Google Cloud provider behavior with firewall rules

[boredabdel]

I was trying out devpod today with Google Cloud as a Backend provider. And I noticed a default potentially unsecure behavior

The provider assumes a firewall rule that allows incoming ssh connections. This is a valid assumption because for new projects an allow-all SSH ingress rule is present [1]

Now this is the default behavior but not the recommended one. Typically for safety reasons we recommand users to remove these default firewall rules. The reason is simply because any VM that has a Public IP will be by default open to the Internet on SSH (authentication via password is disabled, only ssh authn is enabled on the VM images provided by Google cloud)

The recommended way is to use Identity Aware Proxy (IAP) Port Forwarding (aka Tunneling) [2]. With IAP Tunneling users have to configure a single Firewall rule for the entire project (they can use network tags to restrict it to specific vm's) and use IAM to grant Access to users. This method has two advantages:

• You don't need a wide open firewall rule. The rule required for IAP opens up only to Google Proxies which are controller by IAM.
• VM's don't need a Public IP. So users will save money as Public IP's cost money [3]

The catch is that to connect to a VM using IAP you need to pass a flag to gcloud --tunnel-through-iap. I tried to remove the default firewall rules. Configure IAP and try out devpod but it doesn't work. The client doesn't seem to have a way to pass extra flags!

[1] https://cloud.google.com/firewall/docs/firewalls#more_rules_default_vpc [2] https://cloud.google.com/iap/docs/using-tcp-forwarding#preparing_your_project_for_tcp_forwarding [3] https://cloud.google.com/vpc/pricing

[pascalbreuninger]

Hi @boredabdel, thanks a lot for opening the issue.

If I understood correctly this is a matter of changing the defaults we currently have in the gcloud provider when creating new instances. Setting the PUBLIC_IP_ENABLED option to false should already use IAP tunneling to access the instance.

[boredabdel]

Yes but not enough. Setting the PUBLIC_IP_ENABLED will only disable the Public IP. For IAP you still need to add a firewall rule https://cloud.google.com/iap/docs/using-tcp-forwarding#preparing_your_project_for_tcp_forwarding

[pascalbreuninger]

Fair enough. So far we've shied away from altering your whole project when creating a workspace to avoid unintended side effects. From my point of view there are two improvements we can make:

1. Add setup steps for IAP in the README - will do anyway
2. Warn users explicitly when turning this option on that we're going to make adjustments to their project

[boredabdel]

I completely understand that you want to keep the client as a agnostic as possible.

1 - That would be great 2 - You don't have to make the changes. If it's possible to prompt the user with instructions or a link to the doc when they turn on private instance on that would be enough!