{"id":573,"date":"2025-05-11T12:14:32","date_gmt":"2025-05-11T03:14:32","guid":{"rendered":"https:\/\/tako.nakano.net\/blog\/?p=573"},"modified":"2025-05-11T12:14:32","modified_gmt":"2025-05-11T03:14:32","slug":"vpn-and-bucket-ip-filtering","status":"publish","type":"post","link":"https:\/\/tako.nakano.net\/blog\/2025\/05\/vpn-and-bucket-ip-filtering\/","title":{"rendered":"VPN and Bucket IP Filtering"},"content":{"rendered":"

VPN \u3068 Bucket IP Filtering<\/h1>\n

English follows Japanese.<\/p>\n

\u672c\u8a18\u4e8b\u306e\u76ee\u7684<\/h2>\n

\u672c\u8a18\u4e8b\u306e\u76ee\u7684\u306f2\u3064\u3042\u308b\u3002<\/p>\n

\u526f\u6b21\u7684\u306a\u76ee\u7684\u306f\u30012\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u9593\u306e Cloud VPN \u306e\u69cb\u6210\u3092\u3001gcloud<\/code> \u30b3\u30de\u30f3\u30c9\u306e\u307f\u3067\u884c\u3046\u4f8b\u3092\u793a\u3059\u3053\u3068\u3067\u3042\u308b\u3002\u7c21\u5358\u306b\u691c\u7d22\u3057\u305f\u9650\u308a\u3067\u306f\u3001Google Cloud \u306e\u516c\u5f0f\u6587\u66f8\uff08\u305f\u3060\u3057\u3001\u540c\u4e00\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u5185\uff09\u4ee5\u5916\u306b\u3001Web UI \u3092\u4f7f\u3063\u305f\u69cb\u6210\u4f8b\u306f\u3042\u3063\u305f\u304c\u3001gcloud<\/code> \u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u3063\u305f\u69cb\u6210\u4f8b\u306f\u898b\u3064\u304b\u3089\u306a\u304b\u3063\u305f\u3002<\/p>\n

\u3082\u3046\u3072\u3068\u3064\u306e\u76ee\u7684\u306f\u3001Cloud Storage \u306e\u65b0\u6a5f\u80fd\u3067\u3042\u308b Bucket IP Filtering \u3092\u3001VPN \u63a5\u7d9a\u306e\u63a5\u7d9a\u5148\u304b\u3089\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u304b\u691c\u8a3c\u3059\u308b\u3053\u3068\u3067\u3042\u308b\u3002<\/p>\n

\u7d50\u8ad6: VPN \u63a5\u7d9a\u306e\u63a5\u7d9a\u5148\u304b\u3089\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u3002\u3053\u308c\u306f\u3044\u3044\u3002<\/p>\n

\u672c\u8a18\u4e8b\u306f\u3001Google Cloud \u306e\u57fa\u672c\u7684\u306a VPC, IAM, Cloud Storage \u306e\u77e5\u8b58\u304c\u3042\u308b\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u30a8\u30f3\u30b8\u30cb\u30a2\u3084\u30af\u30e9\u30a6\u30c9\u30a2\u30fc\u30ad\u30c6\u30af\u30c8\u3092\u5bfe\u8c61\u3068\u3057\u3066\u3044\u308b\u3002<\/p>\n

2\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u9593\u306e VPN \u306b\u3064\u3044\u3066\u306f\u3001Google Cloud \u306e\u516c\u5f0f\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u4ee5\u5916\u306e\u60c5\u5831\u304c\u898b\u3064\u304b\u3089\u306a\u304b\u3063\u305f\u305f\u3081\u3001gcloud<\/code> \u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u3063\u305f\u69cb\u6210\u4f8b\u3092\u793a\u3059\uff08\u5bfe\u5411\u304c\u3001\u30aa\u30f3\u30d7\u30ec\u30df\u30b9 \u30eb\u30fc\u30bf\u30fc\u306e\u4f8b\u306f\u3001\u5f53\u305f\u308a\u524d\u3060\u304c\u7d50\u69cb\u3042\u3063\u305f\uff09\u3002<\/p>\n

Bucket IP Filtering \u3068\u306f<\/h2>\n

Cloud Storage \u306e Bucket IP filtering \u6a5f\u80fd\u306f\u3001Cloud Storage \u306e\u30d0\u30b1\u30c3\u30c8\u306b\u5bfe\u3057\u3066\u3001\u7279\u5b9a\u306e IP \u30a2\u30c9\u30ec\u30b9\u7bc4\u56f2\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u306e\u307f\u3092\u8a31\u53ef\u3059\u308b\u3088\u3046\u306a\u3001\u30a2\u30af\u30bb\u30b9\u5236\u5fa1\u6a5f\u80fd\u3067\u3042\u308b\u30d0\u30b1\u30c3\u30c8 IP \u30d5\u30a3\u30eb\u30bf\u30ea\u30f3\u30b0<\/a>\u3002
\n2024-11-14\u306b Public Preview \u3068\u3057\u3066\u30ea\u30ea\u30fc\u30b9<\/a>\u3055\u308c\u3066\u3044\u308b\u3002<\/p>\n

VPN \u3067\u4f7f\u3048\u308b\uff1f<\/h2>\n

\u3042\u308b\u4f1a\u793e\u304c\u300c\u793e\u5185\u304b\u3089\u3057\u304b\u898b\u3089\u308c\u306a\u3044\u300d\u3088\u3046\u306a\u300c\u6c4e\u7528\u306e\u30d5\u30a1\u30a4\u30eb\u7f6e\u304d\u5834\u300d\u3092\u4f5c\u308a\u305f\u3044\u3068\u8003\u3048\u305f\u3068\u304d\u3001Cloud Storage \u306e Bucket IP filtering \u6a5f\u80fd\u304c\u5f79\u306b\u7acb\u3064\u304b\u3082\u3057\u308c\u306a\u3044\u3002<\/p>\n

Global IP \u3092 CIDR range \u3067\u6307\u5b9a\u3067\u304d\u308b\u305f\u3081\u3001\u5404\u62e0\u70b9\u306b\u56fa\u5b9a IP \u3092\u6301\u305f\u305b\u3066\u3044\u308b\u5834\u5408\u306b\u306f\u3001Cloud Storage \u306e Bucket IP filtering \u6a5f\u80fd\u3092\u4f7f\u3046\u3053\u3068\u3067\u3001\u7279\u5b9a\u306e\u62e0\u70b9\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u306e\u307f\u3092\u8a31\u53ef\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u308b\u3002<\/p>\n

