Forem: Jonathan Aseh

Implement Load Balancing on Compute Engine in GCP

Jonathan Aseh — Mon, 23 Sep 2024 07:19:36 +0000

Task 1. Configure the region and Zone:

Visual Basic

gcloud config set compute/region us-east1 gcloud config set compute/zone us-east1-d

Task 2. Create the instance:

Visual Basic

gcloud compute instances create nucleus-jumphost-397 \ --zone=us-east1-d \ --machine-type=e2-micro \ --image-family=debian-11 \ --image-project=debian-cloud \ --tags=nucleus-network

Task 3. Configure the web servers using nginx

Visual Basic

cat << EOF > startup.sh #! /bin/bash apt-get update apt-get install -y nginx service nginx start sed -i -- 's/nginx/Google Cloud Platform - '"\$HOSTNAME"'/' /var/www/html/index.nginx-debian.html EOF

Task 4. Create an instance template.

Mermaid

Code

gcloud compute instance-templates create nucleus-server-template \ --region=us-east1 \ --machine-type=e2-medium \ --image-family=debian-11 \ --image-project=debian-cloud \ --tags=nucleus-network \ --metadata-from-file startup-scri

--metadata-from-file startup-script=startup.sh

Task 5. Create a managed instance group based on the template.

gcloud compute instance-groups managed create nucleus-webserver-group \ --template=nucleus-server-template \ --size=2 \ --base-instance-name=nucleus-webserver \ --zone=us-east1-d

Task 6. Create a firewall rule.

Visual Basic

gcloud compute firewall-rules create accept-tcp-rule-843 --allow tcp:80 --target-tags=nucleus-network

Task 7. Create a health check.

Visual Basic

gcloud compute http-health-checks create http-basic-check --port 80

Task 8. Create a backend service and add your instance group as the backend to the backend service group with named port (http:80)

Visual Basic

gcloud compute backend-services create web-backend-service --protocol=HTTP --port-name=http --health-checks=http-basic-check --global

Task 8.b. Add your instance group as the backend to the backend service group with named port (http:80)

Visual Basic

gcloud compute backend-services add-backend web-backend-service --instance-group=nucleus-webserver-group --instance-group-zone=us-east1-d --global (This corrects the ports fail error) gcloud compute instance-groups managed set-named-ports nucleus-webserver-group --named-ports http:80 --zone=us-east1-d

Task 9.b Target the HTTP proxy to route the incoming requests to the default backend service.

Visual Basic

gcloud compute target-http-proxies create web-http-proxy --url-map=web-url-map

Task 10. Create a forwarding rule.

Visual Basic

gcloud compute forwarding-rules create http-content-rule --target-http-proxy=web-http-proxy --ports=80 --global

Note: Wait for 5 to 7 minutes, then check the external IP to see the congratulatory NGINX Server display.

Securing a Virtual Machine Using BeyondCorp Enterprise (BCE)

Jonathan Aseh — Mon, 16 Sep 2024 20:00:35 +0000

Understand the BeyondCorp Enterprise Model

-Zero Trust: BCE operates under a zero-trust security model, meaning no one is automatically trusted—internal or external to your network.
-Secure Access: It secures applications,devices, and networks by verifying user identity, device health, and context before access is granted.
Set Up BeyondCorp Enterprise

-Google Cloud Console: To use BCE,you need a Google Cloud account. Begin by logging into the Google Cloud Console at console.cloud.google.com.
- Navigate to the APIs & Services section and enable the API to integrate it into your security strategy.

Configure a Virtual Machine (VM) in Google Cloud

- Create a VM
- Go to the Compute Engine section and select >Create Instance.
- Choose your preferred machine configuration (OS, size, region) - Ensure proper firewall rules are configured during VM setup, restricting unnecessary traffic.
- SSH Access: Enable SSH access for your VM.
Set Up Identity-Aware Proxy (IAP) for VM Access

-Enable IAP

Navigate to > Identity-Aware Proxy under Security in the Google Cloud Console.
Enable IAP for your project
Configure VM access via IAP**:
In the IAP settings, select the VM instances you want to protect.
Set up access control policies to manage who can SSH into the virtual machines, verifying identity and device compliance before allowing entry.

