Time: 1 hour
Difficulty: Intermediate
Price: 5 Credits
Quest: Cloud Architecture: Design, Implement, and Manage
Last updated: Sep 7, 2023
Your company has decided to deploy new application services in the cloud, and your assignment is to develop a secure framework for managing the Windows services that will be deployed. You will need to create a new VPC network environment for the secure production Windows servers.
Production servers must initially be completely isolated from external networks and cannot be directly accessed from, or be able to connect directly to, the internet. In order to configure and manage your first server in this environment, you will also need to deploy a bastion host, or jump box, that can be accessed from the internet using the Microsoft Remote Desktop Protocol (RDP). The bastion host should only be accessible via RDP from the internet, and should only be able to communicate with the other compute instances inside the VPC network using RDP.
Your company also has a monitoring system running from the default VPC network, so all compute instances must have a second network interface with an internal only connection to the default VPC network.
Deploy the secure Windows machine that is not configured for external communication inside a new VPC subnet, then deploy the Microsoft Internet Information Server on that secure machine.
-
Create a new VPC network called securenetwork.
Go to cloud shell and run the following command:
gcloud compute networks create securenetwork --project=$DEVSHELL_PROJECT_ID --subnet-mode=custom --mtu=1460 --bgp-routing-mode=regional
-
Then create a new VPC subnet inside securenetwork:
gcloud compute networks subnets create secure-subnet --project=$DEVSHELL_PROJECT_ID --range=10.0.0.0/24 --stack-type=IPV4_ONLY --network=securenetwork --region=us-central1
-
Once the network and subnet have been configured, configure a firewall rule that allows inbound RDP traffic (TCP port 3389) from the internet to the bastion host. This rule should be applied to the appropriate host using network tags:
gcloud compute --project=$DEVSHELL_PROJECT_ID firewall-rules create secure-firewall --direction=INGRESS --priority=1000 --network=securenetwork --action=ALLOW --rules=tcp:3389 --source-ranges=0.0.0.0/0 --target-tags=rdp
-
Deploy a Windows 2016 server instance called vm-securehost with two network interfaces. Configure the first network interface with an internal only connection to the new VPC subnet, and the second network interface with an internal only connection to the default VPC network. This is the secure server.
gcloud compute instances create vm-securehost --project=$DEVSHELL_PROJECT_ID --zone=us-central1-a --machine-type=n1-standard-2 --network-interface=stack-type=IPV4_ONLY,subnet=secure-subnet,no-address --network-interface=stack-type=IPV4_ONLY,subnet=default,no-address --metadata=enable-oslogin=true --maintenance-policy=MIGRATE --provisioning-model=STANDARD --tags=rdp --create-disk=auto-delete=yes,boot=yes,device-name=vm-securehost,image=projects/windows-cloud/global/images/windows-server-2016-dc-v20230510,mode=rw,size=150,type=projects/$DEVSHELL_PROJECT_ID/zones/us-central1-a/diskTypes/pd-standard --no-shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring --labels=goog-ec-src=vm_add-gcloud --reservation-affinity=any
-
Install a second Windows 2016 server instance called vm-bastionhost with two network interfaces. Configure the first network interface to connect to the new VPC subnet with an ephemeral public (external NAT) address, and the second network interface with an internal only connection to the default VPC network. This is the jump box or bastion host. Note that the first interface has no no-address flag, so it receives an ephemeral external IP, and that the boot disk device name must be vm-bastionhost (not vm-securehost).
gcloud compute instances create vm-bastionhost --project=$DEVSHELL_PROJECT_ID --zone=us-central1-a --machine-type=n1-standard-2 --network-interface=network-tier=PREMIUM,stack-type=IPV4_ONLY,subnet=secure-subnet --network-interface=network-tier=PREMIUM,stack-type=IPV4_ONLY,subnet=default --metadata=enable-oslogin=true --maintenance-policy=MIGRATE --provisioning-model=STANDARD --tags=rdp --create-disk=auto-delete=yes,boot=yes,device-name=vm-bastionhost,image=projects/windows-cloud/global/images/windows-server-2016-dc-v20230510,mode=rw,size=150,type=projects/$DEVSHELL_PROJECT_ID/zones/us-central1-a/diskTypes/pd-standard --no-shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring --labels=goog-ec-src=vm_add-gcloud --reservation-affinity=any
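Before moving on, it is worth confirming that what was actually deployed matches the isolation requirements: the secure host must have no external address on either interface, the bastion must expose an external address on its secure-subnet interface only, and the only rule open to 0.0.0.0/0 must be TCP/3389 scoped by a target tag. The following Python is an added example, not part of the lab; the dictionaries are constructed to mirror the relevant keys of the JSON that `gcloud compute instances describe --format=json` and `gcloud compute firewall-rules describe --format=json` return, and the sample IP addresses are made up.

```python
# Added example, not part of the lab: validate deployed resources against the lab's
# isolation requirements. Dicts are constructed to mirror the relevant keys of
# `gcloud compute instances describe --format=json` / `firewall-rules describe`.
RDP_PORT = "3389"

def external_nics(instance):
    """Indexes of interfaces carrying an external (ONE_TO_ONE_NAT) address."""
    return [i for i, nic in enumerate(instance.get("networkInterfaces", []))
            if nic.get("accessConfigs")]

def check_instance(instance, bastion):
    """Bastion: external address on nic0 only. Secure host: none. Both: two NICs."""
    name, ext = instance["name"], external_nics(instance)
    nics = instance.get("networkInterfaces", [])
    problems = []
    if len(nics) != 2:
        problems.append(f"{name}: expected 2 interfaces, found {len(nics)}")
    if bastion and ext != [0]:
        problems.append(f"{name}: external address should be on nic0 only, found {ext}")
    if not bastion and ext:
        problems.append(f"{name}: secure host has an external address on nic {ext}")
    return problems

def check_firewall(rule):
    """Anything reachable from 0.0.0.0/0 must be TCP/3389 only and tag-scoped."""
    if rule.get("direction") != "INGRESS" or "0.0.0.0/0" not in rule.get("sourceRanges", []):
        return []
    problems = [f"{rule['name']}: internet-facing rule allows {a}"
                for a in rule.get("allowed", [])
                if a.get("IPProtocol") != "tcp" or a.get("ports") != [RDP_PORT]]
    if not rule.get("targetTags"):
        problems.append(f"{rule['name']}: internet-facing rule has no target tag")
    return problems

# Constructed sample of what the lab's commands should produce: no accessConfigs on
# either NIC of the secure host, an ephemeral NAT address on nic0 of the bastion.
SECURE = {"name": "vm-securehost", "networkInterfaces": [
    {"subnetwork": "secure-subnet", "networkIP": "10.0.0.2"},
    {"subnetwork": "default", "networkIP": "10.128.0.2"}]}
BASTION = {"name": "vm-bastionhost", "networkInterfaces": [
    {"subnetwork": "secure-subnet", "networkIP": "10.0.0.3",
     "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}]},
    {"subnetwork": "default", "networkIP": "10.128.0.3"}]}
RULE = {"name": "secure-firewall", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
        "allowed": [{"IPProtocol": "tcp", "ports": [RDP_PORT]}], "targetTags": ["rdp"]}

def run_checks(instances=(SECURE, BASTION), rule=RULE):
    """All findings; an empty list means the deployment matches the lab's design."""
    findings = [p for inst in instances
                for p in check_instance(inst, bastion=inst["name"] == "vm-bastionhost")]
    return findings + check_firewall(rule)
```

To run it against a real project, replace the constructed dicts with `json.load` of the describe output for each instance and rule.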
-
After your Windows instances have been created, create a user account and reset the Windows passwords in order to connect to each instance.
-
The following gcloud commands create a new user called app_admin and reset the password on the hosts vm-bastionhost and vm-securehost, located in the us-central1-a zone:
gcloud compute reset-windows-password vm-bastionhost --user app_admin --zone us-central1-a
Note: Take note of the password that is generated for the user account. You will need this to connect to the bastion host.
gcloud compute reset-windows-password vm-securehost --user app_admin --zone us-central1-a
Note: Take note of the password that is generated for the user account. You will need this to connect to the secure host.
-
Alternatively, you can force a password reset from the Compute Engine console. You will have to repeat this for the second host as the login credentials for that instance will be different.
To connect to the secure host, you have to RDP into the bastion host first, and from there open a second RDP session to connect to the internal private network address of the secure host. A Windows Compute Instance with an external address can be connected to via RDP using the RDP button that appears next to Windows Compute instances in the Compute Instance summary page.
-
Connect to the bastion host using the RDP button in the Compute Engine console.
You can install the Chrome RDP extension for Google Cloud Platform.
-
Go to Compute Engine > VM instances, click RDP on vm-bastionhost, then fill in the username app_admin and the password you copied for vm-bastionhost. When connected to a Windows server, you can launch the Microsoft RDP client using the command mstsc.exe, or you can search for Remote Desktop Manager from the Start menu. This will allow you to connect from the bastion host to other compute instances on the same VPC even if those instances do not have a direct internet connection themselves.
-
Click Search, search for Remote Desktop Connection and run it.
-
Copy and paste the internal IP of vm-securehost, then click Connect.
-
Fill in the username app_admin and the password you copied for vm-securehost.
-
Click Search, type PowerShell, right click and Run as Administrator.
-
Run the following command to install IIS (Internet Information Server):
Install-WindowsFeature -name Web-Server -IncludeManagementTools