GCP open firewall only to cloud shell

Google does not publish the public IP address range for Cloud Shell.

VPC firewall rules allow specifying the service account of the source and target. However, Cloud Shell does not use a service account. Cloud Shell uses the identity of the person logged into the Google Cloud Console. This means OAuth 2 User Credentials. User Credentials are not supported for VPC Firewall rules.

My recommendation is to use TCP forwarding and tunnel SSH through IAP (Identity Aware Proxy). Google makes this easy in the Cloud SDK CLI.

Open a Cloud Shell in the Google Cloud Console. Then run this command:

gcloud compute ssh NAME_OF_VM_INSTANCE --tunnel-through-iap

This also works for VM instances that do not have public IP addresses.

The Identity Aware Proxy CIDR netblock is 35.235.240.0/20. Create a VPC Firewall rule that allows SSH traffic from this block. This rule will prevent public SSH traffic and only allow authorized traffic through Identity Aware Proxy.


Google has published the detailed info in this article - Configuring secure remote access for Compute Engine VMs


From the admin console, click Security then select Identity-Aware Proxy.

If you haven’t used Cloud IAP before, you’ll need to configure the OAuth screen:

Configure the consent screen to only allow internal users in your domain, and click Save.

Next, you need to define users who are allowed to use Cloud IAP to connect remotely. Add a user to the “IAP-secured Tunnel User” role on the resource you’d like to connect to.

Then, connect to the machine via the ssh button in the web UI or gcloud.

When using the web UI, notice the URL parameter useAdminProxy=true.

Tip: If you don’t have gcloud installed locally, you can also use Cloud Shell:

gcloud beta compute ssh {VM-NAME} --tunnel-through-iap

You should now be connected! You can verify that you don’t have internet connectivity by attempting to ping out. 8.8.8.8 (Google’s Honest DNS) is a good address to try this with.
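As an added example (it is not part of either answer above, nor Google's own code), the following Python script assembles the gcloud commands the two answers describe: the firewall rule admitting tcp/22 only from 35.235.240.0/20, the project-level binding of the "IAP-secured Tunnel User" role (roles/iap.tunnelResourceAccessor), and the --tunnel-through-iap SSH. It also performs the check a practitioner wants before trusting the setup: the IAP rule only restricts SSH if no other rule still admits port 22 from a broader source (a default network ships with default-allow-ssh from 0.0.0.0/0), so the script audits the JSON that `gcloud compute firewall-rules list --format=json` prints and names every enabled ingress rule that allows tcp/22 from a source range outside the IAP block. The project, zone, tag, user and the rule listing are constructed placeholders, not values from the page.

```python
"""Lock SSH down to IAP TCP forwarding: build the gcloud commands and audit the firewall.

Example code written for this page; project/zone/user/tag and SAMPLE_RULES are
constructed placeholders, not values taken from the original answers.
"""
import ipaddress
import json
import shlex

IAP_TCP_FORWARDING_RANGE = "35.235.240.0/20"          # IAP TCP forwarding source block
IAP_TUNNEL_ROLE = "roles/iap.tunnelResourceAccessor"  # "IAP-secured Tunnel User"


def iap_firewall_rule_cmd(project, network="default", rule_name="allow-ssh-from-iap",
                          target_tag=None):
    """Return the argv for the ingress rule that admits tcp/22 only from the IAP range.

    With target_tag set, only instances carrying that network tag are affected."""
    cmd = ["gcloud", "compute", "firewall-rules", "create", rule_name,
           f"--project={project}", f"--network={network}", "--direction=INGRESS",
           "--allow=tcp:22", f"--source-ranges={IAP_TCP_FORWARDING_RANGE}"]
    if target_tag:
        cmd.append(f"--target-tags={target_tag}")
    return cmd


def grant_tunnel_user_cmd(project, member):
    """Return the argv granting the IAP tunnel role project-wide (member e.g. user:alice@example.com)."""
    return ["gcloud", "projects", "add-iam-policy-binding", project,
            f"--member={member}", f"--role={IAP_TUNNEL_ROLE}"]


def iap_ssh_cmd(instance, zone, project=None):
    """Return the argv for an SSH session tunnelled through IAP (works without a public IP)."""
    cmd = ["gcloud", "compute", "ssh", instance, f"--zone={zone}"]
    if project:
        cmd.append(f"--project={project}")
    cmd.append("--tunnel-through-iap")
    return cmd


def _covers_ssh(allowed):
    """True if one 'allowed' entry of a firewall rule admits TCP port 22."""
    proto = allowed.get("IPProtocol", "").lower()
    if proto not in ("tcp", "all"):
        return False
    ports = allowed.get("ports")
    if not ports:  # no port list means every port of that protocol
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= 22 <= int(hi or lo):
            return True
    return False


def ssh_rules_bypassing_iap(firewall_rules_json):
    """Names of enabled INGRESS rules allowing tcp/22 from any range outside the IAP block.

    Input is the output of `gcloud compute firewall-rules list --format=json`.
    Internal ranges are reported too: the goal is SSH only via IAP, so review each hit."""
    iap_net = ipaddress.ip_network(IAP_TCP_FORWARDING_RANGE)
    offenders = []
    for rule in json.loads(firewall_rules_json):
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not any(_covers_ssh(a) for a in rule.get("allowed", [])):
            continue
        for src in rule.get("sourceRanges", []):  # tag/SA-sourced rules have no ranges
            net = ipaddress.ip_network(src, strict=False)
            if net.version != iap_net.version or not net.subnet_of(iap_net):
                offenders.append(rule["name"])
                break
    return offenders


# Constructed listing resembling a default VPC plus the IAP rule from the answers above.
SAMPLE_RULES = json.dumps([
    {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": False,
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "sourceRanges": ["0.0.0.0/0"]},
    {"name": "default-allow-internal", "direction": "INGRESS", "disabled": False,
     "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
                 {"IPProtocol": "udp", "ports": ["0-65535"]}, {"IPProtocol": "icmp"}],
     "sourceRanges": ["10.128.0.0/9"]},
    {"name": "default-allow-rdp", "direction": "INGRESS", "disabled": False,
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}], "sourceRanges": ["0.0.0.0/0"]},
    {"name": "allow-ssh-from-iap", "direction": "INGRESS", "disabled": False,
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "sourceRanges": [IAP_TCP_FORWARDING_RANGE], "targetTags": ["iap-ssh"]},
    {"name": "allow-all-egress", "direction": "EGRESS", "disabled": False,
     "allowed": [{"IPProtocol": "all"}], "destinationRanges": ["0.0.0.0/0"]},
])

if __name__ == "__main__":
    for argv in (iap_firewall_rule_cmd("my-project", target_tag="iap-ssh"),
                 grant_tunnel_user_cmd("my-project", "user:alice@example.com"),
                 iap_ssh_cmd("vm-1", "us-central1-a", "my-project")):
        print(shlex.join(argv))
    print("rules still admitting SSH outside IAP:", ssh_rules_bypassing_iap(SAMPLE_RULES))
```

Run against a real project by piping `gcloud compute firewall-rules list --format=json` into `ssh_rules_bypassing_iap`; on the constructed listing it reports default-allow-ssh and default-allow-internal, which is why creating the IAP rule alone is not enough and default-allow-ssh must be deleted (or its source range narrowed) as well.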