  "publicNetworkSource": {\n    "allowedIpCidrRanges": [\n      "${YOUR_IP}\/32"\n    ],\n  }<\/code><\/pre>\n
\u3082\u3046\u3072\u3068\u3064\u3001\u826f\u304f\u3042\u308b Google Cloud \u306e\u5229\u7528\u306e\u4ed5\u65b9\u3068\u3057\u3066\u306f\u3001VPN \u306e\u69cb\u6210\u304c\u3042\u3052\u3089\u308c\u308b\u3060\u308d\u3046\u3002Cloud Storage \u30d0\u30b1\u30c3\u30c8\u304c\u3001VPN \u63a5\u7d9a\u306e\u63a5\u7d9a\u5148\u3060\u3051\u304b\u3089\u30a2\u30af\u30bb\u30b9\u53ef\u80fd\u3060\u3068\u3059\u308b\u3068\u3001\u4ed6\u306b\u8003\u3048\u308b\u3053\u3068\u304c\u306a\u304f\u306a\u308b\u305f\u3081\u3001\u975e\u5e38\u306b\u4fbf\u5229\u3060\u3002<\/p>\n
\u30aa\u30f3\u30d7\u30ec\u30df\u30b9 \u30db\u30b9\u30c8\u306e\u9650\u5b9a\u516c\u958b\u306e Google \u30a2\u30af\u30bb\u30b9\u3092\u69cb\u6210\u3059\u308b<\/a>\u306b\u306f\u3001<\/p>\n
\n
\u30aa\u30f3\u30d7\u30ec\u30df\u30b9 \u30db\u30b9\u30c8\u7528\u306e\u9650\u5b9a\u516c\u958b\u306e Google \u30a2\u30af\u30bb\u30b9\u3092\u4f7f\u7528\u3059\u308b\u3068\u3001Cloud VPN \u30c8\u30f3\u30cd\u30eb\u307e\u305f\u306f Cloud Interconnect \u7528\u306e VLAN \u30a2\u30bf\u30c3\u30c1\u30e1\u30f3\u30c8\u3092\u7d4c\u7531\u3057\u3066\u30c8\u30e9\u30d5\u30a3\u30c3\u30af\u3092\u30eb\u30fc\u30c6\u30a3\u30f3\u30b0\u3059\u308b\u3053\u3068\u306b\u3088\u308a\u3001\u30aa\u30f3\u30d7\u30ec\u30df\u30b9 \u30b7\u30b9\u30c6\u30e0\u304b\u3089 Google API \u3068\u30b5\u30fc\u30d3\u30b9\u306b\u63a5\u7d9a\u3067\u304d\u307e\u3059\u3002\u30aa\u30f3\u30d7\u30ec\u30df\u30b9 \u30db\u30b9\u30c8\u7528\u306e\u9650\u5b9a\u516c\u958b\u306e Google \u30a2\u30af\u30bb\u30b9\u306f\u3001\u30a4\u30f3\u30bf\u30fc\u30cd\u30c3\u30c8\u7d4c\u7531\u3067 Google API \u3068\u30b5\u30fc\u30d3\u30b9\u306b\u63a5\u7d9a\u3059\u308b\u305f\u3081\u306e\u4ee3\u66ff\u624b\u6bb5\u3068\u3057\u3066\u4f7f\u7528\u3067\u304d\u307e\u3059\u3002<\/p>\n<\/blockquote>\n
\u3068\u8a18\u8f09\u3055\u308c\u3066\u3044\u308b\u3002\u63a5\u7d9a\u5148\u304b\u3089 private.googleapis.com<\/code> \u7d4c\u7531\u3067 Cloud Storage \u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3068\u304d\u306b\u3001Bucket IP Filtering \u304c\u5229\u7528\u3067\u304d\u308b\u304b\u691c\u8a3c\u3057\u305f\u3044\u3002<\/p>\n
\u4f5c\u696d\u624b\u9806<\/h2>\n
\u57fa\u672c\u7684\u306a\u64cd\u4f5c\u306f\u3001\u3059\u3079\u3066 gcloud<\/code> \u30b3\u30de\u30f3\u30c9\u3067\u884c\u3044\u3001\u30b3\u30d4\u30fc\u3059\u308b\u3060\u3051\u3067\u518d\u73fe\u3067\u304d\u308b\u3053\u3068\u3092\u76ee\u6307\u3059\u3002<\/p>\n
\u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3084\u30d0\u30b1\u30c3\u30c8\u306e\u30ea\u30fc\u30b8\u30e7\u30f3\u306b\u306f us-central1<\/code> \u3092\u6307\u5b9a\u3059\u308b\u3002<\/p>\n
Google Cloud \u30d7\u30ed\u30b8\u30a7\u30af\u30c82\u3064\u306b\u300110.1.0.0\/24, 10.2.0.0\/24 \u306e VPC \u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u3092\u4f5c\u6210\u3057\u3001VPN \u3067\u63a5\u7d9a\u3055\u305b\u308b\u3002
\n10.1.0.0\/24 \u304c\u30db\u30b9\u30c8\u5074\u300110.2.0.0\/24 \u304c\uff08Google Cloud \u4e0a\u3067\u691c\u8a3c\u3059\u308b\u304c\uff09\u30aa\u30f3\u30d7\u30ec\u30df\u30b9\u5074\u3068\u8003\u3048\u308b\u3002<\/p>\n
network-vpn-host 10.1.0.0\/24
\nnetwork-vpn-guest 10.1.1.0\/24<\/p>\n
\u74b0\u5883\u5b9a\u7fa9<\/h3>\n
\u4ee5\u4e0b\u3092\u3001\u518d\u73fe\u74b0\u5883\u306b\u5408\u308f\u305b\u3066\u5b9a\u7fa9\u3059\u308b\u3002<\/p>\n
PROJECT_HOST<\/code> \u306f\u30d0\u30b1\u30c3\u30c8 \u30db\u30b9\u30c8\u3001PROJECT_GUEST<\/code> \u306f\u30aa\u30f3\u30d7\u30ec\u30df\u30b9\u74b0\u5883\u3068\u8003\u3048\u308b\u3002YOUR_IP<\/code> \u306f\u30a2\u30af\u30bb\u30b9\u3092\u8a31\u53ef\u3059\u308b\u30b0\u30ed\u30fc\u30d0\u30eb IP\u3001YOUR_ACCOUNT<\/code> \u306f\u3001\u64cd\u4f5c\u8005\u306e Google \u30a2\u30ab\u30a6\u30f3\u30c8\u3001BILLING_ACCOUNT<\/code> \u306f Google Cloud \u306e\u8ab2\u91d1\u30a2\u30ab\u30a6\u30f3\u30c8\u3092\u8a2d\u5b9a\u3059\u308b\u3002<\/p>\n
SHARED_SECRET<\/code> \u306f\u3001VPN \u63a5\u7d9a\u306e\u305f\u3081\u306e Shared Secret \u3067\u3042\u308b\u3002<\/p>\n
export PROJECT_HOST=host-project\nexport PROJECT_GUEST=guest-project\nexport YOUR_IP=203.0.113.1\nexport YOUR_ACCOUNT=test@example.com\nexport BILLING_ACCOUNT="000000-000000-000000"\n\nexport SHARED_SECRET="bvTtdK7nil68WCYu7+dJ7iYdEmeWCB\/A5Q4lUu2DHac="<\/code><\/pre>\n
Google Cloud \u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u306e\u4f5c\u6210\u30fbAPI \u306e\u6709\u52b9\u5316<\/h3>\n
for project in $PROJECT_HOST $PROJECT_GUEST; do\n  gcloud projects create $project\n  gcloud billing projects link $project --billing-account=$BILLING_ACCOUNT\n  gcloud services enable compute.googleapis.com --project=$project\ndone<\/code><\/pre>\n
\u30d0\u30b1\u30c3\u30c8\u306e\u4f5c\u6210<\/h3>\n
\u30db\u30b9\u30c8\u5074\u306e\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u306b\u3001\u6b21\u306e\u3088\u3046\u306a Cloud Storage \u30d0\u30b1\u30c3\u30c8\u3092\u4f5c\u6210\u3059\u308b\u3002sa \u306f Service Account \u306e\u7565\u304b\u3089\u6765\u3066\u3044\u308b\u3002<\/p>\n
