Internet Gateway in GCP


Sujeet Gupta

Jan 6, 2020, 4:44:45 PM
to gce-discussion
Hi GCP Team,
I need some input about internet gateway of GCP.
In AWS we have something like internet gateway which provide inbound and outbound access to internet.
1) What is the counterpart in GCP
2) I am trying to develop custodian based control to remediate the event of internet gateway creation. In AWS we have something like 'CreateInternetGateWay',
Do we have similar event in GCP.


Thank you,
Sujeet

Sujeet Gupta

Jan 6, 2020, 7:11:56 PM
to gce-discussion, kap...@gmail.com
Hi Kapil,
I am trying to build control to remediate default internet gateway association with compute engine.
I looked into the sample examples but I could not find anything related to internet gateway.

Looking forward for your input on this.

Thank you,
Sujeet

--
© 2018 Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043
 
Email preferences: You received this email because you signed up for the Google Compute Engine Discussion Google Group (gce-dis...@googlegroups.com) to participate in discussions with other members of the Google Compute Engine community and the Google Compute Engine Team.
---
You received this message because you are subscribed to the Google Groups "gce-discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gce-discussio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gce-discussion/023ff8ac-8e27-4227-ac6f-3f4316e95b58%40googlegroups.com.

Kirill Katsnelson

Jan 6, 2020, 7:35:13 PM
to gce-discussion
For outbound traffic, you're probably looking for Cloud NAT. I am unfamiliar with AWS and do not quite understand what the "events" you are referring to are (are they passive logged items or active triggers for some code?), but you can enable NAT logging and receive log events for any new connection. You can also trigger a Cloud Function or broadcast a PubSub message (the Cloud Function ≈ AWS Lambda, this is as much as I know of AWS) based on logged events (the last bullet point under the Events subheading).

I'm generally much less familiar with the inbound traffic (I'm running only computational batch loads in GCE), but possibly HTTP Load Balancers are what you are looking for? The answer depends on the type of your traffic, of course, and how you handle it: Web site HTTP serving (then, GCE or AppEngine?), API endpoint requests, your call. If you want to monitor such things as SSH connections, VPC logging may be a solution, but these logs are very chatty, so plan your ingestion filtering carefully to avoid both clutter and extra charges. Cloud IAP is a much more secure way to SSH into the network, as it connects to the internal addresses (I dropped all my bastion hosts when it became available), and it also can audit and log access. Then you are back to Stackdriver's logging to react to these events, as I outlined in the first paragraph.

Just FYI, to avoid confusion, I'm only a user, not affiliated with GCP support.

Hope this helps,

 -kkm

Marcel Florez

Jan 6, 2020, 7:53:29 PM
to gce-discussion
Hello Sujeet,

Related to your questions:

1. The Default Internet Gateway in GCP is just a next hop to the Internet; it's assigned by the system, or you can select it as the next hop when creating custom routes.[1]
2. There is nothing similar to 'CreateInternetGateWay' in GCP. You will have access to the internet while the instance has an external public IP and the firewall rules allow that traffic. Please notice that there is an implicit and default "deny all" ingress rule and an "allow all" egress rule, so you add rules as your scenario needs. If you don't need your instances to have an external IP, you can also use Cloud NAT to allow internet access.[2]

However, to better assist you and to understand a bit more about what you are trying to achieve, could you please provide more information about your scenario?
Additionally, if you have more technical questions, please post your question at serverfault.com, where you have access to a large community of enthusiasts and experts to share ideas with and get support from.



Sujeet Gupta

Jan 7, 2020, 5:44:19 PM
to Marcel Florez, gce-discussion, kap...@gmail.com
Thank you so much Marcel !!
My use case is very simple as below:
As soon as any GCP compute engine instance is created, we want to capture the event. Based on the event, if the instance has access to the internet gateway (access to inbound/outbound internet traffic), we want to terminate/stop the instance.

Looking forward to your reply!!

Thank you,
Sujeet


Gautham (Google Cloud Support)

Jan 7, 2020, 8:04:43 PM
to gce-discussion
Hi,

To view the Compute Engine instance creation, you can look in the Activity tab, which is right beside the Dashboard tab in the GCP console, and you can also view it from Stackdriver Logging by going to Stackdriver -> Logging -> Log viewer. Could you please clarify and elaborate on the event you are referring to?



Mary Koes

Jan 8, 2020, 8:54:39 AM
to Gautham (Google Cloud Support), gce-discussion
Hi all,

I'm a product manager for logging. We automatically capture events for create/update/delete events via Admin Activity Audit logs. We have users who push "new instance created" audit logs to PubSub using a log sink and then process with Cloud Functions to check attributes and take action using the compute APIs. 

This qwiklab has the specific example of creating the filter to alert on these entries (jump to "Create alerting policy for the VM creation metric"). In order to take action via a Cloud Function, you'd want to use the same filter but a Log Sink to send the logs to PubSub instead. It's useful to know that Log Sinks can also be set at the org level to cover everything in your organization using Aggregated Exports.

Hope that helps,

Mary



Sujeet Gupta

Jan 8, 2020, 1:50:55 PM
to gce-discussion
My requirement is to delete the route with next_hop as default_internet_gateway.

I can delete a route with the command below:

gcloud compute routes delete route_name

I can also get the list of routes with: gcloud compute routes list

but how can I get a route_name from the list of routes having next_hop as 'default_internet_gateway'?


Thank you,

Sujeet


Dattu Pragnu Nellutla

Jan 8, 2020, 11:06:02 PM
to gce-discussion

To get a route_name from the list of routes having next_hop as 'default_internet_gateway', please use the following command.


gcloud compute routes list | grep default-internet-gateway


https://cloud.google.com/sdk/gcloud/reference/compute/routes/list

Sujeet Gupta

Jan 9, 2020, 7:48:35 PM
to Dattu Pragnu Nellutla, Mary Koes, gce-discussion
Hi Mary

I am creating a route and trying to process the event in a Cloud Function. I am constantly getting a JSON parsing error as below. Looking forward to your quick response on it.



Traceback (most recent call last):
  File "/env/local/lib/python3.7/site-packages/google/cloud/functions/worker.py", line 383, in run_background_function
    _function_handler.invoke_user_function(event_object)
  File "/env/local/lib/python3.7/site-packages/google/cloud/functions/worker.py", line 217, in invoke_user_function
    return call_user_function(request_or_event)
  File "/env/local/lib/python3.7/site-packages/google/cloud/functions/worker.py", line 214, in call_user_function
    event_context.Context(**request_or_event.context))
  File "/user_code/main.py", line 17, in run
    event = json.loads(base64.b64decode(event['data']).decode('utf-8'))
UnicodeDecodeError: 'utf-8' codec can't decode byte 0x9c in position 1: invalid start byte


payload:

Event: {'insertId': '-naoi1tdc862', 'logName': 'projects/bold-hallway-258919/logs/cloudaudit.googleapis.com%2Factivity', 'operation': {'id': 'operation-1578614395820-59bbdce4cdb98-efcc6fb2-cd3fdc8c', 'last': True, 'producer': 'compute.googleapis.com'}, 'protoPayload': {'@type': 'type.googleapis.com/google.cloud.audit.AuditLog', 'authenticationInfo': {'principalEmail': 'xxx.x@gmail.com'}, 'methodName': 'v1.compute.routes.insert', 'request': {'@type': 'type.googleapis.com/compute.routes.insert'}, 'requestMetadata': {'callerIp': '', 'callerSuppliedUserAgent': 'google-cloud-sdk gcloud/273.0.0 command/gcloud.compute.routes.create invocation-id/f794c079d1a64dd69f017bcb58b06f5d environment/None environment-version/None interactive/True from-script/False python/2.7.10 term/xterm-256color (Macintosh; Intel Mac OS X 18.7.0),gzip(gfe)'}, 'resourceName': 'projects/bold-hallway-258919/global/routes/myroutetencommandline', 'serviceName': 'compute.googleapis.com'}, 'receiveTimestamp': '2020-01-10T00:00:00.383651222Z', 'resource': {'labels': {'project_id': 'bold-hallway-258919', 'route_id': '123658669026574483'}, 'type': 'gce_route'}, 'severity': 'NOTICE', 'timestamp': '2020-01-09T23:59:59.675Z'}


Thank you,
Sujeet
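The pipeline Mary describes (Admin Activity audit entry delivered through a log sink to Pub/Sub, parsed in a Cloud Function, route looked up, action decided), as an added example that is not code from the thread or from Cloud Custodian; it also answers the earlier question of picking out the routes whose next hop is the default internet gateway. The project id, route names, sample entry and the `get_route` lookup are constructed, and the zlib inflation step is an assumption prompted by the traceback's byte 0x9c at position 1, which matches the zlib header 0x78 0x9c but is not confirmed by anything in the thread.

```python
import base64
import json
import zlib

DEFAULT_INTERNET_GATEWAY = "/global/gateways/default-internet-gateway"  # nextHopGateway URL suffix
ROUTE_INSERT_METHODS = {"v1.compute.routes.insert", "beta.compute.routes.insert"}
AUDIT_LOG_TYPE = "type.googleapis.com/google.cloud.audit.AuditLog"

def decode_pubsub_data(data):
    """Parse the log entry in a Pub/Sub message's base64 'data' field.
    Assumption: the traceback's bad byte 0x9c at position 1 matches the zlib
    header 0x78 0x9c, so a payload with a valid zlib header (deflate method,
    header value divisible by 31) is inflated before json.loads runs."""
    raw = base64.b64decode(data)
    if len(raw) >= 2 and raw[0] & 0x0F == 8 and (raw[0] << 8 | raw[1]) % 31 == 0:
        raw = zlib.decompress(raw)
    return json.loads(raw.decode("utf-8"))

def route_from_insert_event(entry):
    """Route name if the Admin Activity audit entry records a route insert, else None."""
    payload = entry.get("protoPayload", {})
    if payload.get("@type") != AUDIT_LOG_TYPE:
        return None
    if payload.get("methodName") not in ROUTE_INSERT_METHODS:
        return None
    resource = payload.get("resourceName", "")  # projects/<project>/global/routes/<name>
    return resource.rsplit("/", 1)[1] if "/global/routes/" in resource else None

def uses_default_internet_gateway(route):
    """route: a route resource from the compute routes.get/list API
    (same JSON as `gcloud compute routes describe NAME --format=json`)."""
    return route.get("nextHopGateway", "").endswith(DEFAULT_INTERNET_GATEWAY)

def routes_to_default_internet_gateway(routes):
    """Names of the routes in a routes.list result whose next hop is the gateway."""
    return [r["name"] for r in routes if uses_default_internet_gateway(r)]

def evaluate_event(message, get_route):
    """(route name, flagged) for one Pub/Sub message. get_route(name) fetches the
    route: the compute API in production, a dict lookup here so it runs offline."""
    name = route_from_insert_event(decode_pubsub_data(message["data"]))
    if name is None:
        return None, False
    return name, uses_default_internet_gateway(get_route(name))

# Constructed sample modelled on the entry posted in the thread; the project id is a placeholder.
SAMPLE_ENTRY = {"protoPayload": {"@type": AUDIT_LOG_TYPE, "methodName": "v1.compute.routes.insert",
                                 "resourceName": "projects/example-project/global/routes/myroute"},
                "resource": {"type": "gce_route"}}
# Constructed route resources in the shape routes.get / routes.list return them.
SAMPLE_ROUTES = {
    "myroute": {"name": "myroute", "destRange": "0.0.0.0/0", "nextHopGateway":
                "https://www.googleapis.com/compute/v1/projects/example-project" + DEFAULT_INTERNET_GATEWAY},
    "to-hub": {"name": "to-hub", "destRange": "10.8.0.0/16", "nextHopIp": "10.0.0.2"},
}

def sample_message(compressed):
    """Pub/Sub-style message carrying SAMPLE_ENTRY, zlib-compressed when asked (the assumed failing case)."""
    raw = json.dumps(SAMPLE_ENTRY).encode("utf-8")
    return {"data": base64.b64encode(zlib.compress(raw) if compressed else raw).decode("ascii")}
```

A production function would have `get_route` call the compute API routes.get and then stop the instance or delete the route as policy dictates; keep in mind that the auto-created 0.0.0.0/0 route via the default internet gateway is also what Cloud NAT and Private Google Access route through, so deleting every match removes more than public internet access.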


Shawn Wu

Jan 10, 2020, 12:24:35 PM
to gce-discussion

It is clearly indicated that it is a UnicodeDecodeError. It normally happens when decoding a str string from a certain encoding[1]. I suspect the issue exists in your code. Please note that we do not support specific code issues. You can refer to Stack Overflow[2] for further investigation of the application code.


[1]  https://wiki.python.org/moin/UnicodeDecodeError

[2] https://stackoverflow.com/




Sujeet Gupta

Jan 10, 2020, 12:29:27 PM
to Shawn Wu, gce-discussion
I hope you looked into the exception trace. It clearly shows that the file throwing the exception is Google's worker.py.
Also, I have not written a single line of code; I am just deploying a Cloud Custodian policy.




Ilia Borovoi

Jan 13, 2020, 7:10:05 PM
to gce-discussion
The main purpose of Cloud Functions is to run custom scripts and code that you created. Here is more information about Cloud Functions' capabilities: [https://cloud.google.com/functions/]

Can you please let us know what specifically you're doing with Cloud Functions and what kind of code you are running (please sanitize it if needed)?