Removing Panorama public IP; adding GCP IAP connection info to the ex…

…ample readme

examples/panorama_standalone/README.md

@@ -62,7 +62,9 @@ panorama_public_ips = {
 
 ## Post build
 
-Connect to the panorama instance(s) via SSH using your associated private key and set a password :
+### Connect to Panorama directly via SSH
+
+Connect to the Panorama instance(s) via SSH using your associated private key and set a password:
 
 ```
 ssh [email protected] -i /PATH/TO/YOUR/KEY/id_rsa
@@ -79,10 +81,48 @@ admin@Panorama# commit
 Configuration committed successfully
 ```
 
-## Check access via web UI
+#### Check access via web UI
 
 Use a web browser to access https://x.x.x.x and login with admin and your previously configured password
 
+### Connect to Panorama via GCP IAP
+
+>**Note**: This connection method is required when Panorama doesn't have a public IP address attached to the network interface and there is no IP connectivity from the management workstation to the Panorama's private IP address.
+
+>**Note**: First time access provisioning takes some time. Please run the following command once again if it gets stuck while connecting.
+
+```
+gcloud compute ssh --zone "<ZONE>" "admin@<PANORAMA_VM_INSTANCE_NAME>" --tunnel-through-iap --project "<PROJECT_ID>" -- -i /PATH/TO/YOUR/KEY/id_rsa
+
+
+To increase the performance of the tunnel, consider installing NumPy. For instructions,
+please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the_tcp_upload_bandwidth
+
+Welcome admin.
+admin@Panorama> configure
+Entering configuration mode
+[edit]                                                                                                                                                                                  
+admin@Panorama# set mgt-config users admin password
+Enter password   : 
+Confirm password : 
+
+[edit]                                                                                                                                                                                  
+admin@Panorama# commit
+Configuration committed successfully
+```
+
+#### Check access via web UI
+
+Start IAP TCP forwarding:
+
+```
+gcloud compute start-iap-tunnel <PANORAMA_VM_INSTANCE_NAME> 443 --local-host-port=localhost:4443 --zone=<ZONE> --project <PROJECT_ID>
+```
+
+Use a web browser to access https://localhost:4443 and login with admin and your previously configured password.
+
+>**Note**: Because IAP TCP forwarding is using multiple source IP addresses, you might see a connection reset right after successful Panorama login. In that case, reestablish IAP TCP forwarding and try logging in again.
+
 ## Reference
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
 ### Requirements

examples/panorama_standalone/example.tfvars

@@ -22,12 +22,19 @@ networks = {
     }
     firewall_rules = {
       "allow-panorama-ingress" = {
-        name             = "panorama-mgmt"
-        source_ranges    = ["1.1.1.1/32", "2.2.2.2/32"]
+        name             = "allow-panorama-ingress"
+        source_ranges    = ["172.21.21.0/24"] # Set your own management source IP range. 
         priority         = "1000"
         allowed_protocol = "all"
         allowed_ports    = []
       }
+      "allow-cloudiap-ingress" = {
+        name             = "allow-cloudiap-ingress"
+        source_ranges    = ["35.235.240.0/20"] # 35.235.240.0/20 corresponds to Cloud IAP. 
+        priority         = "1000"
+        allowed_protocol = "tcp"
+        allowed_ports    = [22, 443]
+      }
     }
   }
 }
@@ -42,7 +49,7 @@ panoramas = {
     subnetwork_key    = "panorama-sub"
     panorama_version  = "panorama-byol-1000"
     ssh_keys          = "admin:<ssh-rsa AAAA...>"
-    attach_public_ip  = true
+    attach_public_ip  = false
     private_static_ip = "172.21.21.2"
   }
 }

modules/panorama/main.tf

@@ -50,6 +50,7 @@ resource "google_compute_instance" "this" {
   metadata = merge({
     serial-port-enable = true
     ssh-keys           = var.ssh_keys
+    enable-oslogin     = false
   }, var.metadata)
 
   service_account {