\u57fa\u672c\u7684\u306b allUsers<\/code> \u306b\u5bfe\u3057\u3066\u691c\u8a3c\u3067\u304d\u308c\u3070\u3001\u4eca\u56de\u306e\u76ee\u7684\u306f\u9054\u6210\u3055\u308c\u308b\u304c\u3001\u6298\u89d2\u306a\u306e\u3067\u3001Service Account \u306b\u6a29\u9650\u3092\u4ed8\u4e0e\u3057\u305f\u5834\u5408\u306e\u6319\u52d5\u3082\u78ba\u8a8d\u3057\u3066\u304a\u304f\u3002\u3042\u3068\u3067 ls<\/code> \u3057\u305f\u3044\u306e\u3067\u3001\u30c0\u30df\u30fc\u30d5\u30a1\u30a4\u30eb\u3082\u4f5c\u6210\u3057\u3066\u304a\u304f\u3002<\/p>\n\n\n\n\n\n\n\n\n\n\n
\u30d0\u30b1\u30c3\u30c8\u540d<\/th>\n\u30a2\u30af\u30bb\u30b9\u8a31\u53ef<\/th>\nBucket IP Filtering<\/th>\nnetwork<\/th>\nIP \u7bc4\u56f2<\/th>\n<\/tr>\n<\/thead>\n
public-2025-05<\/td>\nallUsers<\/td>\n\u7121\u52b9<\/td>\nNA<\/td>\nNA<\/td>\n<\/tr>\n
private-2025-05<\/td>\nhost \u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u306e\u307f<\/td>\n\u7121\u52b9<\/td>\nNA<\/td>\nNA<\/td>\n<\/tr>\n
ip-vpn-all-2025-05<\/td>\nallUsers<\/td>\n\u6709\u52b9<\/td>\nnetwork-vpn-host<\/td>\n10.1.0.0\/16<\/td>\n<\/tr>\n
ip-vpn-sa-2025-05<\/td>\n\u691c\u8a3c\u8005\u3001host \u306e\u30b5\u30fc\u30d3\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8<\/td>\n\u6709\u52b9<\/td>\nnetwork-vpn-host<\/td>\n10.1.0.0\/16<\/td>\n<\/tr>\n
ip-allow-all-2025-05<\/td>\nallUsers<\/td>\n\u6709\u52b9<\/td>\npublicNetworkSource, network-vpn-host<\/td>\n10.1.0.0\/16, YOUR_IP<\/code><\/td>\n<\/tr>\n
ip-allow-sa-2025-05<\/td>\n\u691c\u8a3c\u8005\u3001host \u306e\u30b5\u30fc\u30d3\u30b9\u30a2\u30ab\u30a6\u30f3\u30c8<\/td>\n\u6709\u52b9<\/td>\npublicNetworkSource, network-vpn-host<\/td>\n10.1.0.0\/16, YOUR_IP<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
network-vpn-host 10.1.0.0\/24
\nnetwork-vpn-guest 10.1.1.0\/24
\n\u3068\u3057\u305f\u304c\u3001\u300c\u4e21\u65b9\u300d\u3092\u542b\u3080 IP \u7bc4\u56f2\u3068\u3057\u3066\u300110.1.0.0\/16<\/code> \u3092\u6307\u5b9a\u3057\u3066\u3044\u308b\u3002<\/p>\n
gcloud storage buckets create gs:\/\/public-2025-05 --project=$PROJECT_HOST --location=us-central1 --uniform-bucket-level-access\ngcloud storage buckets add-iam-policy-binding gs:\/\/public-2025-05 --member=allUsers --role=roles\/storage.objectViewer --project=$PROJECT_HOST\n\ngcloud storage buckets create gs:\/\/private-2025-05 --project=$PROJECT_HOST --location=us-central1 --uniform-bucket-level-access\n\ngcloud storage buckets create gs:\/\/ip-vpn-all-2025-05 --project=$PROJECT_HOST --location=us-central1 --uniform-bucket-level-access\ngcloud storage buckets add-iam-policy-binding gs:\/\/ip-vpn-all-2025-05 --member=allUsers --role=roles\/storage.objectViewer --project=$PROJECT_HOST\n\ngcloud storage buckets create gs:\/\/ip-vpn-sa-2025-05 --project=$PROJECT_HOST --location=us-central1 --uniform-bucket-level-access\n# \u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u3067\u6a29\u9650\u4ed8\u4e0e\u3059\u308b\u306e\u3067\u3001IAM \u3067\u306e\u6a29\u9650\u4ed8\u4e0e\u306f\u7701\u7565\n\ngcloud storage buckets create gs:\/\/ip-allow-all-2025-05 --project=$PROJECT_HOST --location=us-central1 --uniform-bucket-level-access\ngcloud storage buckets add-iam-policy-binding gs:\/\/ip-allow-all-2025-05 --member=allUsers --role=roles\/storage.objectViewer --project=$PROJECT_HOST\n\ngcloud storage buckets create gs:\/\/ip-allow-sa-2025-05 --project=$PROJECT_HOST --location=us-central1 --uniform-bucket-level-access\n# \u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u3067\u6a29\u9650\u4ed8\u4e0e\u3059\u308b\u306e\u3067\u3001IAM \u3067\u306e\u6a29\u9650\u4ed8\u4e0e\u306f\u7701\u7565\n\nmkdir -p dummy_files\nfor bucket in public private ip-vpn-all ip-vpn-sa ip-allow-all ip-allow-sa; do\n  echo "${bucket}_2025-05.txt" > dummy_files\/${bucket}_2025-05.txt\n  gcloud storage cp dummy_files\/${bucket}_2025-05.txt gs:\/\/${bucket}-2025-05\ndone<\/code><\/pre>\n
VPC \u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u306e\u4f5c\u6210<\/h3>\n
PROJECT_HOST \u306b VPC \u30cd\u30c3\u30c8\u30ef\u30fc\u30af network-vpn-host \u3092\u4f5c\u6210\u3057\u3001PROJECT_GUEST \u306b VPC \u30cd\u30c3\u30c8\u30ef\u30fc\u30af network-vpn-guest \u3092\u4f5c\u6210\u3059\u308b\u3002<\/p>\n
\u524d\u8ff0\u306e\u901a\u308a\u3001<\/p>\n
network-vpn-host 10.1.0.0\/24
\nnetwork-vpn-guest 10.1.1.0\/24<\/p>\n
\u3068\u3059\u308b\u3002<\/p>\n
gcloud compute networks create network-vpn-host --project=$PROJECT_HOST --subnet-mode=custom\ngcloud compute networks subnets create subnet-vpn-host \\\n    --network=network-vpn-host \\\n    --region=us-central1 \\\n    --range=10.1.0.0\/24 \\\n    --project=$PROJECT_HOST\n\ngcloud compute networks create network-vpn-guest --project=$PROJECT_GUEST --subnet-mode=custom\ngcloud compute networks subnets create subnet-vpn-guest \\\n    --network=network-vpn-guest \\\n    --region=us-central1 \\\n    --range=10.1.1.0\/24 \\\n    --project=$PROJECT_GUEST<\/code><\/pre>\n
Public IP \u304c\u3042\u308b\u3068\u3001\u7d4c\u8def\u304c\u5206\u304b\u308a\u306b\u304f\u3044\uff08\u5b9f\u969b\u306b\u306f\u5909\u308f\u3089\u306a\u3044\u306f\u305a\u3060\u304c\uff09\u3002
\nPublic IP \u304c\u306a\u304f\u3066\u3082\u3001SSH \u3067\u63a5\u7d9a\u3067\u304d\u308b\u3088\u3046\u306b\u3001IAP \u306e\u8a2d\u5b9a<\/a>\u3092\u884c\u3046\u3002<\/p>\n
