [VPN doc](https://cloud.google.com/vpn/docs/concepts/overview): "Cloud VPN securely connects your peer network to your Virtual Private Cloud (VPC) network through an IPsec VPN connection." After looking up the GCP definition of peer: "Peer VPN gateway: A gateway that is connected to a Cloud VPN gateway. A peer VPN gateway can be one of the following: * Another Cloud VPN gateway * A VPN gateway hosted by another cloud provider such as AWS or Azure * An on-premises VPN device or VPN service". A peer in my case is a computer behind a private network. – Oliver J May 11 '20 at 14:35
  • You may want to configure your computer as a VPN gateway. There are multiple OpenSource VPN solutions available to achieve it, here is the example on [How to set up a VPN between strongSwan and Cloud VPN](https://cloud.google.com/community/tutorials/using-cloud-vpn-with-strongswan) – GagandeepT May 11 '20 at 21:51
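An added example of what the strongSwan peer-gateway setup mentioned in the comment above looks like in practice. This is not code from the question, the answers, or the linked Google tutorial; it generates a minimal policy-based IPsec configuration for an on-premises machine acting as the peer VPN gateway of a Cloud VPN tunnel. Every address and subnet (`ONPREM_PUBLIC_IP`, `ONPREM_SUBNET`, `CLOUD_VPN_IP`, `VPC_SUBNET`) is an assumed placeholder, and the pre-shared key is read from a file so it never appears on a command line. Once the tunnel is up, the chrome-players' plain-HTTP requests to the VPC are carried inside ESP, which is the encryption the asker is after.

```shell
#!/usr/bin/env bash
# Added example (not from the original Q&A): build a strongSwan ipsec.conf and
# ipsec.secrets for a policy-based IKEv2 tunnel to a Cloud VPN gateway.
# All addresses below are assumed placeholders (RFC 5737 test ranges).
set -eu

ONPREM_PUBLIC_IP="${ONPREM_PUBLIC_IP:-203.0.113.10}"   # peer gateway's public address (assumed)
ONPREM_SUBNET="${ONPREM_SUBNET:-192.168.10.0/24}"      # private network the players sit on (assumed)
CLOUD_VPN_IP="${CLOUD_VPN_IP:-198.51.100.5}"           # Cloud VPN gateway external IP (assumed)
VPC_SUBNET="${VPC_SUBNET:-10.128.0.0/20}"              # VPC subnet holding the app instances (assumed)

# write_strongswan_config DIR PSK_FILE
# Writes DIR/ipsec.conf and DIR/ipsec.secrets. The PSK comes from PSK_FILE so it
# is not exposed in process listings or shell history.
write_strongswan_config() {
  dir="$1"; psk_file="$2"
  psk="$(cat "$psk_file")"
  mkdir -p "$dir"
  cat > "$dir/ipsec.conf" <<EOF
conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    ikelifetime=10h
    lifetime=3h
    dpdaction=restart
    dpddelay=30s
    keyingtries=%forever
    authby=psk

# Policy-based tunnel: traffic between the two subnets is encrypted with ESP,
# so the application can stay plain HTTP inside the VPC while the wire is encrypted.
conn gcp
    left=%defaultroute
    leftid=${ONPREM_PUBLIC_IP}
    leftsubnet=${ONPREM_SUBNET}
    right=${CLOUD_VPN_IP}
    rightid=${CLOUD_VPN_IP}
    rightsubnet=${VPC_SUBNET}
    type=tunnel
    auto=start
EOF
  # ipsec.secrets holds the PSK; create it readable by the owner only.
  ( umask 077; printf '%s %s : PSK "%s"\n' "$ONPREM_PUBLIC_IP" "$CLOUD_VPN_IP" "$psk" > "$dir/ipsec.secrets" )
  chmod 600 "$dir/ipsec.secrets"
}

# check_strongswan_config DIR
# Sanity checks before loading: IKEv2 selected, PSK auth, the VPC subnet is the
# remote selector, and the secrets file is not readable by anyone else.
check_strongswan_config() {
  dir="$1"
  grep -q '^    keyexchange=ikev2' "$dir/ipsec.conf" || return 1
  grep -q '^    authby=psk' "$dir/ipsec.conf" || return 1
  grep -q "^    rightsubnet=${VPC_SUBNET}" "$dir/ipsec.conf" || return 1
  [ -n "$(find "$dir" -name ipsec.secrets -perm 600)" ] || return 1
}

# Stand-alone run: `bash this.sh demo` writes the files into a scratch directory
# with a constructed throwaway key.
if [ "${1:-}" = "demo" ]; then
  tmp="$(mktemp -d)"
  printf 'example-psk-change-me\n' > "$tmp/psk"   # constructed placeholder key
  write_strongswan_config "$tmp/etc" "$tmp/psk"
  check_strongswan_config "$tmp/etc" && echo "config written to $tmp/etc"
fi
```

The generated files are dropped into `/etc/` on the peer gateway and loaded with `ipsec restart`; the matching Cloud VPN tunnel on the GCP side must use the same PSK, the same IKE version and a traffic selector covering `ONPREM_SUBNET`. A single `ike=`/`esp=` proposal with a trailing `!` keeps the gateway from negotiating weaker ciphers than the ones listed.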
0

As per your scenario, you can use the following:

  • You can use a bastion host if you need access to a single service/port. In order to reach your target private instance, you log in to the bastion host first and then to the target VM using SSH forwarding. Due to this they are also called jump servers.

How to connect through a bastion host?

How to connect over a VPN connection?

GagandeepT
  • I don't know if a bastion host is going to work. I require my private computers to communicate with HTTP to my VPC for the purpose of loading a web page. I do require to be able to connect to my private computers with SSH for maintenance purposes. – Oliver J May 07 '20 at 13:46
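An added example of the bastion approach from the answer above, written as an OpenSSH client configuration rather than the documentation links the answer points to; it is not code from the question or the answers. `ProxyJump` performs the two-hop "SSH forwarding" the answer describes, and `LocalForward` carries the application's plain-HTTP port back to the local machine inside the SSH session, which addresses the asker's follow-up concern about loading a web page over HTTP while keeping the path encrypted. The bastion address, VM address, user name and key path are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the original Q&A): generate an OpenSSH client config
# for reaching a private Compute Engine VM through a bastion (jump) host and
# tunnelling its HTTP port to localhost. All values are assumed placeholders.
set -eu

BASTION_IP="${BASTION_IP:-203.0.113.20}"          # bastion's external IP (assumed, RFC 5737 range)
APP_VM_IP="${APP_VM_IP:-10.128.0.7}"              # private VPC address of the application VM (assumed)
SSH_USER="${SSH_USER:-maint}"                     # account used on both hosts (assumed)
KEY_FILE="${KEY_FILE:-~/.ssh/gcp_maint_ed25519}"  # dedicated key for this path (assumed; ssh expands ~)
LOCAL_PORT="${LOCAL_PORT:-8080}"                  # local port that mirrors the app's port 80

# write_ssh_config DIR
# Writes DIR/config. `ssh -F DIR/config app-vm` connects to the bastion first and
# tunnels the second hop through it, so the app VM needs no external IP.
# Agent forwarding stays off so a compromised bastion cannot reuse the client's
# keys, and host keys are pinned on both hops.
write_ssh_config() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/config" <<EOF
Host bastion
    HostName ${BASTION_IP}
    User ${SSH_USER}
    IdentityFile ${KEY_FILE}
    IdentitiesOnly yes
    ForwardAgent no
    StrictHostKeyChecking yes

Host app-vm
    HostName ${APP_VM_IP}
    User ${SSH_USER}
    IdentityFile ${KEY_FILE}
    IdentitiesOnly yes
    ForwardAgent no
    StrictHostKeyChecking yes
    ProxyJump bastion
    LocalForward ${LOCAL_PORT} 127.0.0.1:80
EOF
  chmod 600 "$dir/config"
}

# check_ssh_config DIR
# Confirms what a reviewer would look for: the jump hop is declared, agent
# forwarding is off for both hosts, host keys are pinned, and the HTTP forward
# binds to the loopback address only.
check_ssh_config() {
  dir="$1"
  grep -q '^    ProxyJump bastion$' "$dir/config" || return 1
  [ "$(grep -c '^    ForwardAgent no$' "$dir/config")" -eq 2 ] || return 1
  [ "$(grep -c '^    StrictHostKeyChecking yes$' "$dir/config")" -eq 2 ] || return 1
  grep -q "^    LocalForward ${LOCAL_PORT} 127.0.0.1:80$" "$dir/config" || return 1
}

# Stand-alone run: `bash this.sh demo` writes the config into a scratch directory.
if [ "${1:-}" = "demo" ]; then
  tmp="$(mktemp -d)"
  write_ssh_config "$tmp"
  check_ssh_config "$tmp" && echo "ssh config written to $tmp/config"
  # To use it (not executed here): ssh -F "$tmp/config" -N app-vm
  # then browse http://127.0.0.1:${LOCAL_PORT}/ while that session is open.
fi
```

`ssh -N app-vm` keeps the tunnel open without a remote shell; each chrome-player would need its own such session (or the tunnel terminated on a shared gateway in its network), which is why the site-to-site VPN in the other answer scales better for a fleet of players, while the bastion path fits the asker's occasional SSH maintenance access.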