
How can I set a firewall rule to allow SSH to an instance from Google Cloud Console only

I could allow the IP of a bastion host, but how do I allow the IP of Google Cloud Console in a firewall rule?

rraj gautam asked Oct 23 '25 19:10


1 Answer

1. If you use the default network configuration, Compute Engine creates firewall rules that allow TCP connections through port 22 for you. You can see them in the GCP Console:

GCP Console => VPC network => Firewall rules

The Default network has preconfigured firewall rules that allow all instances in the network to talk with each other. In particular, these firewall rules allow ICMP, RDP, and SSH ingress traffic from anywhere (0.0.0.0/0). There should be an Ingress firewall rule for SSH: default-allow-ssh.

2. If you use a custom network, the firewall rule for SSH should be created manually.

With Cloud Console

GCP Console => VPC network => Firewall rules => Create Firewall Rule 
    Name:   mynet-allow-ssh
    Network:    mynet
    Targets:    All instances in the network
    Source filter:  IP Ranges
    Source IP ranges:   0.0.0.0/0 
    Protocols and ports:    Specified protocols and ports
        tcp: ports 22 

With command line

$ gcloud compute --project=myproject firewall-rules create mynet-allow-ssh --direction=INGRESS --priority=1000 --network=mynet --action=ALLOW --rules=tcp:22 --source-ranges=0.0.0.0/0

For more details see Compute Engine => Documentation => Connecting to instances

Speaking about whitelisting an "IP of Google Cloud Console" for the case when you press the "SSH" button in the Cloud Console, this is rather unfeasible because the SSH connection is established over HTTPS via a relay server that could have an unpredictable address from Google's external pool of IPs. Use of a bastion host with a single static IP is more rational from this perspective.

mebius99 answered Oct 27 '25 01:10