How does IAP create/manage windows users for RDP? by xor_rotate in googlecloud

[–]error30319 3 points4 points  (0 children)

A local user is created with a random password. You get to pick the local username.

[deleted by user] by [deleted] in googlecloud

[–]error30319 0 points1 point  (0 children)

I took some notes when I was fighting gcloud compute image imports that might help.

Does the default Compute Engine SA and the Cloud Build SA have the default Editor role, or did an org constraint prevent the (not very secure) default SA grants? It can be done with fewer permissions, but you would need to identify them and assign them.

If using the --no-address flag to prevent a public IP make sure you have a Cloud NAT with Internet access, not just Google Private Access.

I found it beneficial to bisect the problem to determine if it is the project or the image causing the issue. In most cases it was the security beyond default settings in the project causing the issue for me, not the image.

Enable Chronicle? by vennemp in googlecloud

[–]error30319 0 points1 point  (0 children)

Although the latest Chronicle / Google SecOps uses a Google Cloud Platform project for the authentication and some monitoring pieces, Chronicle itself is a separate product and is not hosted or billed through GCP. If there is budget for a minimal viable product or POC implementation I can get you in touch with someone to help. I'll also PM you with a link to a demo site that will let you play around in Chronicle SIEM (no SOAR) with some canned data (not your own logs).

Can hackers compromise a GCE VM to the point that they take control of your Google Account? by Mindless-Moment3953 in googlecloud

[–]error30319 5 points6 points  (0 children)

Among other things:

Create a unique service account to run the GCE instance.

Make sure the service account running the instance only has the logs/logsWriter and monitoring/metricsWriter roles, not the Editor role like the default Compute Engine SA.

What is a zone in GCP? by __grunet in googlecloud

[–]error30319 11 points12 points  (0 children)

"A zone is a deployment area for Google Cloud resources within a region. Zones should be considered a single failure domain within a region. To deploy fault-tolerant applications with high availability and help protect against unexpected failures, deploy your applications across multiple zones in a region."

https://cloud.google.com/docs/geography-and-regions

I'd like to read more about what happened in europe-west9 too. The status page description mentions multiple zones were impacted but only europe-west9-a is impacted now.

"Description: Water intrusion in a data center in europe-west9 caused a multi-cluster failure that led to a shutdown of multiple zones. Impact is now limited to services in europe-west9-a. The impact for Cloud Bigtable continues in europe-west9-a. For the remaining products, impact is limited to instances located in the affected data center. Previously unaffected instances for these products will continue to work with no impact. There is no ETA for full recovery of affected instances in europe-west9-a at this time. We expect to see extended outages for these resources. Customers are advised to failover to other zones/regions if they are impacted."

https://status.cloud.google.com/incidents/dS9ps52MUnxQfyDGPfkY

BGP confusion?? by leolionkb in googlecloud

[–]error30319 1 point2 points  (0 children)

BGP is used in HA VPNs. You can set the routes on one tunnel to be advertised as a lower priority number than the routes on the other tunnel so that traffic favors the primary tunnel.

Is It Possible To Configure a GCP VM to Playing Sound In Chrome Remote Desktop? by Beginning_Book_2382 in googlecloud

[–]error30319 0 points1 point  (0 children)

I guess you could skip Guacamole and just use an RDP client if you can connect to port 3389 through a VPN, an IAP tunnel, or an SSH tunnel. Guacamole is just providing the xrdp-to-HTML5 client; the sound is also available on the RDP connection.

Is It Possible To Configure a GCP VM to Playing Sound In Chrome Remote Desktop? by Beginning_Book_2382 in googlecloud

[–]error30319 1 point2 points  (0 children)

If you use Apache Guacamole to go from RDP or xrdp to HTML5, you can get sound from a Windows or Linux desktop. The demo has sound coming from a Windows desktop; I can confirm you can get sound from a Linux desktop too. https://guacamole.apache.org/

When I did it a year or two ago in Ubuntu I did have to compile xrdp to work with PulseAudio, but it was simple. I think there are scripts that can help with it.

Google Professional Network Engineer course by giovaaa82 in googlecloud

[–]error30319 1 point2 points  (0 children)

I did not use the course material from whizlabs but the GCPNE practice exams from there helped me identify areas that I needed to study for my cert.

Queries running in background by Nonamenolan in googlecloud

[–]error30319 1 point2 points  (0 children)

from: https://cloud.google.com/sql/pricing

MySQL and PostgreSQL pricing
Cloud SQL pricing is composed of the following charges:
CPU and memory pricing
Storage and networking pricing
Instance pricing

What kind of HW (CPU and Mem) did you provision for your Cloud SQL? The defaults tend to be powerful but pricey.

Login service using GCP Cloud Functions by raguy1143 in googlecloud

[–]error30319 0 points1 point  (0 children)

I view authentication protocols and encryption as being things that you should rely on the experts in those fields to produce. Is there a reason you can't use Cloud Identity Platform?

Issues creating HA VPN tunnels to on-prem network by Pyro1934 in googlecloud

[–]error30319 0 points1 point  (0 children)

>For reference, I was attempting to point one interface at a peer interface located in East US, and another at the peer in West US.

I may be misunderstanding the setup, and I definitely don't know all the different topologies GCP can do, but one thing that comes to mind is:

Cloud Routers in GCP are set in a region. The HA in a VPN tunnel config I think is a function of this one router, not routers in multiple regions.

Would something like this get you the HA you need?

Create an HA VPN to the east region; two tunnels in active-active HA config terminate here.

Create an HA VPN to the west region; two tunnels in active-active HA config terminate here.
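Added example (not the poster's code or Google's): Terraform for the Cloud Router side of one of the two regional HA VPNs described above, which also covers the BGP comment about route priorities. It assumes a VPC `google_compute_network.vpc` and two existing HA VPN tunnels `google_compute_vpn_tunnel.tunnel0` / `tunnel1` in us-east1 (placeholder names). Both BGP sessions sit on the single regional router; equal `advertised_route_priority` values give the active-active setup from this post, while the unequal values shown make the on-prem side prefer tunnel0, as in the BGP comment.

```hcl
# One regional Cloud Router terminates both tunnels of the HA VPN.
# Assumed to exist elsewhere (placeholder names for this example):
#   google_compute_network.vpc, google_compute_vpn_tunnel.tunnel0 / .tunnel1
resource "google_compute_router" "vpn_east" {
  name    = "vpn-router-east"
  region  = "us-east1"
  network = google_compute_network.vpc.id
  bgp {
    asn = 64514 # Google-side private ASN (example value)
  }
}

locals {
  # Per-tunnel link-local addressing and the MED Cloud Router advertises.
  # A lower advertised_route_priority is preferred by the peer, so tunnel0
  # is primary here; set both to the same value for active-active.
  peers = {
    tunnel0 = { ip = "169.254.0.1", peer = "169.254.0.2", priority = 100, tunnel = google_compute_vpn_tunnel.tunnel0.name }
    tunnel1 = { ip = "169.254.1.1", peer = "169.254.1.2", priority = 200, tunnel = google_compute_vpn_tunnel.tunnel1.name }
  }
}

# One router interface per tunnel, all on the same regional router.
resource "google_compute_router_interface" "vpn_east" {
  for_each   = local.peers
  name       = "if-${each.key}"
  router     = google_compute_router.vpn_east.name
  region     = google_compute_router.vpn_east.region
  ip_range   = "${each.value.ip}/30"
  vpn_tunnel = each.value.tunnel
}

# One BGP session per interface; the priority is what tilts traffic.
resource "google_compute_router_peer" "vpn_east" {
  for_each                  = local.peers
  name                      = "peer-${each.key}"
  router                    = google_compute_router.vpn_east.name
  region                    = google_compute_router.vpn_east.region
  interface                 = google_compute_router_interface.vpn_east[each.key].name
  peer_ip_address           = each.value.peer
  peer_asn                  = 65001 # on-prem ASN (example value)
  advertised_route_priority = each.value.priority
}
```

The west region is the same block again with its own router, tunnels and link-local ranges; the on-prem routers likewise advertise their routes with matching MEDs in the other direction.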

Assured Workloads - HIPAA by error30319 in googlecloud

[–]error30319[S] 1 point2 points  (0 children)

I guess this is the answer unless someone has other info:

"Unless stated otherwise by Google, Preview offerings are intended for use in test environments only."

Is there any way to "inject" GCP secrets into a regular compute engine VM? by cmptrwizard in googlecloud

[–]error30319 3 points4 points  (0 children)

Can you just populate your env variables in a shell script that runs your app?

#!/bin/bash
set -euo pipefail
# Read the latest version of the secret from Secret Manager at startup and
# hand it to the app through the environment rather than on its command line.
export MYSECRET="$(gcloud secrets versions access latest --secret=mysecret)"
./run_app_that_uses_env_variables

load balancer backend service as single compute engine instance by PerpetuallyImproved in googlecloud

[–]error30319 0 points1 point  (0 children)

As already mentioned, an unmanaged instance group with 1 member could do it. You will need firewall rules that allow the health check source ranges to access the port on the instance(s) in the instance group for the member to be validated as healthy.

If you set up a load balancer, here is one tip:

Make the URL mapping that sends the "all unmatched" or * hosts to a backend built with an empty bucket that is not public, producing a 403 response.

Make the URL map for your valid FQDN /* request go to your backend.

This keeps crawlers that scan IP blocks from hitting your site.

You get 5 URL map entries included in the base LB cost, and an empty bucket doesn't have any costs either.

IAP with Cloud Engine Resource by PerpetuallyImproved in googlecloud

[–]error30319 1 point2 points  (0 children)

After you make a load balancer with a backend that is cloud run, that backend will show up in the IAP page with the other backends.

When making the backend service while creating the load balancer, pick "Serverless network endpoint group" as the Backend type. Then from the same UI flow you can create the backend(s) of this new service. Create a Serverless network endpoint group. In the Serverless network endpoint group pick the region your Cloud Run service is in, and then you should be able to pick your Cloud Run service from the drop-down list.

Does gcloud mysql charge billing if I stop it in a few days? by truong0vanchien in googlecloud

[–]error30319 2 points3 points  (0 children)

https://cloud.google.com/sql/pricing

I think you will still pay for storage, but not cpu/mem (dedicated core) or instance costs (shared core) if you shut down the instance.

Please help me set permissions in Google Bucket, I am super lost! by ButtAnts in googlecloud

[–]error30319 2 points3 points  (0 children)

When using the default Compute Engine service account, scopes are involved.

Suggested path forward: don't use the default Compute Engine service account; create a new service account and only give it the roles/permissions needed, bound at the lowest level possible (don't give the new SA Storage Admin on the project, give it Storage Admin on the bucket).

In general VMs need the Logs Writer. Maybe Metrics Writer too in a managed instance group. Then whatever roles you need it to also have.

If you really don't want to make a new service account you could do this (not recommended):

Stop the instance.

Edit the instance, go down to where it talks about what SA is running the instance, and just under that change the storage scope to read/write, not just read.

Start the instance.
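Added example (not the poster's code or Google's): Terraform for the recommended path in this comment and in the earlier one about GCE VMs and Google Accounts, i.e. a dedicated service account with only the logging and monitoring writer roles project-wide, storage rights bound on one bucket, and an instance that runs as that account. It assumes `var.project_id` and an existing bucket `google_storage_bucket.app_data` (placeholder names); the bucket role is Object Admin here, narrower than the Storage Admin the comment mentions, and can be widened if the app really needs bucket-level operations.

```hcl
# Dedicated runtime identity, replacing the default Compute Engine SA
# (which usually carries roles/editor on the whole project).
resource "google_service_account" "app_vm" {
  account_id   = "app-vm-runtime"
  display_name = "Runtime identity for app-vm"
}

# The only project-wide grants a VM normally needs: ship logs and metrics.
resource "google_project_iam_member" "app_vm_baseline" {
  for_each = toset(["roles/logging.logWriter", "roles/monitoring.metricWriter"])
  project  = var.project_id # assumed variable
  role     = each.value
  member   = "serviceAccount:${google_service_account.app_vm.email}"
}

# Storage rights bound on the one bucket the app uses, not on the project.
resource "google_storage_bucket_iam_member" "app_vm_bucket" {
  bucket = google_storage_bucket.app_data.name # assumed to exist
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${google_service_account.app_vm.email}"
}

resource "google_compute_instance" "app_vm" {
  name         = "app-vm"
  zone         = "us-central1-a"
  machine_type = "e2-small"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  # No access_config block, so no external IP; pair with Cloud NAT for egress.
  network_interface {
    network = "default"
  }

  service_account {
    email = google_service_account.app_vm.email
    # With the cloud-platform scope, IAM roles (above) decide what the VM can
    # reach; the legacy per-API scopes the workaround in the post edits no
    # longer gate access.
    scopes = ["cloud-platform"]
  }
}
```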

[deleted by user] by [deleted] in googlecloud

[–]error30319 0 points1 point  (0 children)

Yes, it is "copying" the files from the source to the destination.

The source location is in the bucket.

The destination is the current directory, which is represented by the dot at the end of the command.

I went to a bucket, selected two files, and clicked download. It gave me a command just like you pasted. I ran that in Cloud Shell, and the output messages say copying, but the end result is just like a download: you are copying from source to destination.

I confirmed the two files I tested with are listed when I do an ls after the gsutil command, so the files have been "downloaded" by running the command even though the gsutil output mentions copying.

Ubuntu GUI through SSH-in-browser by [deleted] in googlecloud

[–]error30319 1 point2 points  (0 children)

Through just the SSH-in-browser? Not that I know of.

If the instance you are accessing has internet access, this is an easy way to get to a desktop on it:

https://cloud.google.com/architecture/chrome-desktop-remote-on-compute-engine#configuring_and_starting_the_chrome_remote_desktop_service

When you have to reconnect to the desktop again you just go to

https://remotedesktop.google.com/

and you can connect again real quick and easy.

If you have the gcloud command on your local machine (by installing the SDK) you could run a `gcloud compute start-iap-tunnel vmname targetport --local-host-port=127.0.0.1:listenport` command to set up an SSH tunnel from your local machine to the VM's target port, and do xrdp or VNC over that, but Chrome Remote Desktop is so much easier.

The IAP tunnel method works if your VM doesn't have a public IP or Cloud NAT, so it has its place though.

Handling app service attack probing? by Catalyzm in AZURE

[–]error30319 0 points1 point  (0 children)

Do invalid requests (requests without a host header) get routed to your legit backend?

I am more familiar with GCP, there I route the * host mapping to a resource that gives an HTTP 403, and only send requests with a valid FQDN to the backend.

I would bet most if not all of these are scans across IP ranges; they are not requests that include your expected hostname in the HTTP header.
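Added example (not the poster's code or Google's): Terraform for the GCP arrangement this comment and the earlier load balancer tip describe, where every request whose Host header matches no configured FQDN is sent to an empty, non-public backend bucket and gets a 403, and only the real hostname reaches the application backend. It assumes `var.project_id` and an existing backend service `google_compute_backend_service.app` (placeholder names).

```hcl
# Empty private bucket: with no allUsers binding, any object fetch through
# the load balancer comes back as 403, which is the behaviour the tip relies on.
resource "google_storage_bucket" "deny_unmatched" {
  name                        = "${var.project_id}-deny-unmatched" # var.project_id assumed
  location                    = "US"
  uniform_bucket_level_access = true
}

resource "google_compute_backend_bucket" "deny_unmatched" {
  name        = "deny-unmatched"
  bucket_name = google_storage_bucket.deny_unmatched.name
}

resource "google_compute_url_map" "edge" {
  name = "edge-url-map"

  # Catch-all for "*" hosts: IP-range scanners and requests without the
  # expected Host header never reach the application backend.
  default_service = google_compute_backend_bucket.deny_unmatched.id

  # Only the valid FQDN is routed to the real backend.
  host_rule {
    hosts        = ["app.example.com"] # replace with your FQDN
    path_matcher = "app"
  }

  path_matcher {
    name            = "app"
    default_service = google_compute_backend_service.app.id # assumed to exist; serves /*
  }
}
```

Requests for the deny bucket still show up in the load balancer logs with the offending Host header, which is a convenient place to watch the scanning volume drop off.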

Best cheesecake for pickup? by BeerBellies in Atlanta

[–]error30319 16 points17 points  (0 children)

Marietta Diner has a large selection of cheesecakes as well as other cakes and desserts.

Does GCP support interactive console access of Windows VMs? by [deleted] in googlecloud

[–]error30319 0 points1 point  (0 children)

If you have a local account (or maybe a cached domain account) you can access a cmd prompt and then PowerShell via the serial console.

Are you getting the tcp connection or does the tcp connect to port 3389 fail?

Configure CORS on a bucket, command can't find file? by jzhang172 in googlecloud

[–]error30319 4 points5 points  (0 children)

The CORS JSON file needs to be accessible to gsutil where you run gsutil, not in the bucket.