GCP Jumpbox
(7 min read)
Last updated
Accessing a private Cloud SQL instance securely is a common challenge when working with cloud-based infrastructure. Direct database exposure to the internet is risky, which is why using a jumpbox (bastion host) to access a database in a private subnet is a standard practice.
This guide explains how to set up and use an SSH tunnel through a jumpbox to connect to a private Cloud SQL instance in Google Cloud. By following these steps, you can securely manage your database while keeping it protected within a private network.
Go to the VM instances section on GCP and click on Create instance.
You can use the default machine type (2 vCPU, 4 GB); there is no need to edit the default machine configuration.
For each client you need to grant access to the jumpbox, add their public SSH key in the Managed Access section of the Security tab.
Make sure to always add SSH keys through the GCP UI or CLI only. Adding them by editing .ssh/authorized_keys directly on the VM instance is not reliable, because GCP automatically overwrites this file on a regular basis.
Click on Create.
Connect to the jumpbox through SSH. The SSH user you need to connect with is the user named in your SSH key. For example, if your public SSH key is of the form ssh-rsa xxxx hello@example.com, then you should connect using ssh hello@<jumpbox-public-ip>. The public IP, also called the external IP on GCP, is displayed on the main page of the VM service.
Retrieve your Cloud SQL database private IP in the Cloud SQL service, on the main page of the database configuration. If you do not yet have a private IP allocated, you need to edit the DB and set up Private Services Access, which is straightforward; you can keep the default suggested configuration.
On the VM, test that the DB is reachable by executing the following, where db_port is:
5432 for Postgres
3306 for MySQL
1433 for SQL Server
You should receive the following message:
If you only see "Trying <db_private_ip>..." and nothing else, the DB is not reachable. Check that you are using the right private IP and the right port, and that there is a route from the subnet of the jumpbox to the subnet of the DB.
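The reachability test and the SSH tunnel described above, as an added shell example that is not the original guide's command. It uses bash's built-in /dev/tcp redirection to attempt a TCP handshake from the jumpbox to the DB private IP, maps the engine names to the ports listed in the guide, and builds the client-side port-forward command that carries database traffic through the jumpbox. All IPs, the SSH user and the local port 15432 are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide. The jumpbox user/IP, the
# Cloud SQL private IP and the local port below are constructed placeholders.
set -u

# Default ports per engine, exactly as listed in the guide.
db_port_for() {
  case "$1" in
    postgres)  echo 5432 ;;
    mysql)     echo 3306 ;;
    sqlserver) echo 1433 ;;
    *) echo "unknown engine: $1" >&2; return 2 ;;
  esac
}

# Return 0 if a TCP handshake to HOST:PORT completes within TIMEOUT seconds,
# 1 if the connection is refused or hangs (the "Trying <ip>..." case in the
# guide), 2 on a malformed port. Run this ON the jumpbox against the DB's
# private IP; a refused or hanging connection means IP, port or routing is wrong.
tcp_reachable() {
  local host="$1" port="$2" timeout_s="${3:-5}"
  case "$port" in ''|*[!0-9]*) return 2 ;; esac
  # The redirection is bash-specific, so it is run in an explicit bash -c.
  if command -v timeout >/dev/null 2>&1; then
    timeout "$timeout_s" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || return 1
  else
    bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || return 1
  fi
  return 0
}

# Build the client-side port-forward: connections to localhost:LOCAL_PORT on
# the client are carried over SSH to DB_IP:DB_PORT, so the database itself
# never needs a public IP. -N opens no remote shell, only the forward.
tunnel_cmd() {
  local ssh_user="$1" jumpbox_ip="$2" db_ip="$3" db_port="$4" local_port="${5:-15432}"
  printf 'ssh -N -L %s:%s:%s %s@%s\n' "$local_port" "$db_ip" "$db_port" "$ssh_user" "$jumpbox_ip"
}

# Demo with constructed values: ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  port="$(db_port_for postgres)"
  if tcp_reachable 10.20.0.5 "$port" 5; then
    echo "DB reachable on 10.20.0.5:$port"
  else
    echo "DB NOT reachable on 10.20.0.5:$port (check private IP, port, routing)"
  fi
  echo "On the client, run: $(tunnel_cmd hello 203.0.113.7 10.20.0.5 "$port")"
  echo "then point your DB client at localhost:15432"
fi
```

With the tunnel open, the database client on the workstation connects to localhost:15432 and the SSH session forwards that traffic from the jumpbox to the private IP; nothing in the path requires the DB to be exposed to the internet.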
Whitelist your VM to add an additional layer of security by allowing only a limited list of IPs to SSH into your jumpbox. For this, go to the Firewall policies service and create a new firewall rule.
Select the network / VPC where the jumpbox runs.
Whitelist the public IP of the client you want to grant access to the jumpbox. You need to specify the following:
Priority: 0 (highest priority)
Traffic direction: Ingress
Action on Match: Allow
Source IPv4 ranges: <client_public_ip_to_whitelist>/32
Destination IPv4 filter: <jumpbox_private_ip>/32
Allow access only through SSH. The default port for SSH connections is 22, and it is the one to whitelist. Deny connections to any other port, i.e. through any other protocol. Once this is done you can click on Create.
Now that we have allowed access to the jumpbox from the client public IP, we need to block traffic coming from all other IPs. We will create another rule to block traffic to that instance from any other IP, using the same network as in the last step. This time we will set the priority to 1, which means this rule has a lower priority than the firewall rule created previously.
Deny access for the following source IPv4 range: 0.0.0.0/0
Make sure to deny all protocols and ports. You can then click on Create to confirm the creation of the firewall rule.
Now we need to test that the jumpbox is reachable only from the client(s) you granted access to. For this, try to SSH from other clients; the request should time out.
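The same two firewall rules, as an added gcloud example that is not part of the original guide. It assumes the jumpbox VM carries the network tag jumpbox (a tag stands in for the UI's destination IPv4 filter, so the rule keeps following the VM if its private IP changes), that the VPC is named main-vpc, and that the client IP is a constructed placeholder; the script validates the client IP before turning it into a /32 so a typo cannot produce a rule that allows more than intended. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/usr/bin/env bash
# Added example, not from the original guide. Assumed: network tag "jumpbox"
# on the VM, VPC "main-vpc", and a constructed client IP. Set DRY_RUN=1 to
# print the gcloud commands instead of running them.
set -u
set -f   # no globbing is needed anywhere in this script
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a dotted-quad IPv4 address (four decimal octets, each 0-255);
# anything else, including an address that already carries a /32, is rejected.
valid_ipv4() {
  local ip="$1" octet
  local IFS=.
  set -- $ip
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Rule 1, priority 0 (highest): allow TCP/22 only from one client /32
# to instances tagged as the jumpbox.
allow_client_ssh() {
  local network="$1" client_ip="$2" tag="${3:-jumpbox}"
  if ! valid_ipv4 "$client_ip"; then
    echo "not an IPv4 address: $client_ip" >&2
    return 2
  fi
  run gcloud compute firewall-rules create jumpbox-allow-ssh-client \
    --network="$network" --direction=INGRESS --priority=0 \
    --action=ALLOW --rules=tcp:22 \
    --source-ranges="${client_ip}/32" --target-tags="$tag"
}

# Rule 2, priority 1 (evaluated after rule 1): deny every protocol and port
# from any source to the jumpbox. This also overrides the permissive
# default-allow-ssh rule (priority 65534) that exists in a default VPC.
deny_all_other() {
  local network="$1" tag="${2:-jumpbox}"
  run gcloud compute firewall-rules create jumpbox-deny-all \
    --network="$network" --direction=INGRESS --priority=1 \
    --action=DENY --rules=all \
    --source-ranges=0.0.0.0/0 --target-tags="$tag"
}

# Usage with constructed values: DRY_RUN=1 ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  allow_client_ssh main-vpc 203.0.113.10
  deny_all_other main-vpc
fi
```

After both rules exist, an SSH attempt from any address other than the whitelisted /32 matches only the priority-1 deny rule and never completes the TCP handshake, which is the timeout the guide tells you to expect when testing from another client.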
If there is anything we can help with, feel free to ping us at hello@stacksync.com, we're happy to help!
Congrats, you have just allowed an external client to securely access your private Cloud SQL DB.