# Build and Secure Networks in Google Cloud **Securing Virtual Machines using BeyondCorp Enterprise (BCE)** :::success **Insight** 1. Enable IAP TCP forwarding in your Google Cloud project 2. Create Linux and Windows Instances 3. Configure the required firewall rules for BCE 4. Grant permissions to use IAP TCP forwarding 5. Use IAP Desktop to Connect to the Windows and Linux Instances 6. Demonstrate tunneling using SSH and RDP connections ::: --- **Multiple VPC Networks** :::success **Insight** 1. Create custom mode VPC networks with firewall rules 2. Create VM instances 3. Explore the connectivity between VM instances 4. Create a VM instance with multiple network interfaces ::: --- **VPC Networks - Controlling Access** :::success **Insight** 1. Create the web servers 2. Create the firewall rule 3. Explore the Network and Security Admin roles ::: --- **HTTP Load Balancer with Cloud Armor** :::success **Insight** 1. Configure HTTP and health check firewall rules 2. Configure instance templates and create instance groups 3. Configure the HTTP Load Balancer 4. Test the HTTP Load Balancer 5. Denylist the siege-vm ::: * Which of these fields identify the region of the backend? Server Location * The HTTP load balancer should forward traffic to the region that is closest to you. True --- **Create an Internal Load Balancer** :::success **Insight** 1. Configure HTTP and health check firewall rules 2. Configure instance templates and create instance groups 3. Configure the Internal Load Balancer 4. Test the Internal Load Balancer ::: * Which of these fields identify the location of the backend? Server Hostname, Server Location --- **Build and Secure Networks in Google Cloud: Challenge Lab** <!-- [Challenge Lab](https://medium.com/@prithishghosh/build-and-secure-networks-in-google-cloud-challenge-lab-afb8436b0179) --> > Detailed Tutorial of Task — 1 ``` gcloud compute firewall-rules delete open-access ``` And type "Y" > Detailed Tutorial of Task — 2 ``` gcloud compute instances start bastion ``` And type "n" Output: No zone specified. Using zone [us-east4-c] for instance: [bastion] > Detailed Tutorial of Task — 3 ``` gcloud compute firewall-rules create ssh-ingress --allow=tcp:22 --source-ranges 35.235.240.0/20 --target-tags grant-ssh-iap-ingress-ql-457 --network acme-vpc ``` ``` gcloud compute instances add-tags bastion --tags=grant-ssh-iap-ingress-ql-457 --zone=us-east4-c ``` > Detailed Tutorial of Task — 4 ``` gcloud compute firewall-rules create http-ingress --allow=tcp:80 --source-ranges 0.0.0.0/0 --target-tags grant-http-ingress-ql-457 --network acme-vpc ``` ``` gcloud compute instances add-tags juice-shop --tags=grant-http-ingress-ql-457 --zone=us-east4-c ``` > Detailed Tutorial of Task — 5 ``` gcloud compute firewall-rules create internal-ssh-ingress --allow=tcp:22 --source-ranges 192.168.10.0/24 --target-tags grant-ssh-internal-ingress-ql-457 --network acme-vpc ``` ``` gcloud compute instances add-tags juice-shop --tags=grant-ssh-internal-ingress-ql-457 --zone=us-east4-c ``` > Detailed Tutorial of Task — 6 In the Compute Engine instances page, click the SSH button for the bastion host. Once connected, SSH to `juice-shop`. ``` ssh [Internal IP address of juice-shop] ```