Hiding Public IP Addresses in Google Cloud with Terraform: A Step-by-Step Guide

5Min to read 0 View

In today’s interconnected world, security is paramount, especially when deploying applications in the cloud. Exposing public IP addresses can make your resources vulnerable to attacks. Google Cloud Platform (GCP) offers robust networking capabilities that, when combined with infrastructure-as-code tools like Terraform, allow you to effectively hide your public IP addresses. This ensures that your applications are only accessible through internal networks or controlled ingress points, significantly enhancing your security posture. This article provides a step-by-step guide to achieving this with Terraform.

Why Hide Your Public IP in Google Cloud? Enhanced Security

Exposing your virtual machines (VMs) or other resources directly to the internet via public IP addresses creates a direct attack surface. Hiding these IPs offers several key benefits:

  • Reduced Attack Surface: Limiting direct exposure minimizes the potential for unauthorized access.
  • Improved Security Posture: By controlling access through internal networks and proxies, you gain more control over traffic flow.
  • Compliance Requirements: Many compliance regulations require you to protect sensitive data and limit external access.

Terraform: Infrastructure as Code for GCP Networking

Terraform is a powerful tool for managing and provisioning your infrastructure as code. By defining your network configurations in Terraform, you can automate the creation and management of resources, ensuring consistency and repeatability. Using Terraform allows you to version control your infrastructure changes, making it easier to track and revert modifications.

Creating a Private Network with Terraform

The first step is to create a Virtual Private Cloud (VPC) network in GCP. This will be the foundation for your private network.


resource "google_compute_network" "private_network" {
name = "private-network"
auto_create_subnetworks = false # We'll create subnets explicitly
}

resource "google_compute_subnetwork" "private_subnet" {
name = "private-subnet"
ip_cidr_range = "10.10.0.0/24"
network = google_compute_network.private_network.id
region = "us-central1"
private_ip_google_access = true # Enable private access to Google APIs
}

Creating a VM without a Public IP

The key to hiding the public IP is to create a VM instance without assigning an external IP address. Instead, the VM will only have an internal IP address within your private subnet.


resource "google_compute_instance" "private_vm" {
name = "private-vm"
machine_type = "e2-medium"
zone = "us-central1-a"

boot_disk {

initialize_params {
image = "debian-cloud/debian-11"
}
}

network_interface {
subnetwork = google_compute_subnetwork.private_subnet.id
# No public IP here!
}

metadata_startup_script = "sudo apt-get update && sudo apt-get install -y nginx"
}

Accessing the VM: Using a Bastion Host

Since the VM has no public IP, you’ll need a way to access it. A common approach is to use a bastion host, a publicly accessible VM that acts as a jump server. The bastion host does have a public IP but is hardened and configured to only allow SSH access from specific IP ranges.


resource "google_compute_instance" "bastion_host" {
name = "bastion-host"
machine_type = "e2-micro"
zone = "us-central1-a"

boot_disk {
initialize_params {
image = "debian-cloud/debian-11"
}
}

network_interface {
subnetwork = google_compute_subnetwork.private_subnet.id
access_config {
# Bastion Host NEEDS a public IP
}
}

metadata = {
ssh-keys = "your_username:ssh-rsa AAAAB3Nz...your_public_key..."
}}

Important: Replace `your_username` and `ssh-rsa AAAAB3Nz…your_public_key…` with your actual username and public SSH key.

Creating Cloud NAT for Internet Access (Optional)

If your private VM needs to access the internet (e.g., to download packages), you can configure Cloud NAT. Cloud NAT allows your VM to initiate outbound connections to the internet without exposing a public IP address. All outbound traffic will appear to originate from a Google-managed IP address.


resource "google_compute_router" "nat_router" {
name = "nat-router"
region = "us-central1"
network = google_compute_network.private_network.id
}

resource "google_compute_router_nat" "nat_config" {
name = "nat-config"
router = google_compute_router.nat_router.name
region = "us-central1"
source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
nat_ip_allocate_option = "AUTO_ONLY"
}

Resource Description Purpose
google_compute_network Defines a VPC network. Creates the private network foundation.
google_compute_subnetwork Defines a subnetwork within the VPC. Creates a private subnet for resources.
google_compute_instance (Private VM) Creates a VM without a public IP address. Hosts the application securely.
google_compute_instance (Bastion Host) Creates a VM with a public IP address. Provides secure access to the private VM.
google_compute_router Creates a Cloud Router instance. Required for Cloud NAT.
google_compute_router_nat Configures Cloud NAT. Allows private VMs to access the internet.

FAQ ⎼ Terraform and Private IPs

Why not just use firewall rules?

Firewall rules are essential, but hiding the public IP provides an extra layer of defense. It prevents direct attacks on the VM instance itself. Firewall rules can be misconfigured, leaving vulnerabilities; hiding the IP reduces the potential attack surface.

Is Cloud NAT required?

No, Cloud NAT is optional. It’s only needed if your private VM needs to initiate outbound connections to the internet. If your VM only needs to serve internal traffic, you don’t need Cloud NAT.

How do I SSH into the private VM?

You’ll SSH into the bastion host first. From there, you can SSH into the private VM using its internal IP address. You’ll need to ensure the bastion host is configured to forward traffic to the private VM.

What if I need to access services running on the private VM from the outside world?

You can use a load balancer or a reverse proxy; These services can have public IP addresses, but they will forward traffic to your private VMs, effectively hiding the VMs’ IP addresses. This adds a layer of security and allows for traffic management.

Hiding public IP addresses is a crucial step in securing your Google Cloud infrastructure. By leveraging Terraform and GCP’s networking capabilities, you can effectively minimize your attack surface and enhance your overall security posture. This approach, using private networks, bastion hosts, and optionally Cloud NAT, provides a robust and scalable solution for deploying secure applications. Remember to regularly review and update your Terraform configurations to adapt to evolving security threats and best practices. By embracing infrastructure-as-code and following security best practices, you can confidently deploy and manage your applications in the cloud while minimizing the risk of unauthorized access. The use of Terraform offers a repeatable and version-controlled approach, ensuring consistency and reliability in your deployments. Always prioritize security when designing and deploying your cloud infrastructure.

Author

  • Daniel is an automotive journalist and test driver who has reviewed vehicles from economy hybrids to luxury performance cars. He combines technical knowledge with storytelling to make car culture accessible and exciting. At Ceknwl, Daniel covers vehicle comparisons, road trip ideas, EV trends, and driving safety advice.

Related posts:

  1. The Importance of Google Reviews for Business Growth
  2. G Suite (Google Workspace) vs. JumpCloud: Choosing the Right Platform for Your Business
  3. How to Start a Clothing Line: A Step-by-Step Guide
  4. What is Bluetooth? Definition, Uses, and Types in 2024
Tech