for project in $PROJECT_HOST $PROJECT_GUEST; do\n    gcloud projects add-iam-policy-binding $project \\\n        --member="user:${YOUR_ACCOUNT}" \\\n        --role=roles\/iap.tunnelResourceAccessor\n    gcloud projects add-iam-policy-binding $project \\\n        --member="user:${YOUR_ACCOUNT}" \\\n        --role=roles\/compute.instanceAdmin.v1\ndone\n\ngcloud compute firewall-rules create allow-ssh-ingress-from-iap-vpn \\\n    --direction=INGRESS \\\n    --action=allow \\\n    --rules=tcp:22 \\\n    --source-ranges=35.235.240.0\/20 \\\n    --network=network-vpn-host \\\n    --project=$PROJECT_HOST\n\ngcloud compute firewall-rules create allow-ssh-ingress-from-iap-vpn \\\n    --direction=INGRESS \\\n    --action=allow \\\n    --rules=tcp:22 \\\n    --source-ranges=35.235.240.0\/20 \\\n    --network=network-vpn-guest \\\n    --project=$PROJECT_GUEST<\/code><\/pre>\n
\u307e\u305f\u3001Public IP \u304c\u306a\u304f\u3066\u3082\u3001Google Cloud \u306e\u30b5\u30fc\u30d3\u30b9\u306b\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u3088\u3046\u306b\u3001\u9650\u5b9a\u516c\u958b\u306e Google \u30a2\u30af\u30bb\u30b9\u3092\u69cb\u6210<\/a>\u3059\u308b\u3002<\/p>\n
<\/p>\n
gcloud compute networks subnets update subnet-vpn-host --project=$PROJECT_HOST \\\n    --region=us-central1 \\\n    --enable-private-ip-google-access\n\ngcloud compute networks subnets update subnet-vpn-guest --project=$PROJECT_GUEST \\\n    --region=us-central1 \\\n    --enable-private-ip-google-access\n\n# \u78ba\u8a8d\u3057\u305f\u3044\u5834\u5408\u306b\u306f\u4ee5\u4e0b\u3092\u5b9f\u884c\n# gcloud compute networks subnets describe subnet-vpn-host --project=$PROJECT_HOST \\\n#     --region=us-central1 \\\n#     --format="get(privateIpGoogleAccess)"<\/code><\/pre>\n
VM \u304c\u76f8\u4e92\u306b\u901a\u4fe1\u3067\u304d\u308b\u3088\u3046\u306b\u3001Firewall Rule \u3092\u8a2d\u5b9a\u3059\u308b\u3002<\/p>\n
gcloud compute firewall-rules create allow-internal-ingress-from-vpn \\\n    --direction=INGRESS \\\n    --action=allow \\\n    --rules=all \\\n    --source-ranges=10.1.0.0\/16 \\\n    --network=network-vpn-host \\\n    --project=$PROJECT_HOST\n\ngcloud compute firewall-rules create allow-internal-ingress-from-vpn \\\n    --direction=INGRESS \\\n    --action=allow \\\n    --rules=all \\\n    --source-ranges=10.1.0.0\/16 \\\n    --network=network-vpn-guest \\\n    --project=$PROJECT_GUEST<\/code><\/pre>\n
\u30d7\u30ed\u30b8\u30a7\u30af\u30c8\u9593\u306e VPN \u306e\u8a2d\u5b9a<\/h3>\n
\u4eca\u307e\u3067\u4f5c\u6210\u3057\u305f\u30cd\u30c3\u30c8\u30ef\u30fc\u30af network-vpn-host \u3068 network-vpn-guest \u306e\u9593\u306b VPN \u3092\u8a2d\u5b9a\u3059\u308b\u3002<\/p>\n
BGP \u306e IPv6 \u306b\u3064\u3044\u3066\u306f\u3001\u7701\u304f\u3053\u3068\u306b\u3057\u305f\u3002<\/p>\n
# PROJECT_HOST \u3067\u306e VPN \u8a2d\u5b9a\ngcloud compute vpn-gateways create vpn-host \\\n  --project=$PROJECT_HOST \\\n  --region=us-central1 \\\n  --network=network-vpn-host\n\ngcloud compute routers create cloud-router-host \\\n  --project=$PROJECT_HOST \\\n  --region=us-central1 \\\n  --network network-vpn-host \\\n  --asn 65001\n\n# PROJECT_GUEST \u3067\u306e VPN \u8a2d\u5b9a\ngcloud compute vpn-gateways create vpn-guest \\\n  --project=$PROJECT_GUEST \\\n  --region=us-central1 \\\n  --network=network-vpn-guest\n\ngcloud compute routers create cloud-router-guest \\\n  --project=$PROJECT_GUEST \\\n  --region=us-central1 \\\n  --network network-vpn-guest \\\n  --asn 65002<\/code><\/pre>\n
\u8868\u793a\u3055\u308c\u308b IP \u3092\u63a7\u3048\u3066\u304a\u304f\u3002<\/p>\n
export HOST_INTERFACE0=34.153.55.144\nexport HOST_INTERFACE1=35.220.88.151\n\nexport GUEST_INTERFACE0=35.242.99.80\nexport GUEST_INTERFACE1=34.153.244.91\n\n# \u30c6\u30b9\u30c8\u3057\u3066\u3044\u306a\u3044\u304c\u3001\u4ee5\u4e0b\u3067\u53d6\u5f97\u3067\u304d\u308b\u304b\u3082\nexport HOST_INTERFACE0=$(gcloud compute vpn-gateways describe vpn-host --project=$PROJECT_HOST --region=us-central1 --format='value(vpnInterfaces[0].ipAddress)')\nexport HOST_INTERFACE1=$(gcloud compute vpn-gateways describe vpn-host --project=$PROJECT_HOST --region=us-central1 --format='value(vpnInterfaces[1].ipAddress)')\n\nexport GUEST_INTERFACE0=$(gcloud compute vpn-gateways describe vpn-guest --project=$PROJECT_GUEST --region=us-central1 --format='value(vpnInterfaces[0].ipAddress)')\nexport GUEST_INTERFACE1=$(gcloud compute vpn-gateways describe vpn-guest --project=$PROJECT_GUEST --region=us-central1 --format='value(vpnInterfaces[1].ipAddress)')<\/code><\/pre>\n
