This document describes how to connect to a virtual machine (VM) instance through its internal IP address, using a bastion host VM. A bastion host provides a single external point of entry into a Virtual Private Cloud (VPC) network that contains VMs without external IP addresses. When using a bastion host, connect to the bastion host first, and then connect to the target VM from there.
Connecting to a VM using its internal IP address is useful if the VM doesn't have an external IP address. If the VM does have an external IP address, connect to the VM using its external IP address. If you need to connect to a VM that doesn't have an external IP address and you can't use a bastion host, review the other methods listed in Connection options for internal-only VMs.
Supported operating systems
These connection methods are supported for all public Linux images that are available on Compute Engine. For Fedora CoreOS images, you must set up SSH access before you can use these methods.
Create a bastion host VM
Create a Compute Engine VM in the same VPC network and subnet as the target VM to act as a bastion host. The bastion host is the only VM in this path that is reachable from the internet, so limit who can reach it over SSH (for example, by restricting the source ranges of the firewall rule that allows tcp/22 to it) and keep it small and single-purpose.
Console
Create a bastion host VM by doing the following:
- In the Google Cloud console, go to the Create an instance page.
- Specify the following VM details:
  - Name: the name of your VM.
  - Machine type: a machine type. Choose a small machine type, such as e2-micro.
  - Boot disk Operating system: any Linux OS.
- Expand the Advanced options section, and do the following:
  - In the Network interfaces section, select the same VPC network and subnet as the target VM.
  - For External IPv4 address, select Ephemeral.
- To create and start the VM, click Create.
gcloud
Create a bastion host VM using the gcloud compute instances create command:
- In the Google Cloud console, activate Cloud Shell.
  At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
- Create the bastion host VM by running the following command:
  gcloud compute instances create VM_NAME \
      --zone=ZONE \
      --machine-type=e2-micro \
      --image-family=IMAGE_FAMILY \
      --image-project=IMAGE_PROJECT \
      --network-interface=subnet=SUBNET,address=""
  The empty address="" value assigns an ephemeral external IPv4 address to the bastion host; a target VM without an external IP address is created with no-address instead.
  Replace the following:
  - VM_NAME: the name of the VM.
  - ZONE: the zone for the VM.
  - IMAGE_FAMILY: a Linux image family.
  - IMAGE_PROJECT: the image project containing the image.
  - SUBNET: the same VPC subnet as the target VM. If you use the default VPC network, the SUBNET is default.
Connect to VMs
To connect to a VM, complete the steps in one of the following tabs.
gcloud
Permissions required for this task
To perform this task, you must have the following permissions:
- All permissions that are included in the Service Account User role (roles/iam.serviceAccountUser) on the service account and your user account. For details about how to grant this role on a single service account, see Allowing a principal to impersonate a single service account.
- If you use OS Login, all the permissions that are included in one of the OS Login IAM roles on the service account and your user account.
- If you don't use OS Login, the compute.projects.setCommonInstanceMetadata permission on the service account and your user account as well.
You must additionally assign your service account to the bastion host VM and set the cloud-platform access scope on that VM. The second hop runs gcloud on the bastion host, which authenticates as the VM's attached service account, so that service account needs both the IAM permissions above and a scope that allows Compute Engine API calls.
Connect to a VM using SSH through a bastion host by running the gcloud compute ssh command:
- Connect to the bastion host VM by running the following command:
  gcloud compute ssh BASTION_NAME
  Replace BASTION_NAME with the name of the bastion host VM.
- From the bastion host VM, connect to the target VM through its internal IP address by using the --internal-ip flag:
  gcloud compute ssh VM_NAME \
      --internal-ip
  Replace VM_NAME with the name of the VM that you want to connect to. Without --internal-ip, gcloud tries the target's external IP address, which an internal-only VM doesn't have, and the connection fails.
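The following script, added here as a worked example and not part of the original page or of Google's tooling, wires the two steps above together so they can be scripted rather than typed interactively. It assumes gcloud is installed and authenticated, that the permissions and cloud-platform scope described in the Permissions section are in place, and that firewall rules allow tcp/22 to the bastion from your client and from the bastion to the target. The VM names, zone, subnet and image values are constructed placeholders. It goes one step beyond the page's interactive session by passing a remote command through both hops with the --command flag of gcloud compute ssh, and it validates resource names and quotes every argument before building the nested command.

```shell
#!/bin/sh
# Added example (not from the original page): scripted bastion-host procedure.
# Assumes gcloud is installed and authenticated, the bastion's service account
# has the permissions and cloud-platform scope from the Permissions section,
# and firewall rules allow tcp/22 to the bastion and from the bastion to the
# target VM. Run with DRY_RUN=1 to print the commands instead of executing them.
set -eu

DRY_RUN="${DRY_RUN:-0}"

# Compute Engine resource names: 1-63 characters, lowercase letters, digits and
# hyphens, starting with a letter and not ending with a hyphen.
valid_gce_name() {
  printf '%s' "$1" | grep -Eq '^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# Single-quote one argument so it survives eval and the remote login shell
# unchanged (embedded single quotes become '\'').
shquote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Command that creates the bastion host. An empty 'address=' in the network
# interface requests an ephemeral external IPv4 address, which is exactly what
# the page's address="" becomes once the shell strips the quotes.
# Usage: build_create_cmd NAME ZONE SUBNET IMAGE_FAMILY IMAGE_PROJECT
build_create_cmd() {
  name=$1; zone=$2; subnet=$3; image_family=$4; image_project=$5
  valid_gce_name "$name" || { echo "invalid VM name: $name" >&2; return 1; }
  printf 'gcloud compute instances create %s --zone=%s --machine-type=e2-micro --image-family=%s --image-project=%s --network-interface=%s' \
    "$(shquote "$name")" "$(shquote "$zone")" "$(shquote "$image_family")" \
    "$(shquote "$image_project")" "$(shquote "subnet=$subnet,address=")"
}

# Two-hop command: SSH to the bastion and, from there, run
# 'gcloud compute ssh --internal-ip' against the target, executing REMOTE_CMD
# on the target and returning. The inner command is quoted as a single
# argument so the bastion's shell receives it intact.
# Usage: build_connect_cmd BASTION TARGET ZONE REMOTE_CMD
build_connect_cmd() {
  bastion=$1; target=$2; zone=$3; remote_cmd=$4
  valid_gce_name "$bastion" || { echo "invalid bastion name: $bastion" >&2; return 1; }
  valid_gce_name "$target" || { echo "invalid VM name: $target" >&2; return 1; }
  inner="gcloud compute ssh $(shquote "$target") --zone=$(shquote "$zone") --internal-ip --command=$(shquote "$remote_cmd")"
  printf 'gcloud compute ssh %s --zone=%s --command=%s' \
    "$(shquote "$bastion")" "$(shquote "$zone")" "$(shquote "$inner")"
}

# Execute a built command line, or only print it when DRY_RUN=1.
run_cmd() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi
}

main() {
  # Constructed placeholder values; replace with your own project's.
  run_cmd "$(build_create_cmd bastion-1 us-central1-a default debian-12 debian-cloud)"
  run_cmd "$(build_connect_cmd bastion-1 app-vm-1 us-central1-a 'hostname; ip -4 addr')"
}

# Only act when invoked as: [DRY_RUN=1] sh bastion.sh run
if [ "${1:-}" = run ]; then main; fi
```

Running `DRY_RUN=1 sh bastion.sh run` prints the two gcloud command lines without contacting Google Cloud, which is a convenient way to check the nested quoting before granting anything. For an interactive shell on the target rather than a one-off command, use the two manual steps above, since the nested `--command` form is meant for non-interactive use.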