
Posts

Showing posts with the label GCP

How to forward the real client IP to a webserver NGINX behind a GCP Load Balancer

Purpose: We want to protect the origin server from being hit directly over the internet, so we make sure that only the CDN/WAF can connect to the backend. This is also known as Origin Protection.

Scenario: https://www.indusface.com/blog/fundamentals-of-origin-server-protection/

CDN+WAF ----> GCP Load Balancer ----> VM (Nginx)

Solution: Modify the Nginx configuration (Nginx comments use #; the values below are placeholders):

    ...
    location / {
        allow 100.100.100.0/24;   # Change to the CDN/WAF source range that connects to the backend
        deny all;
    }
    ...
    set_real_ip_from 1.1.1.1/32;       # Change to your LB public IP address
    set_real_ip_from 130.211.0.0/22;   # IP range used by GCP load balancers
    set_real_ip_from 35.191.0.0/16;    # IP range used by GCP load balancers
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    ...

Save and restart the service.

Check the logs:

    tail -f /var/log/nginx/access.log
    tail -f /var/log/nginx/error.log

If a client on the internet hits the load balancer IP directly, it will be blocked by Nginx (403 Forbidden); you should see

Creating a VPC and VM in GCP with gcloud Commands

Creating the VPC network. A VPC is an isolated network for each customer. A GCP VPC network can span regions; inside it you can create a subnetwork for each region, and it has a firewall that can be configured to control or restrict traffic to the resources inside the VPC, such as instances.

create-network.sh

    #!/bin/bash
    # Set your GCP project ID
    project_id="your-project"
    # Set the VPC network name
    vpc_name="your-global-vpc-network"
    # Function to create a subnet
    create_subnet() {
      local subnet_name=$1
      local ip_range=$2
      local region=$3
      gcloud compute networks subnets create "$subnet_name" \
        --network "$vpc_name" \
        --range "$ip_range" \
        --region "$region"
    }
    # Set the project
    gcloud config set project "$project_id"
    # Create the VPC network
    echo "y" | gcloud compute networks create "$vpc_name" --subnet-mode custom --project="$project_id"
    # Vars
    subnet_name="your-subnetwork1"
    ip_range="10.1.1.0/24"
    region="asia-south

How to SSH into a Google Cloud Virtual Machine Without a Public IP

Okay, this time I will share how to SSH into a Virtual Machine in Google Cloud without a public IP, using the Google IAP feature. You can read about what Google IAP is here: https://cloud.google.com/iap/docs/concepts-overview. The concept of Cloud IAP is like TCP forwarding; this tutorial focuses on concise steps to make it easy to practice, so let's get straight to it. Beforehand, make sure you try this somewhere other than a production server; create a VM for a POC first.

Grant permissions to the user who wants access through IAP with the following roles:

- Compute OS Admin Login
- IAP-secured Tunnel User
- Service Account User

If the Virtual Machine you created already has an external IP address, you can remove it first.

Then create a firewall rule to allow the Google Cloud IAP network:

    gcloud compute firewall-rules create allow-ssh-ingress-from-iap \
      --direction=INGRESS \
      --action=allow \
      --rules=tcp:22 \
      --source-ranges=35.235.240.0/20 \
      --network=bagusss

How to create a NAT gateway in the Google Cloud

One of the interesting network topics is NAT. NAT gives clients/servers on a local network access to the internet without exposing those internal clients/servers directly to the internet, which is very useful. So, without further ado, let's check out this command.

Create the router:

    gcloud compute routers create cloudnat-us-central1 --project=essential-graph-385114 --region=us-central1 --network=vpc2023

Then create the NAT via this menu. Previously I had an instance inside vpc2023 without an external public IP.

It's very easy: with the above command we give internet access to the servers inside vpc2023 in the region us-central1. Please change the project, VPC name and region according to your environment. That's it, thank you.

Additional information: Cloud NAT is a distributed, software-defined managed service. It's not based on proxy VMs or appliances. Cloud NAT configures the Andromeda software that powers your Virtual Private Cloud (VPC) network

Create GCP logging to detect who last accessed an identity email containing @domain in the last 90 days

To create GCP logging that detects who last accessed an identity email containing "@bagussa.com" in the last 90 days, follow the steps below:

1. Open the GCP console and navigate to the Logging section.
2. Click on "Logs Explorer" and select the project where you want to create the logging.
3. In the query bar, enter the following query:

    resource.type="audited_resource"
    logName:"logs/cloudaudit.googleapis.com%2Factivity"
    protoPayload.authenticationInfo.principalEmail:"@bagussa.com"
    timestamp>="`date -d '-90 days' -u +%FT%TZ`"

This query filters the audit logs of audited resources in the past 90 days that contain the email address "@bagussa.com" in the authentication information. Note that the backtick expression on the timestamp line is shell command substitution: it is only expanded when the query string is built in a shell (for example when passed to gcloud logging read); in the Logs Explorer UI, replace it with a literal RFC 3339 timestamp.

4. Click on "Create Metric" and fill in the required information to create a new metric for this query.
5. Once the metric is created, you can set up an alert policy to notify you when a user accesses an identity email containi

Google Cloud Access Management

This model for access management has three main parts:

- Principal. A principal can be a Google Account (for end users), a service account (for applications and compute workloads), a Google group, or a Google Workspace account or Cloud Identity domain that can access a resource. Each principal has its own identifier, which is typically an email address.
- Role. A role is a collection of permissions. Permissions determine what operations are allowed on a resource. When you grant a role to a principal, you grant all the permissions that the role contains.
- Policy. The allow policy is a collection of role bindings that bind one or more principals to individual roles. When you want to define who (principal) has what type of access (role) on a resource, you create an allow policy and attach it to the resource.

Ref: https://cloud.google.com/iam/docs/overview

Steps to Create a Load Balancer in Google Cloud

Steps summary

A load balancer has several components that can be integrated with it, as follows:

1. Health check
2. Instance group
3. Auto scaling

To make this easier to understand, see the following diagram. This is just one example of a load balancer architecture in GCP: https://fabianlee.org/2022/03/30/gcp-global-external-https-lb-for-securely-exposing-insecure-vm-services/

Let's discuss them one by one. This tutorial keeps things simple by using an unmanaged instance group, because auto scaling is not needed yet. The types of instance groups are shown on the left in the image below; the instance group will become the pool/backend of the load balancer.

Types of instance groups

Configuration steps:

1. Create an instance
2. Create an instance group and add the instance to this group

Create the instance group:

    gcloud compute instance-groups unmanaged create instance-group-name --project=your-project --zone=us-central1-a

Create the port mapping:

    gcloud compute instance-groups unmanaged set-n