# PROJECT_HOST \u3067\u3001\u76f8\u624b\u65b9\u306e\u60c5\u5831\u3092\u767b\u9332\n# guest -> host \u306e VPN \u306e\u5b58\u5728\u767b\u9332\n# \u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3092\u5229\u7528\u3057\u305f\u3044\u304c\u3001\n# > You cannot provide interface with IP address associated with HA VPN gateway of Google Cloud.\n# \u3068\u51fa\u308b\u306e\u3067\u3001`projects\/${PROJECT_GUEST}\/regions\/us-central1\/vpnGateways\/vpn-guest` \u3092\u6307\u5b9a\u3059\u308b\n\n# gcloud compute external-vpn-gateways create vpngw-guest-host \\\n#   --project=$PROJECT_HOST \\\n#   --interfaces=0=${GUEST_INTERFACE0},1=${GUEST_INTERFACE1}\n\ngcloud compute vpn-tunnels create tunnel-host-guest-0 \\\n  --project=$PROJECT_HOST \\\n  --region=us-central1 \\\n  --peer-gcp-gateway=projects\/${PROJECT_GUEST}\/regions\/us-central1\/vpnGateways\/vpn-guest \\\n  --ike-version=2 \\\n  --shared-secret=$SHARED_SECRET \\\n  --router=cloud-router-host \\\n  --vpn-gateway=vpn-host \\\n  --interface=0\n\ngcloud compute vpn-tunnels create tunnel-host-guest-1 \\\n  --project=$PROJECT_HOST \\\n  --region=us-central1 \\\n  --peer-gcp-gateway=projects\/${PROJECT_GUEST}\/regions\/us-central1\/vpnGateways\/vpn-guest \\\n  --ike-version=2 \\\n  --shared-secret=$SHARED_SECRET \\\n  --router=cloud-router-host \\\n  --vpn-gateway=vpn-host \\\n  --interface=1\n\n# PROJECT_GUEST \u3067\u3001\u76f8\u624b\u65b9\u306e\u60c5\u5831\u3092\u767b\u9332\n# host -> guest \u306e VPN \u306e\u5b58\u5728\u767b\u9332\n# gcloud compute external-vpn-gateways create vpngw-host-guest \\\n#   --project=$PROJECT_GUEST \\\n#   --interfaces=0=${HOST_INTERFACE0},1=${HOST_INTERFACE1}\n\ngcloud compute vpn-tunnels create tunnel-guest-host-0 \\\n  --project=$PROJECT_GUEST \\\n  --region=us-central1 \\\n  --peer-gcp-gateway=projects\/${PROJECT_HOST}\/regions\/us-central1\/vpnGateways\/vpn-host \\\n  --ike-version=2 \\\n  --shared-secret=$SHARED_SECRET \\\n  --router=cloud-router-guest \\\n  --vpn-gateway=vpn-guest \\\n  --interface=0\n\ngcloud compute vpn-tunnels create tunnel-guest-host-1 \\\n  --project=$PROJECT_GUEST \\\n  --region=us-central1 \\\n  --peer-gcp-gateway=projects\/${PROJECT_HOST}\/regions\/us-central1\/vpnGateways\/vpn-host \\\n  --ike-version=2 \\\n  --shared-secret=$SHARED_SECRET \\\n  --router=cloud-router-guest \\\n  --vpn-gateway=vpn-guest \\\n  --interface=1<\/code><\/pre>\n
BGP \u306e\u8a2d\u5b9a<\/p>\n
# HOST\ngcloud compute routers add-interface cloud-router-host \\\n  --project=$PROJECT_HOST \\\n  --interface-name=if-tunnel-host-guest-0 \\\n  --vpn-tunnel=tunnel-host-guest-0 \\\n  --region=us-central1 \\\n  --ip-version=IPV4\n\ngcloud compute routers add-bgp-peer cloud-router-host \\\n  --project=$PROJECT_HOST \\\n  --region=us-central1 \\\n  --peer-name=peer-tunnel-host-guest-0 \\\n  --interface=if-tunnel-host-guest-0 \\\n  --peer-asn=65002\n\n# AI Suggest below:\n# BGP_PEER_IP_HOST_TUNNEL_0=$(gcloud compute routers get-status cloud-router-host --project=$PROJECT_HOST --region=us-central1 --format='flattened(result.bgpPeerStatus[].name,result.bgpPeerStatus[].ipAddress,result.bgpPeerStatus[].peerIpAddress)' | grep tunnel-host-guest-0 | awk '{print $3}')\n# BGP_ROUTER_IP_HOST_TUNNEL_0=$(gcloud compute routers get-status cloud-router-host --project=$PROJECT_HOST --region=us-central1 --format='flattened(result.bgpPeerStatus[].name,result.bgpPeerStatus[].ipAddress,result.bgpPeerStatus[].peerIpAddress)' | grep tunnel-host-guest-0 | awk '{print $2}')<\/code><\/pre>\n
gcloud compute routers describe cloud-router-host \\\n  --project=$PROJECT_HOST \\\n  --region=us-central1<\/code><\/pre>\n
peerIpAddress<\/code> \u3092\u78ba\u8a8d\u3057\u3001\u76f8\u624b\u65b9\u306b\u60f3\u5b9a\u3055\u308c\u3066\u3044\u308b IP \u3092\u624b\u52d5\u3067\u8a2d\u5b9a\u3059\u308b\u3002<\/p>\n
# GUEST\ngcloud compute routers add-interface cloud-router-guest \\\n  --project=$PROJECT_GUEST \\\n  --interface-name=if-tunnel-guest-host-0 \\\n  --ip-address=169.254.0.250 \\\n  --mask-length=30 \\\n  --vpn-tunnel=tunnel-guest-host-0 \\\n  --region=us-central1 \\\n  --ip-version=IPV4\n\ngcloud compute routers add-bgp-peer cloud-router-guest \\\n  --project=$PROJECT_GUEST \\\n  --region=us-central1 \\\n  --peer-name=peer-tunnel-guest-host-0 \\\n  --interface=if-tunnel-guest-host-0 \\\n  --peer-asn=65001 \\\n  --peer-ip-address=169.254.0.249<\/code><\/pre>\n
\u8a2d\u5b9a\u306e\u78ba\u8a8d<\/p>\n
gcloud compute routers describe cloud-router-host \\\n  --project=$PROJECT_HOST \\\n  --region=us-central1\n\ngcloud compute routers describe cloud-router-guest \\\n  --project=$PROJECT_GUEST \\\n  --region=us-central1<\/code><\/pre>\n
VM \u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u306e\u4f5c\u6210<\/h3>\n
\u305d\u308c\u305e\u308c\u306e VPC \u30cd\u30c3\u30c8\u30ef\u30fc\u30af\u306b VM \u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u3092\u4f5c\u6210\u3059\u308b\u3002no-address<\/code> \u3092\u6307\u5b9a\u3057\u3066\u3001Public IP \u3092\u6301\u305f\u306a\u3044 VM \u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u3068\u3057\u3066\u3044\u308b\u3002<\/p>\n
gcloud compute instances create vm-host-vpn \\\n    --project=$PROJECT_HOST \\\n    --zone=us-central1-f \\\n    --machine-type=e2-micro \\\n    --network-interface=stack-type=IPV4_ONLY,subnet=subnet-vpn-host,no-address \\\n    --scopes=https:\/\/www.googleapis.com\/auth\/cloud-platform \\\n    --boot-disk-size 10GB \\\n    --boot-disk-type pd-standard \\\n    --image-project debian-cloud \\\n    --image-family debian-12\n\ngcloud compute instances create vm-guest-vpn \\\n    --project=$PROJECT_GUEST \\\n    --zone=us-central1-f \\\n    --machine-type=e2-micro \\\n    --network-interface=stack-type=IPV4_ONLY,subnet=subnet-vpn-guest,no-address \\\n    --scopes=https:\/\/www.googleapis.com\/auth\/cloud-platform \\\n    --boot-disk-size 10GB \\\n    --boot-disk-type pd-standard \\\n    --image-project debian-cloud \\\n    --image-family debian-12<\/code><\/pre>\n
