Access to Cloud console through a VPN

Hello,

I want only specific IPs to be able to access my GCP to improve security. We already configured the IPs to be allowed in GCP, and now we want GCP traffic to go through our VPN in order to have the specific IP allowed.

On our computers, only a part of our traffic is supposed to go through our VPN. We configured it so that admin.google.com and console.cloud.google.com will go through our VPN, and so far we see some traffic to these 2 URLs going through the VPN as intended.

However, we can’t access everything in GCP; there are still some blockages. And when we check the logs and look at our source IP address, our personal IP is shown, not the one from the VPN (which works perfectly well for other similar use cases).

I suspect that there are more URLs that need to go through the VPN (in addition to admin.google.com and console.cloud.google.com), but I can’t find which ones in the GCP docs.

Has anyone had the same issue? Do you know which URLs could be needed to solve it?

Thx for your help

Are you talking about accessing resources running in GCP or about accessing GCP APIs and services? What’s the point of pushing traffic to console.cloud.google.com via VPN??

The aim is to access GCP APIs and services, for admins mostly.
The use of the VPN was to be able to give a specific IP, and only these specific IPs would be able to access it.

But this would restrict only traffic coming from devices which are managed by you, right? So a ‘non-admin’ could just use their credentials to log in from another (personal) device?

In fact, our projects are only accessible from a specific set of IPs. So anyone would need both credentials and the correct IP to reach them.

But it seems that I need to whitelist additional URLs, and there is no way to find which :confused: