Overview

In this lab, you secure Compute Engine workloads using BeyondCorp Enterprise’s Identity-Aware Proxy (IAP) to restrict traffic based on identity.

IAP is a feature of BeyondCorp Enterprise, Google Cloud's zero-trust solution that enables an organization's workforce to access web applications securely from anywhere, without the need for VPN and without fear of malware, phishing, and data loss.

This lab provisions a web-based integrated development environment (IDE) that you will restrict access to by enabling zero-trust configuration.

Objectives

In this lab, you learn how to perform the following tasks:

• Configure OAuth Consent.
• Set up OAuth access credentials.
• Set up IAP access for the deployed application.
• Use IAP to restrict access to the application.

Setup and requirements

Before you click the Start Lab button

Note: Read these instructions.

Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This Qwiklabs hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

What you need

To complete this lab, you need:

• Access to a standard internet browser (Chrome browser recommended).
• Time to complete the lab.

Note: If you already have your own personal Google Cloud account or project, do not use it for this lab. Note: If you are using a Pixelbook, open an Incognito window to run this lab.

How to start your lab and sign in to the Console

1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is a panel populated with the temporary credentials that you must use for this lab.

   

2. Copy the username, and then click Open Google Console. The lab spins up resources, and then opens another tab that shows the Choose an account page.

   Note: Open the tabs in separate windows, side-by-side.

3. On the Choose an account page, click Use Another Account. The Sign in page opens.

   

4. Paste the username that you copied from the Connection Details panel. Then copy and paste the password.

Note: You must use the credentials from the Connection Details panel. Do not use your Google Cloud Skills Boost credentials. If you have your own Google Cloud account, do not use it for this lab (avoids incurring charges).

5. Click through the subsequent pages:

• Accept the terms and conditions.
• Do not add recovery options or two-factor authentication (because this is a temporary account).
• Do not sign up for free trials.

After a few moments, the Cloud console opens in this tab.

Note: You can view the menu with a list of Google Cloud Products and Services by clicking the Navigation menu at the top-left.

Activate Google Cloud Shell

Google Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on the Google Cloud.

Google Cloud Shell provides command-line access to your Google Cloud resources.

1. In Cloud console, on the top right toolbar, click the Open Cloud Shell button.

   

2. Click Continue.

It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. For example:

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

• You can list the active account name with this command:

gcloud auth list

Output:

Credentialed accounts: - @.com (active)

Example output:

Credentialed accounts: - google1623327_student@qwiklabs.net

• You can list the project ID with this command:

gcloud config list project

Output:

[core] project =

Example output:

[core] project = qwiklabs-gcp-44776a13dea667a6 Note: Full documentation of gcloud is available in the gcloud CLI overview guide .

Task 1. Create a Compute Engine template

In this task you create an instance template. This is a resource that you use to create virtual machine (VM) instances and managed instance groups (MIGs).

1. In the Google Cloud console, in the Navigation menu (), click Compute Engine > Instance templates.

2. Click Create Instance Template.

3. On the Create an instance template page, specify the following, and leave the remaining settings as their defaults:

Property	Value
Location	Global
Series	E2
Machine type	e2-micro (2 vCPU)
Access scopes	Set access for each API
Access scopes > Compute Engine	Read Only
Firewall	Allow HTTP traffic

4. Click Advanced options.

5. Click Management.

6. In Automation > Startup script, copy and paste the following script:

# Copyright 2021 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License.# You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. sudo apt-get -y update sudo apt-get -y install git sudo apt-get -y install virtualenv git clone https://github.com/GoogleCloudPlatform/python-docs-samples cd python-docs-samples/iap virtualenv venv -p python3 source venv/bin/activate pip install -r requirements.txt cat example_gce_backend.py | sed -e "s/YOUR_BACKEND_SERVICE_ID/$(gcloud compute backend-services describe my-backend-service --global --format="value(id)")/g" | sed -e "s/YOUR_PROJECT_ID/$(gcloud config get-value account | tr -cd "[0-9]")/g" > real_backend.py gunicorn real_backend:app -b 0.0.0.0:80

7. Click Create.

It takes a few moments to create your instance template.

Task 2. Create a managed instance group

In this task you create a managed instance group (MIG), a collection of virtual machine (VM) instances that you manage as a single entity.

1. In the Google Cloud console, in the Navigation menu (), click Compute Engine > Instance groups.

2. Click Create Instance Group.

3. Click New managed instance group (stateless) from the left-hand menu.

4. On the New managed instance group (stateless) page, specify the following, and leave the remaining settings as their defaults:

Property	Value
Name	my-managed-instance-group
Instance template	Select the instance template you created in Task 1.
Location	Multiple zones
Region	us-central1 (Iowa)
Autoscaling > Autoscaling mode	Off: do not autoscale
Number of instances	To change the number of instances, you must first turn off autoscaling; see below. When this is done, set the maximum number value to 3.

