Cross Project Access


Ward Harold

Apr 29, 2016, 6:47:21 PM4/29/16
to gce-discussion
According to: https://cloud.google.com/docs/enterprise/best-practices-for-enterprise-organizations it is possible to access resources, e.g., networks, VMs, etc., defined in one project from a separate project. We have a cluster of VMs in Project A where our application services run; we want to set up a separate project, Project B, where all of our "operations" work, e.g., cron jobs, app administration, etc., originates. That way we can separate concerns so that Ops folks have access to operational resources but developers don't.

As an experiment we created a new "ops" project that contains an "ops" network and a single VM. I created a firewall rule to allow the bastion host in our "dev" project to log into the ops VM. Unfortunately, we get no joy. Attempting to set up an ssh session times out, and pings are unsuccessful as well - even though there's a firewall rule in place to allow ICMP to the ops VM.

Has anyone done this sort of thing successfully?

... WkH

Kamran (Google Cloud Support)

Apr 30, 2016, 4:58:26 PM4/30/16
to gce-dis...@googlegroups.com

Hello Ward,

This issue sounds like it is related to your network's firewall rules. Can you post the firewall rules that you've created for the "ops" network? You can use the following command to generate a list of firewall rules (assuming your network name is `ops`):

gcloud compute firewall-rules list --filter network=ops


Sincerely,

Ward Harold

May 1, 2016, 3:08:22 PM5/1/16
to gce-discussion
Hi Kamran, thanks for looking into this. There are only three firewall rules on the "ops" network in Project B at the moment:

bastion-ping          bastion            icmp                            Apply to all targets
bastion-ssh           10.xxx.0.xx/32     tcp:22                          Apply to all targets
ops-allow-internal    10.xxx.0.0/9       tcp:0-65535;udp:0-65535;icmp    Apply to all targets

where 'bastion' is a tag defined in Project A and 10.xxx.0.xx/32 is the IP address of the bastion host on the "work" network in Project A.

Note that all of Project A's networks are "legacy" networks, whereas the Project B ops network is a subnet.

... WkH

Kamran (Google Cloud Support)

May 1, 2016, 4:27:32 PM5/1/16
to gce-dis...@googlegroups.com
Hi Ward,

As described in the Google Cloud networking article: any communication between instances in different networks, even within the same project, must be through external IP addresses.

That being said, you may set up connections between your VMs in different networks using one of the following methods:

1. Connecting them via their external IP addresses. In this case, you will need to modify your firewall rules on the 'ops' network and specify the external IP address of the bastion host as the source for the rules.

2. The second option is to use Cloud VPN to connect two different GCP networks or regions. In this case, your VMs on two different networks can communicate with each other using their internal IP addresses, and your firewall rules should be modified to specify the internal IP address range of the 'work' network as the source IP addresses.

Please also note that tags are associated with an instance, not an IP address; source tags can only be used to control traffic traveling from an instance inside the same network as the firewall.

I hope this will be helpful.

Sincerely,
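As an added example (not part of this thread and not a Google tool), a small Python model of how the "ops" rules posted above evaluate under the two options described in this reply: a source tag only matches an instance inside the rule's own network, and traffic from another network arrives from the external address unless a Cloud VPN link carries the internal addresses. All addresses and the extra rule name are constructed stand-ins for the x'd-out values.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
# external_ip "" means the instance has no external address.
Instance = namedtuple("Instance", "network internal_ip external_ip tags",
                      defaults=("", frozenset()))
# An allow rule attached to `network`; allowed is e.g. ("icmp", "tcp:22").
Rule = namedtuple("Rule", "name network allowed source_ranges source_tags",
                  defaults=((), frozenset()))

def _allows(allowed, proto, port):
    for entry in allowed:                  # "icmp", "tcp:22" or "udp:0-65535"
        p, _, ports = entry.partition(":")
        lo, _, hi = ports.partition("-")
        if p == proto and (not ports or port in range(int(lo), int(hi or lo) + 1)):
            return True
    return False

def observed_source_ip(src, dst_network, vpn_links):
    # Same network or a Cloud VPN link: internal address; otherwise external ("" if none).
    if src.network == dst_network or frozenset((src.network, dst_network)) in vpn_links:
        return src.internal_ip
    return src.external_ip

def matching_rules(rules, src, dst, proto, port=None, vpn_links=frozenset()):
    """Sorted names of rules on dst's network that admit this packet from src."""
    src_ip = observed_source_ip(src, dst.network, vpn_links)
    hits = []
    for r in rules:
        if r.network != dst.network or not _allows(r.allowed, proto, port):
            continue
        # A source tag only identifies an instance inside the rule's own network.
        by_tag = src.network == r.network and bool(r.source_tags & src.tags)
        by_range = bool(src_ip) and any(
            ip_address(src_ip) in ip_network(c) for c in r.source_ranges)
        if by_tag or by_range:
            hits.append(r.name)
    return sorted(hits)

# Constructed addresses standing in for the x'd-out values in the thread.
BASTION = Instance("work", "10.240.0.5", "203.0.113.10", frozenset({"bastion"}))
OPS_VM = Instance("ops", "10.138.0.2")
OPS_RULES = (
    Rule("bastion-ping", "ops", ("icmp",), source_tags=frozenset({"bastion"})),
    Rule("bastion-ssh", "ops", ("tcp:22",), source_ranges=("10.240.0.5/32",)),
    Rule("ops-allow-internal", "ops", ("tcp:0-65535", "udp:0-65535", "icmp"),
         source_ranges=("10.128.0.0/9",)),
)
EXTERNAL_SSH = Rule("bastion-ssh-external", "ops", ("tcp:22",),   # option 1
                    source_ranges=("203.0.113.10/32",))
VPN = frozenset({frozenset(("work", "ops"))})                   # option 2
```

Without a VPN none of the three posted rules admit the bastion's ssh or ping, since the packets carry the external address and the tag is from another network; adding the external-address rule or the VPN link makes the range-based rules match, while the tag-based bastion-ping rule never matches cross-network even over the VPN.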

Ward Harold

May 2, 2016, 10:48:17 AM5/2/16
to gce-discussion
Thanks Kamran, my bad for expecting the internal addresses to work. We will have to use the VPN option since we don't want to allow access to Project B from external IPs ... WkH

Ward Harold

May 2, 2016, 3:10:15 PM5/2/16
to gce-discussion
Kamran, one more question: is it correct to assume that hostname resolution will not work cross-project?

Kamran (Google Cloud Support)

May 4, 2016, 6:46:02 PM5/4/16
to gce-discussion

Hi Ward,

That's correct. As described in the 'Who Handles What' section of the Networks and Firewalls article, each instance's metadata server acts as a DNS server. It stores the DNS entries for all network IP addresses in the local network and calls Google's public DNS server for entries outside the network. You cannot configure this DNS server; however, you can set up your own DNS server if you like and configure your instances to use that server instead by editing the /etc/resolv.conf file.

So you may set up and use your own DNS server to resolve all hostnames across networks that are connected via Cloud VPN.

I hope this answers your question.

Sincerely,