\u5404 VM \u30a4\u30f3\u30b9\u30bf\u30f3\u30b9\u306b\u306f\u3001\u6b21\u306e\u3088\u3046\u306b\u3057\u3066 SSH \u63a5\u7d9a\u3067\u304d\u308b\u3002<\/p>\n
gcloud compute ssh --zone=us-central1-f vm-host-vpn --tunnel-through-iap --project $PROJECT_HOST\ngcloud compute ssh --zone=us-central1-f vm-guest-vpn --tunnel-through-iap --project $PROJECT_GUEST<\/code><\/pre>\n
10.1.0.3 \u304c\u30db\u30b9\u30c8\u5074\u306e VM \u30a4\u30f3\u30b9\u30bf\u30f3\u30b9 IP\u300110.1.1.3 \u304c\u30b2\u30b9\u30c8\u5074\u306e VM \u30a4\u30f3\u30b9\u30bf\u30f3\u30b9 IP \u3067\u3042\u3063\u305f\u3002
\n\u30b2\u30b9\u30c8\u5074\u304b\u3089 ping \u3057\u3066\u3001\u758e\u901a\u3067\u304d\u3066\u3044\u308c\u3070\u3001\u554f\u984c\u304c\u306a\u3044\u3002<\/p>\n
ping 10.1.0.3<\/code><\/pre>\n
Bucket IP Filtering \u306e\u691c\u8a3c<\/h2>\n
Access Check Part 1<\/h3>\n
\u307e\u305a\u306f\u3001\u5404 VM \u304b\u3089\u3001\u30d0\u30b1\u30c3\u30c8\u306b\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u304b\u3092\u78ba\u8a8d\u3059\u308b\u3002ls_all_buckets.sh<\/code> \u3092\u5404 VM \u304b\u3089\u5b9f\u884c\u3057\u3066\u3001\u30d0\u30b1\u30c3\u30c8\u4e00\u89a7\u3092\u78ba\u8a8d\u3059\u308b\u3002<\/p>\n
for bucket_prefix in public private ip-vpn-all ip-vpn-sa ip-allow-all ip-allow-sa; do\n  echo "gs:\/\/${bucket_prefix}-2025-05\/"\n  gcloud storage ls gs:\/\/${bucket_prefix}-2025-05\/\ndone<\/code><\/pre>\n
vm-host-vpn:<\/p>\n
.\/ls_all_buckets.sh \ngs:\/\/public-2025-05\/\ngs:\/\/public-2025-05\/public_2025-05.txt\ngs:\/\/private-2025-05\/\ngs:\/\/private-2025-05\/private_2025-05.txt\ngs:\/\/ip-vpn-all-2025-05\/\ngs:\/\/ip-vpn-all-2025-05\/ip-vpn-all_2025-05.txt\ngs:\/\/ip-vpn-sa-2025-05\/\ngs:\/\/ip-vpn-sa-2025-05\/ip-vpn-sa_2025-05.txt\ngs:\/\/ip-allow-all-2025-05\/\ngs:\/\/ip-allow-all-2025-05\/ip-allow-all_2025-05.txt\ngs:\/\/ip-allow-sa-2025-05\/\ngs:\/\/ip-allow-sa-2025-05\/ip-allow-sa_2025-05.txt<\/code><\/pre>\n
vm-guest-vpn:<\/p>\n
gs:\/\/public-2025-05\/\ngs:\/\/public-2025-05\/public_2025-05.txt\ngs:\/\/private-2025-05\/\nERROR: (gcloud.storage.ls) [886786442757-compute@developer.gserviceaccount.com] does not have permission to access b instance [private-2025-05] (or it may not exist): 886786442757-compute@developer.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). This command is authenticated as 886786442757-compute@developer.gserviceaccount.com which is the active account specified by the [core\/account] property.\ngs:\/\/ip-vpn-all-2025-05\/\ngs:\/\/ip-vpn-all-2025-05\/ip-vpn-all_2025-05.txt\ngs:\/\/ip-vpn-sa-2025-05\/\nERROR: (gcloud.storage.ls) [886786442757-compute@developer.gserviceaccount.com] does not have permission to access b instance [ip-vpn-sa-2025-05] (or it may not exist): 886786442757-compute@developer.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). This command is authenticated as 886786442757-compute@developer.gserviceaccount.com which is the active account specified by the [core\/account] property.\ngs:\/\/ip-allow-all-2025-05\/\ngs:\/\/ip-allow-all-2025-05\/ip-allow-all_2025-05.txt\ngs:\/\/ip-allow-sa-2025-05\/\nERROR: (gcloud.storage.ls) [886786442757-compute@developer.gserviceaccount.com] does not have permission to access b instance [ip-allow-sa-2025-05] (or it may not exist): 886786442757-compute@developer.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). This command is authenticated as 886786442757-compute@developer.gserviceaccount.com which is the active account specified by the [core\/account] property.<\/code><\/pre>\n
\u4e0a\u8a18\u306e\u3088\u3046\u306b\u3001vm-host-vpn \u304b\u3089\u306f\u3059\u3079\u3066\u306e\u30d0\u30b1\u30c3\u30c8\u306b\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u304c\u3001vm-guest-vpn \u304b\u3089\u306f\u3001public-2025-05<\/code> \u3068 ip-vpn-all-2025-05<\/code> \u306e\u307f\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u3002<\/p>\n
Bucket IP Filtering \u306e\u8a2d\u5b9a<\/h3>\n
ip-vpn-all-2025-05 \u3068 ip-vpn-sa-2025-05 \u306e\u30d0\u30b1\u30c3\u30c8\u306b\u3001Bucket IP Filtering \u3092\u8a2d\u5b9a\u3059\u308b\u3002<\/p>\n
cat <<EOF > ip-filter-vpn.json\n{\n  "mode": "Enabled",\n  "vpcNetworkSources": [\n    {\n      "network": "projects\/$PROJECT_HOST\/global\/networks\/network-vpn-host",\n      "allowedIpCidrRanges": [\n        "10.1.0.0\/16"\n      ]\n    }\n  ]\n}\nEOF<\/code><\/pre>\n
ip-filter-allow.json<\/code> \u3092\u4f5c\u6210\u3059\u308b\u3002<\/p>\n
cat <<EOF > ip-filter-allow.json\n{\n  "mode": "Enabled",\n  "publicNetworkSource": {\n    "allowedIpCidrRanges": [\n      "${YOUR_IP}\/32"\n    ]\n  },\n  "vpcNetworkSources": [\n    {\n      "network": "projects\/$PROJECT_HOST\/global\/networks\/network-vpn-host",\n      "allowedIpCidrRanges": [\n        "10.1.0.0\/16"\n      ]\n    }\n  ]\n}\nEOF<\/code><\/pre>\n
Bucket IP Filtering \u3092\u8a2d\u5b9a\u3059\u308b\u3002<\/p>\n