Implement Context-Aware Access
Define Access Levels
- Set access levels based on device compliance, user identity, location, and other risk factors.
In Access Context Manager create access levels with specific conditions, such as device encryption or specific IP ranges.
Apply Access Policies
Attach these access levels to your VM’s resources, ensuring that only authorized and compliant users can access the machine.
Monitor and Enforce Security Policies
- Real-Time Monitoring Use the Security Command Center to monitor VM access in real-time, identifying suspicious activities or failed access attempts
Audit Logs
Enable audit logging for both the VM and BCE. This will track access attempts and flag any unauthorized access.
Logs can be viewed in Cloud Logging.

Congratulations

Title: How I Configured IAM in Google Cloud Step by Step.

Jonathan Aseh — Tue, 10 Sep 2024 11:23:24 +0000

In this guide,I'll walk you through how I successfully configured Identity and Access Management (IAM) on Google Cloud. IAM allows you to manage access to resources securely by defining who has access and what they can do with those resources.

Step 1:Accessing IAM on Google Cloud.

1.Log in to the Google Cloud Console
2.Navigate to the Navigation Menu(hamburger icon in the upper-left corner)

3.Select IAM & Admin >IAM
Here, you’ll see a list of all members with access to the project and their assigned roles.

Step 2:Adding a New User or Service Account

1.In the IAM dashboard,click Add

2.In the New principals field, input the email addresses of users,groups,or service accounts to whom you want to grant access.

Under the Role dropdown menu, select the appropriate role. Predefined roles such as Viewer, Editor, or Owner offer varying degrees of permissions. If you're configuring for specific tasks, select a more granular predefined role like roles/storage.admin

4.Click Save.
This process adds a new user with the defined role and permissions for your project.

Step 3:Assigning Roles to Existing Users.

Find the user in the IAM dashboard.
Click the >Edit< icon next to their name.
Adjust their role by selecting a new one from the dropdown menu.
Click Save. Ensure the roles you assign follow the principle of least privilege—only give users the permissions they absolutely need

Step 4:Creating Custom Roles for Specific Permissions.

Navigate to IAM & Admin > Roles.
Click Create Role.
Provide a name,description, and choose the role’s launch stage (Beta, General Availability, etc.).
Add permissions to the role by selecting specific services (e.g, storage.buckets.create` for managing Cloud Storage).
Save the custom role and apply it to users as needed. This allows for more fine-grained control over user permissions for specific tasks or resources.

Step 5:Setting IAM Policies at Different Resource Levels.
1.For resource-level permissions (e.g., Cloud Storage or Compute Engine):

Navigate to the resource.
Go to the **Permissions or IAM section. - Add users or modify their permissions specific to that resource. For example,you might assign roles/storage.objectAdmin` to a user for a specific Cloud Storage bucket,giving them control over the objects within it.

Step 6:Auditing and Managing Permissions.
1.Use IAM Recommender to get insights on permissions that are overly permissive and tighten them.
2.Check Cloud Audit Logs to monitor changes in IAM configurations.
3.Use the Policy Troubleshooter if any access issues arise.
These tools help maintain the principle of least privilege and ensure your cloud environment is secure.

Step 7:Using the Command Line Interface (CLI) for IAM Configuration

For those who prefer working with the CLI, Google Cloud’s gcloud command-line tool offers robust IAM management:

-Grant a role to a user:

bash gcloud projects add-iam-policy-binding [PROJECT_ID] \ --member="user:[USER_EMAIL]" \ --role="roles/[ROLE]"

-View the current IAM policy for a project:

bash gcloud projects get-iam-policy [PROJECT_ID]

-Remove a role from a user:

bash gcloud projects remove-iam-policy-binding [PROJECT_ID] \ --member="user:[USER_EMAIL]" \ --role="roles/[ROLE]"

Using the CLI allows you to automate IAM tasks and manage policies more efficiently.

Let me know if you have questions feedbacks on this guild, happy configuring!