⚠️ NOTE
Check out SSH via IAP as an alternative to Bastion Hosts:
- Cloud IAP enables context-aware access to VMs via SSH and RDP without bastion hosts
- Using IAP for TCP forwarding
⚠️ NOTE
This template creates a Bastion host. Once it had been deployed, one can use
gcloud compute ssh <BASTION_HOST_NAME> --zone <ZONE> to connect to
the Bastion host, and then use
gcloud compute ssh <TARGET_HOST_NAME> --zone <ZONE> --internal-ip to SSH to
another host, within the same network, that has no external IP assigned.
- Install gcloud
- Create a GCP project, set up billing, enable requisite APIs
- Grant the compute.computeAdmin IAM role to the Deployment Manager service account
See the properties section in the schema file(s):
- Clone the Deployment Manager Samples repository:
git clone https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit- Go to the dm directory:
cd dm- Copy the example DM config to be used as a model for the deployment; in this case, examples/bastion.yaml:
cp templates/bastion/examples/bastion.yaml \
my_bastion.yaml- Change the values in the config file to match your specific GCP setup (for properties, refer to the schema files listed above):
vim my_bastion.yaml # <== change values to match your GCP setup- Create your deployment (replace <YOUR_DEPLOYMENT_NAME> with the relevant deployment name):
gcloud deployment-manager deployments create <YOUR_DEPLOYMENT_NAME> \
--config my_bastion.yaml- In case you need to delete your deployment:
gcloud deployment-manager deployments delete <YOUR_DEPLOYMENT_NAME>