for bucket_prefix in ip-vpn-all ip-vpn-sa; do\n  gcloud alpha storage buckets update gs:\/\/${bucket_prefix}-2025-05 --project=$PROJECT_HOST --ip-filter-file=ip-filter-vpn.json\ndone\n\nfor bucket_prefix in ip-allow-all ip-allow-sa; do\n  gcloud alpha storage buckets update gs:\/\/${bucket_prefix}-2025-05 --project=$PROJECT_HOST --ip-filter-file=ip-filter-allow.json\ndone<\/code><\/pre>\n
.\/configure_ip_filtering.sh.sh \nUpdating gs:\/\/ip-vpn-all-2025-05\/...\n  Completed 1\nUpdating gs:\/\/ip-vpn-sa-2025-05\/...\n  Completed 1\nUpdating gs:\/\/ip-allow-all-2025-05\/...\n  Completed 1\nUpdating gs:\/\/ip-allow-sa-2025-05\/...\n  Completed 1<\/code><\/pre>\n
Access Check Part 2<\/h3>\n
vm-host-vpn:<\/p>\n
.\/ls_all_buckets.sh\ngs:\/\/public-2025-05\/\ngs:\/\/public-2025-05\/public_2025-05.txt\ngs:\/\/private-2025-05\/\ngs:\/\/private-2025-05\/private_2025-05.txt\ngs:\/\/ip-vpn-all-2025-05\/\ngs:\/\/ip-vpn-all-2025-05\/ip-vpn-all_2025-05.txt\ngs:\/\/ip-vpn-sa-2025-05\/\ngs:\/\/ip-vpn-sa-2025-05\/ip-vpn-sa_2025-05.txt\ngs:\/\/ip-allow-all-2025-05\/\ngs:\/\/ip-allow-all-2025-05\/ip-allow-all_2025-05.txt\ngs:\/\/ip-allow-sa-2025-05\/\ngs:\/\/ip-allow-sa-2025-05\/ip-allow-sa_2025-05.txt<\/code><\/pre>\n
vm-guest-vpn:<\/p>\n
.\/ls_all_buckets.sh\ngs:\/\/public-2025-05\/\ngs:\/\/public-2025-05\/public_2025-05.txt\ngs:\/\/private-2025-05\/\nERROR: (gcloud.storage.ls) [886786442757-compute@developer.gserviceaccount.com] does not have permission to access b instance [private-2025-05] (or it may not exist): 886786442757-compute@developer.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). This command is authenticated as 886786442757-compute@developer.gserviceaccount.com which is the active account specified by the [core\/account] property.\ngs:\/\/ip-vpn-all-2025-05\/\nERROR: (gcloud.storage.ls) [886786442757-compute@developer.gserviceaccount.com] does not have permission to access b instance [ip-vpn-all-2025-05] (or it may not exist): There is an IP filtering condition that is preventing access to the resource. This command is authenticated as 886786442757-compute@developer.gserviceaccount.com which is the active account specified by the [core\/account] property.\ngs:\/\/ip-vpn-sa-2025-05\/\nERROR: (gcloud.storage.ls) [886786442757-compute@developer.gserviceaccount.com] does not have permission to access b instance [ip-vpn-sa-2025-05] (or it may not exist): 886786442757-compute@developer.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). This command is authenticated as 886786442757-compute@developer.gserviceaccount.com which is the active account specified by the [core\/account] property.\ngs:\/\/ip-allow-all-2025-05\/\nERROR: (gcloud.storage.ls) [886786442757-compute@developer.gserviceaccount.com] does not have permission to access b instance [ip-allow-all-2025-05] (or it may not exist): There is an IP filtering condition that is preventing access to the resource. This command is authenticated as 886786442757-compute@developer.gserviceaccount.com which is the active account specified by the [core\/account] property.\ngs:\/\/ip-allow-sa-2025-05\/\nERROR: (gcloud.storage.ls) [886786442757-compute@developer.gserviceaccount.com] does not have permission to access b instance [ip-allow-sa-2025-05] (or it may not exist): 886786442757-compute@developer.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). This command is authenticated as 886786442757-compute@developer.gserviceaccount.com which is the active account specified by the [core\/account] property.<\/code><\/pre>\n
vm-guest-vpn \u304b\u3089\u306f\u3001public-2025-05<\/code> \u306e\u307f\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u3002\u305d\u308c\u4ee5\u5916\u306b\u306f\u30a2\u30af\u30bb\u30b9\u3067\u304d\u306a\u3044\u3002IP filtering \u306e\u6709\u7121\u3067\u3001\u30a8\u30e9\u30fc\u30e1\u30c3\u30bb\u30fc\u30b8\u304c\u7570\u306a\u3063\u3066\u3044\u308b\u3002<\/p>\n
\u9759\u7684\u30eb\u30fc\u30c8\u306e\u8ffd\u52a0<\/h3>\n
# gcloud compute routes create private-to-host \\\n#     --project=$PROJECT_GUEST \\\n#     --network=network-vpn-guest \\\n#     --destination-range=199.36.153.8\/30 \\\n#     --priority=200 \\\n#     --next-hop-gateway=projects\/$PROJECT_HOST\/global\/vpnGateways\/vpn-host\n\ngcloud compute routes create private-to-host \\\n    --project=$PROJECT_GUEST \\\n    --network=network-vpn-guest \\\n    --destination-range=199.36.153.8\/30 \\\n    --priority=200 \\\n    --next-hop-vpn-tunnel-region=us-central1 \\\n    --next-hop-vpn-tunnel=tunnel-guest-host-0<\/code><\/pre>\n
\u3010\u53c2\u8003\u3011Cloud Router \u306e\u8a2d\u5b9a\u5909\u66f4<\/h3>\n
Cloud Router \u3092\u4f7f\u7528\u3057\u305f\u30aa\u30f3\u30d7\u30ec\u30df\u30b9 \u30eb\u30fc\u30c6\u30a3\u30f3\u30b0<\/a> \u306b\u3042\u308b\u3088\u3046\u306b\u3001host \u5074\u306e Cloud Router \u304c\u3001private.googleapis.com<\/code> \u30c9\u30e1\u30a4\u30f3\u3067\u4f7f\u7528\u3055\u308c\u308b IP \u7bc4\u56f2\u306e\u30eb\u30fc\u30c8\u3092 guest \u5074\uff08\u30aa\u30f3\u30d7\u30ec\u30df\u30b9\u5074\uff09\u306b\u901a\u77e5\u3067\u304d\u308b\u3002<\/p>\n
