bastion | 🔒Secure Bastion implemented as Docker Container running Alpine Linux with Google Authenticator & DU | Continuous Deployment library

There is likely no user on the remote system called 'username'. Make sure both systems have the same username and public key.

When using SSH tunnel for accessing Neptune using localhost, one need to explicitly pass Neptune endpoint as host header for signing the request. Consider below example for awscurl:

The warning means that the service account has permissions that have not been used. The message does not mean that the "service account" has not been used.

Tip: A Bastion Host should not have any permissions except for logging (Stackdriver Logging and Stackdriver Monitoring).

As @JohnHanley mentioned, you will need to write code or scripts to launch commands on VMs dynamically because GCP doesn't have the type of service you require.

You may want to consider Cloud Identity-Aware Proxy (IAP) as it can be used for building your solution:

IAP helps to protect SSH access to your VMs without needing to provide your VMs with public IP addresses, and without having to set up bastion hosts.

For instance, you can check the enable IAP on Compute Engine guide.

You can also create a feature request for Google to consider implementing this solution.

There is two to three things wrong in your playbook.

1. Do not use a debug and register if you want to register a variable, use the appropriate set_fact module

First, your var.alarm_actions is already a list, so adding brackets around it like [var.alarm_actions] is going to create a list of lists, which is going to cause errors. You just need to pass it directly to the resource like:

I've never heard of a security group failing, so if you properly configure your security group with a restricted list of IP addresses/ports, you should be secure.

BUT

In a typical cloud-deployed application, you do not have or want strictly-controlled access. Instead, the typical cloud-deployed application is a web-app that exposes port 80 to the world.

And once you expose any port to the world, your security is entirely dependent on what is listening to that port. Do you have a vulnerability in your web-server? You've now given your attacker the ability to access resources inside your network. If your server has AWS access keys, then the attacker has them as well.

The goal of putting your servers in a private subnet, with a load balancer in front of them, is to reduce your attack surface. It's presumably less likely that attackers will be able to find an exploit in an ALB (versus Apache, nginx, or whatever you're using), and presumably more likely that AWS will be able to mitigate any such exploit faster than you can (because they don't need to wait for patches to become available from an external maintainer).

Of course, the code you wrote could have an exploit that's triggered from a standard HTTP(S) request. However, even in this case, you can reduce blast radius by controlling what your application can access. An instance with a public IP can access anything on the Internet unless you strictly control the egress rules in its security group. In a private subnet, it can only access stuff within the VPC.

So, ultimately, it's a matter of simplicity: yes, you can craft a secure environment where every host is on the Internet. That was, in fact, the way that AWS worked prior to the introduction of VPCs. But it's easier to rely on the VPC to provide a base level of security (just like, in non-cloud deployments, you rely on the corporate firewall to provide a base level of security).

The default QEMU networking type, which is what you're using, is "user-mode" networking. The IP address the guest VM sees in this setup is not visible outside the VM (it's a little bit like the VM being behind a NAT router). So while the guest can connect outwards, you cannot connect in to the guest unless you configure port forwarding on your QEMU command line. (The QEMU wiki page on networking includes an example of the syntax for this for an SSH port.)

If you need the guest to have an IP address that is publicly visible to the rest of the world (including to the host machine) you need to use a different network backend, like "tap"; that's a lot more complicated to set up, though.

Answering the part of the question:

How to change the existing GKE cluster to GKE private cluster?

GKE setting: Private cluster is immutable. This setting can only be set during the GKE cluster provisioning.

To create your cluster as a private one you can either:

• Create a new GKE private cluster.
• Duplicate existing cluster and set it to private:
  • This setting is available in GCP Cloud Console -> Kubernetes Engine -> CLUSTER-NAME -> Duplicate
  • This setting will clone the configuration of your infrastructure of your previous cluster but not the workload (Pods, Deployments, etc.)

Will I be able to connect to the Kubectl API from internet based on firewall rules or should I have a bastion host?

Yes, you could but it will heavily depend on the configuration that you've chosen during the GKE cluster creation process.

As for ability to connect to your GKE private cluster, there is a dedicated documentation about it:

• Cloud.google.com: Kubernetes Engine: Docs: How to: Private clusters

As for how you can create a private cluster with Terraform, there is the dedicated site with configuration options specific to GKE. There are also parameters responsible for provisioning a private cluster:

• Registry.terraform.io: Providers: Hashicorp: Google: Latest: Docs: Resources: Container cluster

As for a basic example of creating a private GKE cluster with Terraform:

• main.tf