Google Professional Cloud Network Engineer – Implementing Network Security
- 5.1 Configuring Identity and Access Management (IAM)
Section Five: Implementing Network Security. Network security is very important in a cloud environment, especially a public cloud environment, because you, or the enterprises, are uploading and managing data inside that public environment. And it is not only one company hosting its data in one data center; many companies host their data in those shared environments and data centers. So security is very important, and network security in particular is the most important thing for us to consider when we are planning to move into the public cloud. Looking at the objectives for this section, we will look at configuring Identity and Access Management (IAM), configuring Cloud Armor policies (and we are going to get into the details of how you do that), and configuring third-party device insertion into a VPC using multi-NIC.
I’m not going to get into too much detail, but I’m going to give you a high-level overview of how you do that. Then managing SSH keys; this is a very general topic, not strictly network security, but SSH is definitely a network entity. How do you manage and use SSH keys? That’s what we are going to look at. If you look at the wheel for Google Cloud Platform, at its core there is the VPC. Whatever resource you create in Google Cloud Platform is associated with one particular VPC, and the VPC is where the first layer of filtering lives: VPC firewall rules, IAM policies, Private Google Access to Google services, bastion hosts, routers and gateways. All of those are components of the VPC. The second layer is Cloud Interconnect. Here you have multiple options to connect your on-premises network with Google Cloud Platform, and at the same time you can encrypt the traffic that goes out from your data center to Google Cloud Platform or vice versa (the Interconnect link itself is not encrypted; you run a VPN tunnel or your own encryption over it).
The next layer is isolation, auditing and compliance. That is where you put different measures in place, like logging, monitoring, compliance controls and third-party virtual appliances, to protect your data and to monitor and audit it: who is accessing the data or the applications, and from which location. The next layer is the Google global load balancer, and that is the outermost layer you can think of. It sits in Google’s edge network (the points of presence), and you can protect the load balancer, the external-facing entry point, on Google’s premises. We are going to see how Cloud Armor helps us do that. This is the overall wheel of security measures you have. Now, looking at firewalls and how you can block or restrict traffic: we already saw VPC firewall rules, we compared them with a traditional firewall, and we saw how you configure ingress and egress traffic.
You can allow and deny traffic in both directions, and you can configure that at each and every level, which is very important. So you can cover that using the firewall, and the firewall is one of the best security measures you have to protect your resources. Some properties of VPC firewall rules: they work in both directions, so you can create ingress or egress rules; they are stateful (a reply to an allowed connection is accepted without a separate rule in the other direction); and they support flexible grouping, so you can use network tags, service accounts, networks or instances to define which rules apply to which VMs. This is a slide I took from Google itself, and what it says is that you can restrict communication using routes and firewall rules, and allow only the traffic that is required. Don’t just open everything up to communicate with everything else; work out which services are actually required from those instances, and which instances should be able to reach your VMs, App Engine or database services. You can apply firewall rules at a fine-grained level. Another security measure here is to enable VPC Flow Logs, and on top of VPC Flow Logs, Firewall Rules Logging.
Those logs take a considerable amount of space, because VPC Flow Logs write a record for every sampled flow at each aggregation interval and firewall logs write an entry for every connection that hits a rule with logging enabled, so keep that in mind. What VPC Flow Logs and firewall logs provide is near-real-time visibility into network availability and performance, security analytics and network forensics: who is connecting, which port it is connecting to, which data is being accessed by which clients. You can have all of that configured. Once you have the logs, you can export them to BigQuery and run analytics on top of them, and you can do traffic planning based on the flow logs. Examples of what flow logs track: VM-to-VM communication, VM-to-interconnect communication, VM-to-internet communication and traffic between VMs and Google services in production.
So flow logs definitely help you understand the network, and firewall logs on top of VPC Flow Logs help you see who is trying to access your data or your instances. If you look at the Google Cloud Platform network as a whole, you can think of the communication in between as encrypted everywhere: Google encrypts traffic in transit between its data centers by default, so at that layer you do not need to worry about whether the data is encrypted. One caveat for your own applications: that default does not replace TLS in front of your services, so terminate HTTPS at the external load balancer and use TLS from the load balancer to your backends if the data is sensitive. We are going to see how you can protect the outside connection using Cloud Armor. And again, this slide is from Google Cloud Platform. I just got lazy and did not create anything else as a slide, but I’m going to use this slide to explain Cloud Armor. That’s it, guys. As an introduction, we are going to get into configuring Identity and Access Management in Google Cloud Platform in the next lecture. Thank you.
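Added example (not part of the lecture, and not Google’s code): a small simulation of how VPC firewall rules are evaluated, so the properties listed above (ingress and egress, stateful replies, grouping by tag or service account, priority order, implied rules) can be exercised offline. Everything here is an assumption modelled after the firewall rule resource: priority 0 to 65535 with the lowest number winning, deny beating allow on a tie, an implied deny-all ingress and allow-all egress at priority 65535, and a constructed rule set and VMs.

```python
# Added example, not the course's or Google's code. Simulates VPC firewall rule
# evaluation. Assumptions: rule fields modelled after the VPC firewall rule
# resource; the implied rules are deny-all ingress / allow-all egress at 65535;
# the rule set and VMs below are constructed samples.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    priority: int
    direction: str                 # "INGRESS" or "EGRESS"
    action: str                    # "allow" or "deny"
    ranges: list                   # source CIDRs (ingress) / destination CIDRs (egress)
    ports: set = field(default_factory=lambda: {"*"})   # "*" = any port
    target_tags: set = field(default_factory=set)
    target_service_accounts: set = field(default_factory=set)

    def applies_to(self, vm):
        # A rule with no targets applies to every instance in the network.
        if not self.target_tags and not self.target_service_accounts:
            return True
        return bool(self.target_tags & vm["tags"]) or vm["sa"] in self.target_service_accounts

    def matches(self, vm, remote_ip, port):
        if not self.applies_to(vm):
            return False
        ip = ipaddress.ip_address(remote_ip)
        if not any(ip in ipaddress.ip_network(cidr) for cidr in self.ranges):
            return False
        return "*" in self.ports or port in self.ports


IMPLIED_RULES = [
    Rule("implied-deny-ingress", 65535, "INGRESS", "deny", ["0.0.0.0/0"]),
    Rule("implied-allow-egress", 65535, "EGRESS", "allow", ["0.0.0.0/0"]),
]


def decide(rules, vm, direction, remote_ip, port):
    """Return (action, rule name). The lowest priority number that matches wins;
    if an allow and a deny share a priority, deny wins."""
    matching = [r for r in list(rules) + IMPLIED_RULES
                if r.direction == direction and r.matches(vm, remote_ip, port)]
    matching.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    winner = matching[0]            # the implied rules guarantee at least one match
    return winner.action, winner.name


class StatefulFirewall:
    """Stateful behaviour: once an inbound flow is allowed, its replies are
    accepted without consulting the egress rules."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()          # (vm name, remote ip, local port) of allowed inbound flows

    def inbound(self, vm, src_ip, dst_port):
        action, name = decide(self.rules, vm, "INGRESS", src_ip, dst_port)
        if action == "allow":
            self.flows.add((vm["name"], src_ip, dst_port))
        return action, name

    def outbound(self, vm, dst_ip, dst_port, src_port=None):
        if (vm["name"], dst_ip, src_port) in self.flows:
            return "allow", "established"       # reply to an allowed inbound flow
        return decide(self.rules, vm, "EGRESS", dst_ip, dst_port)


# Constructed sample: a web tier reachable from the internet, a db tier reachable
# only from the web subnet, and no new outbound internet connections from web VMs.
RULES = [
    Rule("allow-web-from-internet", 1000, "INGRESS", "allow", ["0.0.0.0/0"],
         ports={80, 443}, target_tags={"web"}),
    Rule("allow-ssh-from-bastion", 900, "INGRESS", "allow", ["10.0.0.0/24"],
         ports={22}, target_service_accounts={"web-sa@gcp-project.iam.gserviceaccount.com"}),
    Rule("allow-db-from-web", 1000, "INGRESS", "allow", ["10.0.1.0/24"],
         ports={3306}, target_tags={"db"}),
    Rule("deny-egress-internet", 1000, "EGRESS", "deny", ["0.0.0.0/0"], target_tags={"web"}),
    Rule("allow-egress-internal", 900, "EGRESS", "allow", ["10.0.0.0/8"]),
]
WEB_VM = {"name": "web-1", "tags": {"web"}, "sa": "web-sa@gcp-project.iam.gserviceaccount.com"}
DB_VM = {"name": "db-1", "tags": {"db"}, "sa": "db-sa@gcp-project.iam.gserviceaccount.com"}

if __name__ == "__main__":
    fw = StatefulFirewall(RULES)
    print(fw.inbound(WEB_VM, "203.0.113.7", 443))              # ('allow', 'allow-web-from-internet')
    print(fw.outbound(WEB_VM, "203.0.113.7", 51234, src_port=443))  # ('allow', 'established')
    print(fw.outbound(WEB_VM, "203.0.113.9", 443))             # ('deny', 'deny-egress-internet')
    print(fw.inbound(DB_VM, "203.0.113.7", 3306))              # ('deny', 'implied-deny-ingress')
```

The point to take from running it: the db VM is never reachable from the internet even though no rule mentions it, because the implied deny-all ingress catches it, while the web VM can answer clients but cannot open new connections to the internet.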
- Cloud IAM
Cloud IAM gives fine-grained access control and visibility for centrally managed cloud resources. At a high level, you control the access permissions of your cloud resources; that’s Cloud IAM, Identity and Access Management in long form. Cloud IAM is context-aware, which means it understands the context in which access permissions are provided. It has a built-in audit trail, so your audit logs are streamed and you can use them for any analysis purpose. It is very simple to configure, and we are going to see that in the demo, and you get granular resource control for enterprise identities. Before I get into too much theory, let me go back into the console. I’m here in the console. I can go to IAM & admin, and I can click in here and add a member.
I can add the new member, and this is your actual user who wants access to your resources. Let me go ahead and add my Google ID here and give permission. I can give either the basic (primitive) roles, like Editor, Owner or Viewer at the project level, or I can give a specific predefined role like Project Billing Manager, Logging Admin, a Monitoring role, Storage Admin and so on. Let me just give the high-level Editor role for this particular project. If I have to add another role, I can do “add another role” here, but I’m fine with that right now, so I’ll just save. So I have added thanaji with the Editor role here. If I go here, I should be able to see it; I think I should have got the notification, so I can go ahead and search for the project. What was the project name? GCP project.
So I can switch to that particular GCP project, and this is that project. Okay, so that’s how you provide access to your project, or to any particular resource, to a user. I can go ahead and revoke that access; I’ll just delete it, so that particular user is gone. If I go here again and try to launch something, it will say you do not have sufficient permission to view this page. Okay, so this is how IAM works: you can add users and give them permissions. The second thing is roles: you can use the predefined roles or you can create your own custom roles. You can also go here and check the service accounts. That’s a different topic altogether, but we are going to see it: if you want to provide access to a particular application rather than a user, that’s where you create a service account. So this is the Roles section. You can create a different role, and you can see all the roles that are available.
There are quite a few different roles. If you click on any role, say App Engine Admin, you will get all of its permissions. So if you assign App Engine Admin to someone, that person gets all of these permissions, okay? You can use the existing predefined roles, or you can create a custom role and mix and match permissions, including permissions taken from existing roles. So for this custom role, let me create one for database administrator; I can add permissions based on an existing role like the Cloud SQL roles. I have multiple Cloud SQL entries here, so I can select them all. Those are the permissions I have, and I can say Add.
Once I have added all the permissions, I can just hit the Create button, and the database administrator role is created. I can then assign the database administrator role to any member. So I’ll add a member; I’ll just try to add my name again, and the role is the database administrator role created today. With that role, I will be able to create and manage Cloud SQL instances (and Cloud Spanner too, once the Spanner permissions are added to the role; what we selected above were the Cloud SQL permissions). So that’s Cloud IAM and roles: you can create custom roles, and you can click on the audit logs here to see who is creating roles; you can enable auditing on those. Let me go back to the theory. What Cloud IAM provides: it enables you to grant access to cloud resources at a fine-grained level, well beyond project-level access. Cloud IAM provides a simple, consistent access control interface to all cloud platform services. You can have multiple levels of access permissions, and we just saw you can mix and match roles and their permissions, from an individual object or instance up to the organization level.
So in a nutshell, Cloud IAM defines who gets what access on which resource. The “who” is a member: a Google Account, a service account, a Cloud Identity or G Suite account, or a group. The “what” is the set of permissions, like read, write or execute, or the admin permissions we just saw you can bundle into a role and grant. The “which resource” is something like a Cloud SQL instance, a Cloud Storage bucket, an App Engine app or a virtual machine. So the terminology Cloud IAM uses is: the resource, meaning the end resource on which you define the permissions; the permissions, like create database or create instance; and the roles, which are collections of permissions. There are predefined system roles, and you can also define your own. Among the roles you have the primitive roles; we saw you can give just the project Owner, Editor or Viewer role. Then you have fine-grained predefined roles and user-defined custom roles; we saw both.
We created one custom role. So who are the users for Cloud IAM? It could be anything like the Google Account I just used, Najimuslia@gmail.com, or a G Suite account, or a Google Group. If you assign a role to a Google Group, that role applies to the whole group, so if the group contains 100 users, all 100 users get access to those resources. GCP does not create or manage users; that is done in the G Suite (or Cloud Identity) admin console. So typically in Google Cloud Platform we do not manage identities, we just use them, whether they come from G Suite, a Google Account or a Google Group. GCP itself does no user administration, so you cannot go here and add a new user; everyone you add as a member is an existing identity.
We are going to get into service accounts in the next lecture. A service account is typically used for application-to-application communication, or when you want to allow or restrict one particular application to doing certain specific things and not everything, as an administrator would. Now, project roles: I assigned the Editor role to my ID, but at the project level you have Viewer, Editor and Owner. The Owner can manage access control for the project and all its resources, including setting up billing. Then you have product-specific roles, for example for Cloud SQL.
Cloud SQL has its own roles, such as Cloud SQL Admin and Cloud SQL Viewer, and there are permissions attached to each of those roles. Then you have organization-level roles like Organization Admin and the Resource Manager roles; these are tied to the organization, which comes with G Suite or Cloud Identity, rather than to a project. Here is just another representation of the primitive roles: you have Owner, Editor and Viewer, and at the project level you can also have Billing Administrator. So what is the difference between Editor and Owner? Editor has all Viewer permissions plus permissions for actions that modify the state of a resource. Owner can do much more: it can manage access permissions, create roles, give permissions to others, and set up and control the billing account and the billing for a particular project.
There are predefined roles, which we already saw, and you can explore them. There may be exam questions along these lines: if you want to give a user something like GCE network administrator access, do you need to create your own access policy, or can you use an existing role? Does IAM allow you to create custom roles, or can you only use the predefined roles that come with the platform? The answer is that predefined roles already bundle the permissions for a job function (Compute Network Admin exists for exactly this case), and on top of that you can create custom roles. Predefined roles themselves cannot be edited, but if one role has two or three permissions you need, you can combine two roles into a new custom role, combine multiple permissions together, start from a copy of an existing role and add a permission, or remove one particular permission from that copy.
You can do all of that, and we saw it when I was creating a custom role: you can mix and match all those possibilities. So this is just a high-level flow. It starts from the project, then the service, billing, enabling APIs, creating a service account and setting up IAM policies. This is the typical flow: if you are planning to launch a GAE (App Engine) application, you need to enable billing for your project, enable the API, create a service account with the permissions App Engine needs to do certain things like access database services, and set the IAM policies for who should and should not have access to this App Engine app. The flow is top to bottom. Google Cloud Platform itself is concerned with projects and resources; the organization setup above that is part of G Suite, and this is the hierarchy. We saw this already, but here is a representation of how IAM roles work in it. If a company has an organization with an IAM owner at the top and multiple departments below it, the folder admin, or department admin as you can think of it in real terms, should have access to create projects and manage their resources.
In GCP, what you see in the console starts with the project and onwards; you can link your organization to your GCP project, but beyond that the folder and organization structure is managed at the organization level, not from a project. Like the roles, you have policies defined at each level, and all resources inherit the policies of their parent. The effective policy is the union of the parent’s policy and the resource’s own policy. So if the parent is less restrictive, it overrides a more restrictive policy on the child: a role granted at the organization or folder cannot be taken away at the project. That’s the hierarchy in a nutshell. I just gave one example here for IAM policies in a different organization structure: there is an organization administrator, a project creator, an instance administrator, and some network-specific people. Robert only looks after the network, and Robert also looks after the security admin part of a project. James can be disk administrator, and James can also be a project manager or instance administrator. So you can mix and match all these different roles, create specific roles for your organization’s needs and manage everything in IAM. So what are the best practices? Use groups.
If there are many employees who need access to Google Cloud Platform resources, use groups. That way you can give permissions to a group, or completely take them away from a group, and you don’t have to manage individual permissions for tens of people. Enable audit logging on policy changes; this is very important, and we are going to look at audit logs. When someone with the permission gives access to someone else, you need to make sure that is recorded and tracked: who gave which policy to which user or service account. Follow the principle of least privilege. This is very important, because if there is a group of people who do not need, say, administrator access, and just for the sake of simplicity you have given the whole group administrator access on, as an example, Cloud SQL, they can accidentally or intentionally delete some data without you knowing, which you can’t control.
That is one aspect, but at the same time, if you do not want to expose sensitive customer information, you should not even give read permission on, say, Cloud SQL to a group of people who should not have access to it. So follow the principle of least privilege; don’t simplify your access permissions just for the sake of simplifying them. Control what service accounts can do.
This is again very important. Sometimes we tend to give access through a user account, and that user account then gets used by applications to do all their activity inside the cloud platform. But Google has a very nice thing called a service account. This is not the account of a person; it is system-level access. You create a service account, assign it to a particular instance or resource, and then the access permissions are managed through that service account, scoped to what the application actually needs. Auditing is another topic, and we are going to see it in a later lecture, but you can enable audit logging so that whenever there are policy changes, like a user being added or a user getting access to cloud resources, you see it.
You can trigger a Pub/Sub notification, or you can define alerting policies in Stackdriver Logging (now Cloud Logging). Okay? If you create a Pub/Sub notification, you can have a Cloud Function respond, for example by just sending a mail to the network administrator saying that access has been given to so-and-so user. Again, you can export all of that data to BigQuery and run analysis on the access logs as well. One is the Admin Activity log and the second is the Data Access log. Data Access logs are not enabled by default (BigQuery is the exception), and if you want to collect them, they are huge in size, so you need some tooling; BigQuery is what Google suggests. You define a sink to BigQuery and run analytics on the data there. That’s it, guys, for Cloud IAM. If you have any questions on Cloud IAM, let me know. In the next section we are going to get into service accounts. Thank you.
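Added example (not part of the lecture, and not Google’s implementation): a simulation of how Cloud IAM answers “can this member do this on this resource”, covering the three points made in this lecture: policies inherited down the organization > folder > project hierarchy, the effective policy being the union of the ancestors’ and the resource’s own policy, and groups as the unit of assignment, plus a least-privilege review that lists who holds a dangerous permission. The hierarchy, bindings, group memberships and the abbreviated permission sets per role are all constructed assumptions; real predefined roles carry far more permissions.

```python
# Added example, not the course's or Google's code. Simulates Cloud IAM permission
# resolution with policy inheritance and group expansion. Assumptions: the
# hierarchy, bindings and groups below are constructed; role permission sets are
# abbreviated stand-ins for the real predefined roles.
from dataclasses import dataclass, field
from typing import Optional

ROLE_PERMISSIONS = {
    "roles/viewer": {"cloudsql.instances.get", "cloudsql.instances.list",
                     "compute.instances.get"},
    "roles/editor": {"cloudsql.instances.get", "cloudsql.instances.list",
                     "cloudsql.instances.create", "cloudsql.instances.delete",
                     "compute.instances.get", "compute.instances.create"},
    "roles/owner": {"cloudsql.instances.get", "cloudsql.instances.list",
                    "cloudsql.instances.create", "cloudsql.instances.delete",
                    "compute.instances.get", "compute.instances.create",
                    "resourcemanager.projects.setIamPolicy"},
    # The custom role from the console demo, modelled as Cloud SQL management
    # permissions deliberately without delete (least privilege).
    "projects/gcp-project/roles/databaseAdministrator": {
        "cloudsql.instances.get", "cloudsql.instances.list",
        "cloudsql.instances.create", "cloudsql.instances.update"},
}

GROUP_MEMBERS = {
    "group:dba@example.com": {"user:alice@example.com", "user:bob@example.com"},
}


@dataclass
class Resource:
    name: str
    parent: Optional["Resource"] = None
    bindings: dict = field(default_factory=dict)   # role -> set of members

    def ancestry(self):
        node = self
        while node is not None:
            yield node
            node = node.parent


def effective_bindings(resource):
    """Effective policy = union of the resource's policy and every ancestor's.
    A grant at the organization or folder therefore cannot be revoked at the project."""
    merged = {}
    for node in resource.ancestry():
        for role, members in node.bindings.items():
            merged.setdefault(role, set()).update(members)
    return merged


def expand(member):
    """A binding on a group applies to each of its members; others are returned as-is."""
    if member.startswith("group:"):
        return set(GROUP_MEMBERS.get(member, set()))
    return {member}


def has_permission(principal, permission, resource):
    for role, members in effective_bindings(resource).items():
        if permission not in ROLE_PERMISSIONS.get(role, set()):
            continue
        if any(principal in expand(m) for m in members):
            return True
    return False


def who_can(permission, resource):
    """Least-privilege review: every concrete principal holding a permission
    and the role(s) that grant it."""
    holders = {}
    for role, members in effective_bindings(resource).items():
        if permission not in ROLE_PERMISSIONS.get(role, set()):
            continue
        for member in members:
            for principal in expand(member):
                holders.setdefault(principal, set()).add(role)
    return holders


# Constructed hierarchy: an auditor gets Viewer at the organization, the DBA group
# gets the custom role on the project, and the application's service account is Editor.
ORG = Resource("organizations/123456789",
               bindings={"roles/viewer": {"user:auditor@example.com"}})
FOLDER = Resource("folders/production", parent=ORG)
PROJECT = Resource("projects/gcp-project", parent=FOLDER, bindings={
    "projects/gcp-project/roles/databaseAdministrator": {"group:dba@example.com"},
    "roles/editor": {"serviceAccount:app@gcp-project.iam.gserviceaccount.com"},
})

if __name__ == "__main__":
    print(has_permission("user:auditor@example.com", "cloudsql.instances.list", PROJECT))  # True
    print(has_permission("user:alice@example.com", "cloudsql.instances.delete", PROJECT))   # False
    print(who_can("cloudsql.instances.delete", PROJECT))  # only the app service account, via roles/editor
```

Note what the review shows: the only principal able to delete Cloud SQL instances is the application’s service account, and only because it was given the broad Editor role; replacing that binding with the custom role would close the gap the lecture warns about.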
- 5.2 Configuring Cloud Armor policies
Configuring Cloud Armor policies: network security at the edge layer, the load balancer layer. So how does it work? We have seen firewall rules inside Google Cloud Platform; that’s where you protect the network, the subnetwork and the virtual machine instances. Ultimately everything is applied at the virtual machine instances, right? That is there. But those are all back-end services, and if you are not exposing them to the outside directly, how do you protect the traffic at the edge itself, at the point of presence? That is the job of Cloud Armor on the Google external load balancer. Consider a case where the website of my app is accessed by users around the globe, and you want to restrict some of the users, say those from Russia, or from India, or from the US. You can do that using Cloud Armor policies. So what it does is you configure a Cloud Armor security policy that allows traffic from a specific client, and denies traffic from a specific client, a group of clients or a CIDR range. That is what Cloud Armor is for.
Let’s get into the details. You go to Network Security, Cloud Armor, and Create Policy; call it “my first cloud armor policy”. What you can do is deny or allow, the same way you configure a firewall. If you deny, you choose the status code to return, 403, 404 or 502, because that response is generated at the edge rather than coming from the backend. If you click Allow, then whatever status comes back from the backend is handed to the client. So I’m clicking Deny, and I can say either Forbidden (403), meaning not allowed for you, or Not Found (404), to say that nothing like that exists; I can fake it, right? Next step, I can add more rules and define what each rule is. I’m not putting anything in; I’m just doing Next Step, “apply policy to targets”. I do not have any HTTP(S) load balancer here, but if you have a load balancer, you select its backend service as the target, click Done and Create Policy, and this policy will be applied to your target. More importantly, you can have multiple rules inside one policy.
That is not the case with firewall rules, right? A firewall rule has either allow or deny, one set of targets and one set of sources, depending on what type of firewall rule it is. But in Cloud Armor you can have multiple rules defined inside one policy, and you apply that policy to the backend service in front of your instances. Okay? So that’s Cloud Armor at a high level. It protects at layer 3 through layer 7, because it is not a network-layer device directly; it is a service in front of the serving infrastructure. It offers preconfigured rules for cross-site scripting and SQL injection, which are already there; you don’t have to write them. We already saw how to configure it. You can think of it as IP-based control: you provide the CIDR range and you allow or deny. I can click here; it says all IPs. I can say Edit, and let me go ahead and create a new, second policy.
Okay, my second policy. Next, I can add a condition like: I want to restrict communication from this CIDR range; I say deny with Forbidden, I can configure it as preview mode only, and I define the priority. Done, Create Policy. So you have this policy with which you can either allow or deny. We saw how to blacklist a CIDR range. You can also whitelist, the same way we blacklisted some of these ranges. So I went ahead and created the whitelist as a third policy; it says allow, and in the next step I add a rule called “web traffic” that allows the whole 220.0.0.0/8 range.
Okay, I’ll say allow traffic, priority 200, Done, Create Policy. Got it, right? So you can have different types of policies, blacklist and whitelist. That’s Cloud Armor, guys. If you have any questions on Cloud Armor, let me know. Otherwise you can move to the next lecture. Thank you.
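Added example (not part of the lecture, and not Google’s code): a simulation of how a Cloud Armor security policy is evaluated at the load balancer edge, covering what the demo above did by hand: many rules in one policy, priority order, CIDR matching, deny with a chosen status code, preview mode, and a blacklist versus a whitelist. The evaluation model is an assumption: rules are checked from the lowest priority number upward, every policy ends with a default rule at priority 2147483647, a rule in preview mode is only logged and evaluation continues to the next rule, and all addresses and policies are constructed.

```python
# Added example, not the course's or Google's code. Simulates Cloud Armor
# security policy evaluation. Assumptions: lowest priority number first; a
# default rule at 2147483647 ends every policy; preview rules are logged, not
# enforced; deny responses are 403, 404 or 502; all data below is constructed.
import ipaddress
from dataclasses import dataclass

DEFAULT_RULE_PRIORITY = 2147483647
DENY_STATUSES = {403, 404, 502}


@dataclass
class ArmorRule:
    priority: int
    src_ip_ranges: list          # CIDRs; ["*"] matches every client
    action: str                  # "allow" or "deny"
    deny_status: int = 403       # only used when action == "deny"
    preview: bool = False
    description: str = ""

    def __post_init__(self):
        if self.action == "deny" and self.deny_status not in DENY_STATUSES:
            raise ValueError(f"deny status must be one of {sorted(DENY_STATUSES)}")

    def matches(self, client_ip):
        if "*" in self.src_ip_ranges:
            return True
        ip = ipaddress.ip_address(client_ip)
        return any(ip in ipaddress.ip_network(cidr) for cidr in self.src_ip_ranges)


class SecurityPolicy:
    def __init__(self, name, default_action="allow", default_deny_status=403):
        self.name = name
        self.rules = [ArmorRule(DEFAULT_RULE_PRIORITY, ["*"], default_action,
                                default_deny_status, description="default rule")]

    def add_rule(self, rule):
        # Priorities are unique within a policy, so rule order is never ambiguous.
        if any(r.priority == rule.priority for r in self.rules):
            raise ValueError(f"priority {rule.priority} already used in {self.name}")
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.priority)

    def evaluate(self, client_ip):
        """Return (action, http status or None, priority of the deciding rule,
        priorities of preview rules that would have matched first)."""
        previewed = []
        for rule in self.rules:
            if not rule.matches(client_ip):
                continue
            if rule.preview:
                previewed.append(rule.priority)   # logged, not enforced
                continue
            status = rule.deny_status if rule.action == "deny" else None
            return rule.action, status, rule.priority, previewed
        raise AssertionError("unreachable: the default rule matches everything")


# Constructed policies matching the demo: a blacklist (default allow, deny a
# range) and a whitelist (default deny, allow only one range).
BLACKLIST = SecurityPolicy("my-first-cloud-armor-policy", default_action="allow")
BLACKLIST.add_rule(ArmorRule(1000, ["198.51.100.0/24"], "deny", 403,
                             description="block a known bad range"))
BLACKLIST.add_rule(ArmorRule(100, ["203.0.113.0/24"], "deny", 404, preview=True,
                             description="candidate block, preview only"))

WHITELIST = SecurityPolicy("third-policy-whitelist", default_action="deny",
                           default_deny_status=403)
WHITELIST.add_rule(ArmorRule(200, ["220.0.0.0/8"], "allow", description="web traffic"))

if __name__ == "__main__":
    print(BLACKLIST.evaluate("198.51.100.20"))   # ('deny', 403, 1000, [])
    print(BLACKLIST.evaluate("203.0.113.5"))     # ('allow', None, 2147483647, [100])
    print(WHITELIST.evaluate("8.8.8.8"))         # ('deny', 403, 2147483647, [])
```

Two things the simulation makes concrete: a whitelist only works if the default rule is deny, otherwise the allow rule at priority 200 changes nothing; and a preview rule lets you see which clients a new block would hit (the fourth element of the result) before it starts returning errors to real users.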
- 5.3 Configuring third-party device insertion into VPC using multi-nic (NGFW)
Configuring third-party device insertion into a VPC using multiple network interfaces. Virtual machines on Google Cloud Platform support multiple NICs, each attached to a different VPC network, which is what lets a virtual appliance sit between networks. I’m just giving you an example of how you can insert one; I’m not going to get into the details of actually launching it. As an example, Barracuda firewalls: you can launch the instance; let me go here, Resources, Deploy pre-built solutions, and this is the Barracuda firewall as an example. You can take this and launch it. This one is $37 per month, and you can bring your own license. So you can inject all these kinds of third-party devices into Google Cloud Platform because your virtual machine supports multiple NICs, and as an example here you can use the Barracuda firewall.
Probably you are using it on premises, and that’s how you want to use it in Google Cloud Platform as well; you can do that. And that’s it, guys. I do not have any other example to explain it to you. As far as third-party device insertion goes, there are definitely multiple options you can explore if you want to do it, but that is the concept in a nutshell, okay? If you have any questions on this, you can let me know. Otherwise, you can move to the next lecture. Thank you.
- 5.4 Managing keys for SSH access
Managing keys for SSH access. Let’s get into the details of SSH keys. This is not a new topic; the majority of us know what SSH keys are, right? An SSH key is used to connect to VM instances in GCE, or to any service that has SSH access. Compute Engine automatically manages SSH keys for you when you connect from the console or with gcloud, but you can manage the keys yourself. As an advanced user you will need to manage them very carefully, because losing the private key may take away your access to that instance.
So keep that in mind. An SSH key pair has a public key as well as a private key. The private key is your own and stays with you; the public key is what gets configured onto your instances, and using the private key you connect to your Compute Engine VM. There are multiple methods to manage SSH key metadata: you can use the console, the gcloud command, or the APIs to manage it programmatically. Steps to add a user: if you look at how you add a user to a virtual machine, you create a new SSH key pair if the user does not already have one for Google Cloud Platform; if the user is already there and has an SSH key, you just add that public key to the metadata as an authorized key so that the user can access the instance.
You can add, edit, remove and apply an expiration time to an SSH key, which you can think of as an additional thing for the users: if a user is no longer working with your company, or in the cloud environment or in your department, you just remove it. You can apply an expiration time if the user is due to leave, say on Friday or something like that, right? All of this is managing your SSH keys in Google Cloud Platform. How you apply the keys: you use public key metadata to add and remove users. Adding and removing project-wide keys, you can do together. Let me go back here. As I said, you go to Compute Engine, Metadata, and the SSH Keys tab. These are the SSH keys you have; I’m just going to remove them so I can show it to you. You can edit those; I can just say delete, delete, right? Delete.
Or you can add additional keys if you want, and you can even give a name for that particular key. Okay? So you can manage it project-wide. You can use the gcloud command `gcloud compute project-info describe`, and you will see the SSH keys under the metadata as the `ssh-keys` item: the username, a colon, and the public key value for that username. Alternatively you can use `gcloud compute project-info add-metadata --metadata-from-file ssh-keys=PATH`, where PATH is the file that holds your public key entries. I’m not going to give you a demo.
It is a very basic thing to handle. If I go back to the instance level, in Create New Instance under Security, this is where you can block project-wide SSH keys if you want to: if that instance handles sensitive data, you can use your own keys for it and attach the instance-level key here. Okay? And that’s it, guys. SSH keys are a very basic topic, but you need to understand how you manage them. Using the gcloud command you can attach and view SSH keys, and using the console you can add and remove them. That’s it for this section, guys. If you have any questions, let me know. Otherwise you can move to the next lecture. Thank you.
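Added example (not part of the lecture, and not Google’s tooling): a parser and editor for the value of the Compute Engine `ssh-keys` metadata item that the console SSH Keys tab, `gcloud compute project-info describe` and `gcloud compute project-info add-metadata --metadata-from-file ssh-keys=PATH` read and write. It covers the operations listed above: adding a key, removing a departed user, setting an expiration time, and blocking project-wide keys on a sensitive instance. Each line has the form `USERNAME:KEY_TYPE KEY_DATA [COMMENT]`, and an expiring key carries the comment `google-ssh {"userName": "...", "expireOn": "..."}`, which the guest environment honours by removing the key after `expireOn`. The key material is a constructed placeholder, not a real key, and the current time is passed in by the caller rather than read from the clock so the behaviour is reproducible.

```python
# Added example, not the course's or Google's code. Parses and edits the
# Compute Engine `ssh-keys` metadata value. Assumptions: key data below is a
# constructed placeholder; `now` is supplied by the caller; the expiry format is
# the documented google-ssh JSON suffix with a %Y-%m-%dT%H:%M:%S%z timestamp.
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

EXPIRE_FORMAT = "%Y-%m-%dT%H:%M:%S%z"


@dataclass
class SshKeyEntry:
    username: str
    key_type: str
    key_data: str
    comment: str = ""
    expire_on: Optional[datetime] = None

    def line(self):
        tail = f" {self.comment}" if self.comment else ""
        return f"{self.username}:{self.key_type} {self.key_data}{tail}"

    def is_active(self, now):
        return self.expire_on is None or now < self.expire_on


def parse_ssh_keys(value):
    entries = []
    for raw in value.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        username, sep, rest = raw.partition(":")
        if not sep:
            raise ValueError(f"missing username in ssh-keys entry: {raw!r}")
        parts = rest.split(None, 2)          # key type, key data, optional comment
        if len(parts) < 2:
            raise ValueError(f"malformed public key in entry for {username}")
        comment = parts[2] if len(parts) == 3 else ""
        expire_on = None
        if comment.startswith("google-ssh "):
            meta = json.loads(comment[len("google-ssh "):])
            expire_on = datetime.strptime(meta["expireOn"], EXPIRE_FORMAT)
        entries.append(SshKeyEntry(username, parts[0], parts[1], comment, expire_on))
    return entries


def render(entries):
    return "".join(e.line() + "\n" for e in entries)


def add_key(value, username, public_key, expire_on=None):
    """Append a public key for username; with expire_on, emit the google-ssh
    suffix so the key is removed automatically at that time."""
    key_type, key_data = public_key.split()[:2]
    comment = ""
    if expire_on is not None:
        meta = {"userName": username, "expireOn": expire_on.strftime(EXPIRE_FORMAT)}
        comment = "google-ssh " + json.dumps(meta, separators=(",", ":"))
    entries = parse_ssh_keys(value)
    entries.append(SshKeyEntry(username, key_type, key_data, comment, expire_on))
    return render(entries)


def remove_user(value, username):
    """Revoke access for a departed user by dropping every key under that username."""
    return render([e for e in parse_ssh_keys(value) if e.username != username])


def authorized_users(project_value, instance_value, block_project_ssh_keys, now):
    """Usernames that can log in to an instance: its own keys always count, the
    project-wide keys only when block-project-ssh-keys is not set; expired keys
    are ignored."""
    entries = parse_ssh_keys(instance_value)
    if not block_project_ssh_keys:
        entries += parse_ssh_keys(project_value)
    return {e.username for e in entries if e.is_active(now)}


# Constructed sample metadata (placeholder key data, not real keys).
PROJECT_KEYS = (
    "alice:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCexample1 alice@laptop\n"
    "bob:ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample2 "
    'google-ssh {"userName":"bob@example.com","expireOn":"2024-06-28T17:00:00+0000"}\n'
)
INSTANCE_KEYS = "carol:ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCexample3 carol@ops\n"
BEFORE_EXPIRY = datetime(2024, 6, 28, 12, 0, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2024, 6, 29, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(authorized_users(PROJECT_KEYS, INSTANCE_KEYS, False, BEFORE_EXPIRY))  # {'alice', 'bob', 'carol'}
    print(authorized_users(PROJECT_KEYS, INSTANCE_KEYS, True, BEFORE_EXPIRY))   # {'carol'}
    print(remove_user(PROJECT_KEYS, "alice"), end="")
```

To apply an edited value, write `render(...)` to a file and push it with `gcloud compute project-info add-metadata --metadata-from-file ssh-keys=PATH`; note that this replaces the whole `ssh-keys` value, which is why the functions above always re-parse and re-render the full list rather than appending a single line.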