Note: Do not forget to set the number of instances after you change the autoscaling mode.

5. Click Create.

It will take a few minutes to create the MIG.

Task 3. Create a Google Cloud self-managed SSL certificate resource

In this task you create a private key, a certificate, and then a self-managed SSL certificate resource. Before you can create a Google Cloud SSL certificate resource, you must have a private key and certificate.

A Google Cloud SSL certificate includes both a private key and the certificate itself, both in PEM format.

Self-managed SSL certificates are certificates that you obtain, provision, and renew yourself. You use this resource to secure communication between clients and your load balancer, which you create in the next task.

Create a private key and certificate

1. On the Google Cloud console title bar, click Activate Cloud Shell (). If prompted, click Continue.

2. To create a new private key with RSA-2048 encryption in the PEM format OpenSSL, run the following command:

openssl genrsa -out PRIVATE_KEY_FILE 2048

Create a CSR

Generate a certificate signing request (CSR) in the PEM format using OpenSSL.

1. Click Open Editor. If prompted, click Open in a new window.

2. In Cloud Shell Editor, click the menu and select File > New File.

3. For the filename, type ssl_config, and press enter.

4. Ensure the create file location is shown as /home > student-XX-XXXXXXXXX/ssl_config and then click OK.

5. Copy and paste the following configuration into the Cloud Editor window:

[req] default_bits = 2048 req_extensions = extension_requirements distinguished_name = dn_requirements prompt = no [extension_requirements] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment [dn_requirements] countryName = US stateOrProvinceName = CA localityName = Mountain View 0.organizationName = Cloud organizationalUnitName = Example commonName = Test

6. Click the menu and select File > Save.

7. Return to the previous tab. You may have to click Open Terminal to resume your Cloud Shell session.

8. To create a certificate signing request (CSR) file, run the following OpenSSL command:

openssl req -new -key PRIVATE_KEY_FILE \ -out CSR_FILE \ -config ssl_config

Sign the CSR

When a Certificate Authority (CA) signs your CSR, it uses its own private key to create a certificate.

• To create a self-signed certificate for testing, run the following OpenSSL command:

openssl x509 -req \ -signkey PRIVATE_KEY_FILE \ -in CSR_FILE \ -out CERTIFICATE_FILE.pem \ -extfile ssl_config \ -extensions extension_requirements \ -days 365

Create a self-managed SSL certificate resource

Before you can create a Google Cloud SSL certificate resource, you must have a private key and certificate.

1. To create a global SSL certificate, use the gcloud compute ssl-certificates create command with the --global flag:

gcloud compute ssl-certificates create my-cert \ --certificate=CERTIFICATE_FILE.pem \ --private-key=PRIVATE_KEY_FILE \ --global

2. In the Authorize Cloud Shell prompt, click Authorize.

Task 4. Create a load balancer

In this task you create a load balancer. HTTP(S) Load Balancing is implemented on Google Front End (GFE). GFEs are distributed globally and operate together using Google's global network and control plane.

To set up a load balancer, your VMs must be in an instance group, which you created in the previous tasks.

1. In the Google Cloud console, in the Navigation menu (), click on View All Products and click Network services > Load balancing.

2. Click Create Load Balancer.

3. Under Application Load Balancer (HTTP/S), click Next.

4. Under Under Public facing or internal only, select Public facing (external), click Next.

5. Under Global or single region deployment, select Best for global workloads, click Next.

6. Under Load balancer generation, select Global external Application Load Balancer, click Next.

7. Click Configure.

8. For Load Balancer Name, type my-load-balancer.

9. Click Backend Configuration > Backend services & backend buckets > Create a Backend Service.

10. On the Create backend service panel, for Name, type my-backend-service.
    You must use the exact name my-backend-service. If you use a different name, the startup script on your VMs won't be able to find the correct Backend Service ID to authenticate requests.

11. In New backend, specify the following, and leave the remaining settings as their defaults:

Property	Value
Instance group	my-managed-instance-group
Port Numbers	80

8. Uncheck Enable Cloud CDN.

9. In Health check, click Create a Health Check.

10. For Name, type my-health-check.

11. For Protocol, select HTTP.

12. Click Save.

13. Click Create.

The Create global external Application Load balancer pane reappears.

14. Click Frontend configuration. Specify the following, and leave the remaining settings as their defaults:

Property	Value
Protocol	Https (includes HTTP/2 and HTTP/3)
IP address	Click Ephemeral, and then select Create IP address
Name	Type static-ip, and then click Reserve.
Certificate	my-cert

15. Click Done.

The Create global external Application Load balancer pane reappears.

16. In Create global external Application Load Balancer, click Create.

The Load balancing page appears and your new load balancer will be created in the list of load balancers.

17. When the Cloud console finishes creating the new load balancer, click the name of the load balancer and note the external IP address under Details > Frontend. You will need it in task 7.

Task 5. Restart your VMs

In this task you restart the VMs in your MIG so that they can correctly authenticate requests from IAP.

1. In the Google Cloud console, in the Navigation menu (), click Compute Engine > Instance groups.

2. Click my-managed-instance-group.

3. Click Restart/Replace VMs.

4. For Operation, click Restart.

5. For Instances, type 3

6. For Minimum wait time, type 0

7. Click Restart VMs.

Task 6. Set up IAP

Configure your firewall

In this task you configure your firewall to block access to the underlying VMs and only allow access through IAP.

1. In the Google Cloud console, in the Navigation menu (), click VPC network > Firewall.

2. Select the default-allow-internal checkbox.

3. Click Delete, and then select Delete to confirm it.

4. Click Create Firewall Rule. Specify the following, and leave the remaining settings as their defaults:

Property	Value
Name	allow-iap-traffic
Targets	All instances in the network
Source IPv4 ranges	130.211.0.0/22, 35.191.0.0/16 (Press Enter after you paste each value in the box)
Protocols and ports	Specified protocols and ports
TCP	80

5. Click Create.

Set up IAP

In this step you set up IAP for your project.

1. In the Google Cloud console, in the Navigation menu (), click Security > Identity-Aware Proxy.

2. Click Enable API.

3. Click Go to Identity Aware Proxy.

4. Click Configure Consent Screen.

Caution: Don't enter any confidential information on the OAuth consent screen. Any information you save to the OAuth consent screen may be publicly visible for anyone who accesses your URL. Email and product details are displayed on the login screen and when someone tries to access a resource for which they don't have permission.

5. Click GET STARTED.

6. In App name , type IAP.

7. In User support email, select the student account. This has the value of student-00-*****@qwiklabs.net and then click NEXT.

8. For Audience select External , then click NEXT.

9. For Contact information, copy and paste the student account Username from the lab window. This matches the value in the previous step.

10. Click NEXT then check the box to agree to the user data policy. Finally, click Create.

11. Next, go back to the first browser tab.

To change information on the OAuth consent screen later, such as the product name or email address, repeat the preceding steps to configure the consent screen.

11. In the Google Cloud console, in the Navigation menu (), click Security > Identity-Aware Proxy.

12. Next to my-backend-service, toggle the on/off switch in the IAP column.

13. In the Turn on IAP dialog, select the checkbox to confirm you have read the configuration requirements.

14. Click Turn On.

Note: If you see an error, click on the error. If you are then prompted to add a firewall rule, edit the rule you created previously to include the port number mentioned in the error. Confirm that OAuth Consent has been set up.

Add principals to the access list

In this step you add principals to the IAP access list for your project.

1. In Identity-Aware Proxy, select the my backend-service checkbox.

2. Click Add Principal.

3. To grant access to yourself, in New Principals, copy and paste your qwiklabs Username from the lab credentials pane.

4. Select the Role of Cloud IAP > IAP-secured Web App User.

5. Click Save.

Confirm principal to access the application by configuring IAM.

Task 7. Test IAP

In the task, you run a curl command to test access your external load balancer, and then verify that it is protected by IAP.

1. In the Google Cloud console, in the Navigation menu (), click on View All Products and click Network services > Load balancing.

2. Click Frontends.

3. On the Google Cloud console title bar, click Activate Cloud Shell (). If prompted, click Continue.

4. Run the following curl command, replacing Load Balancer External IP address with the External IP address of your load balancer:

curl -kvi https://<Load Balancer External IP address> Note: If an IAP generated response that is true is displayed, you have successfully configured IAP for your Compute Engine instance.

5. Scroll up the console page and locate the Http/2 302 redirection to accounts.google.com.

6. Click on the location link.

The link opens to the Google account integrated authentication page.

Note: Because you used a self-signed cert, you cannot access the application itself. However, this confirms that IAP is configured and is protecting traffic. Confirm restrict access with IAP.

Congratulations!

You have successfully used IAP to secure a web application running on a Compute Engine instance.

In this lab, you learned how to:

• Create an instance template.
• Create an instance group.
• Create a self-signed certificate.
• Create a load balancer.
• Configure an Oauth consent screen.
• Grant access to the application using IAP.

End your lab

When you have completed your lab, click End Lab. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

• 1 star = Very dissatisfied
• 2 stars = Dissatisfied
• 3 stars = Neutral
• 4 stars = Satisfied
• 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.