\u9759\u7684\u30eb\u30fc\u30c8\u3067\u52d5\u4f5c\u3057\u305f\u305f\u3081\u3001\u4e0a\u8a18\u901a\u77e5 (advertise) \u306e\u624b\u6cd5\u3067\u3082\u52d5\u4f5c\u3059\u308b\u3068\u8003\u3048\u3089\u308c\u308b\u3002\u5177\u4f53\u7684\u306a\u691c\u8a3c\u306f\u884c\u3063\u3066\u3044\u306a\u3044\u305f\u3081\u3001\u662f\u975e\u78ba\u8a8d\u3057\u3066\u307f\u3066\u307b\u3057\u3044\u3002<\/p>\n
Access Check Part 3<\/h3>\n
\u7d50\u8ad6: \u9069\u5207\u306a\u8a2d\u5b9a\u3092\u52a0\u3048\u308b\u3068\u3001gs:\/\/ip-vpn-all-2025-05\/ip-vpn-all_2025-05.txt<\/code> \u3068 gs:\/\/ip-allow-all-2025-05\/ip-allow-all_2025-05.txt<\/code> \u306b\u8ffd\u52a0\u3067\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u3088\u3046\u306b\u306a\u308b\u3002<\/p>\n
\/etc\/hosts<\/code> \u6cd5<\/h4>\n
\u4ee5\u4e0b\u306e\u884c\u3092 \/etc\/hosts<\/code> \u306b\u8ffd\u52a0\u3059\u308b\u3002<\/p>\n
199.36.153.8 storage.googleapis.com<\/code><\/pre>\n
\u3059\u308b\u3068\u3001storage.googleapis.com<\/code> \u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3068\u3001199.36.153.8<\/code> \u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3088\u3046\u306b\u306a\u308b\u3002\u307e\u305f\u3001199.36.153.8\/30<\/code> \u3078\u306e\u30a2\u30af\u30bb\u30b9\u306f\u3001VPN \u7d4c\u7531\u3067\u884c\u308f\u308c\u308b\u9759\u7684\u30eb\u30fc\u30c8\u3092\u8a2d\u5b9a\u3057\u3066\u3044\u308b\u306e\u3067\u3001VPN \u7d4c\u7531\u3067\u30a2\u30af\u30bb\u30b9\u3055\u308c\u308b\u306f\u305a\u3060\u3002<\/p>\n
.\/ls_all_buckets.sh<\/code> \u3092\u518d\u5ea6\u5b9f\u884c\u3057\u3088\u3046\u3002<\/p>\n
.\/ls_all_buckets.sh\ngs:\/\/public-2025-05\/\ngs:\/\/public-2025-05\/public_2025-05.txt\ngs:\/\/private-2025-05\/\nERROR: (gcloud.storage.ls) [886786442757-compute@developer.gserviceaccount.com] does not have permission to access b instance [private-2025-05] (or it may not exist): 886786442757-compute@developer.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). This command is authenticated as 886786442757-compute@developer.gserviceaccount.com which is the active account specified by the [core\/account] property.\ngs:\/\/ip-vpn-all-2025-05\/\ngs:\/\/ip-vpn-all-2025-05\/ip-vpn-all_2025-05.txt\ngs:\/\/ip-vpn-sa-2025-05\/\nERROR: (gcloud.storage.ls) [886786442757-compute@developer.gserviceaccount.com] does not have permission to access b instance [ip-vpn-sa-2025-05] (or it may not exist): 886786442757-compute@developer.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). This command is authenticated as 886786442757-compute@developer.gserviceaccount.com which is the active account specified by the [core\/account] property.\ngs:\/\/ip-allow-all-2025-05\/\ngs:\/\/ip-allow-all-2025-05\/ip-allow-all_2025-05.txt\ngs:\/\/ip-allow-sa-2025-05\/\nERROR: (gcloud.storage.ls) [886786442757-compute@developer.gserviceaccount.com] does not have permission to access b instance [ip-allow-sa-2025-05] (or it may not exist): 886786442757-compute@developer.gserviceaccount.com does not have storage.objects.list access to the Google Cloud Storage bucket. Permission 'storage.objects.list' denied on resource (or it may not exist). This command is authenticated as 886786442757-compute@developer.gserviceaccount.com which is the active account specified by the [core\/account] property.<\/code><\/pre>\n
gs:\/\/ip-vpn-all-2025-05\/ip-vpn-all_2025-05.txt<\/code> \u3068 gs:\/\/ip-allow-all-2025-05\/ip-allow-all_2025-05.txt<\/code> \u306b\u8ffd\u52a0\u3067\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u3088\u3046\u306b\u306a\u3063\u305f\u3002<\/p>\n
Endpoint Override \u6cd5<\/h4>\n
\u9577\u3044\u306e\u3067\u7d50\u8ad6: \/etc\/hosts<\/code> \u3042\u308b\u3044\u306f\u3001DNS \u3092\u7d44\u307f\u5408\u308f\u305b\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/p>\n
\/etc\/hosts<\/code> \u306e\u8a2d\u5b9a\u306f\u5143\u306b\u623b\u3057\u3066\u304a\u304f\u3002<\/p>\n
gcloud<\/code> \u30b3\u30de\u30f3\u30c9\u306f\u3001API \u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u3092\u4e0a\u66f8\u304d\u3059\u308b\u3053\u3068\u304c\u3067\u304d\u308b\u3002<\/p>\n
gcloud config set api_endpoint_overrides\/storage https:\/\/private.googleapis.com\/<\/code><\/pre>\n
\u4e0a\u8a18\u306b\u3088\u3063\u3066\u3001storage.googleapis.com<\/code> \u3067\u306f\u306a\u304f\u3001private.googleapis.com<\/code> \u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b\u3088\u3046\u306b\u306a\u308b\u3002\u307e\u305f\u3001199.36.153.8\/30<\/code> \u3078\u306e\u30a2\u30af\u30bb\u30b9\u306f\u3001VPN \u7d4c\u7531\u3067\u884c\u308f\u308c\u308b\u9759\u7684\u30eb\u30fc\u30c8\u3092\u8a2d\u5b9a\u3057\u3066\u3044\u308b\u306e\u3067\u3001VPN \u7d4c\u7531\u3067\u30a2\u30af\u30bb\u30b9\u3055\u308c\u308b\u306f\u305a\u3060\u3002<\/p>\n
.\/ls_all_buckets.sh<\/code> \u3092\u518d\u5ea6\u5b9f\u884c\u3057\u3088\u3046\u3002<\/p>\n
.\/ls_all_buckets.sh\ngs:\/\/public-2025-05\/\nERROR: (gcloud.storage.ls) gs:\/\/public-2025-05 not found: 404.\ngs:\/\/private-2025-05\/\nERROR: (gcloud.storage.ls) gs:\/\/private-2025-05 not found: 404.\ngs:\/\/ip-vpn-all-2025-05\/\nERROR: (gcloud.storage.ls) gs:\/\/ip-vpn-all-2025-05 not found: 404.\ngs:\/\/ip-vpn-sa-2025-05\/\nERROR: (gcloud.storage.ls) gs:\/\/ip-vpn-sa-2025-05 not found: 404.\ngs:\/\/ip-allow-all-2025-05\/\nERROR: (gcloud.storage.ls) gs:\/\/ip-allow-all-2025-05 not found: 404.\ngs:\/\/ip-allow-sa-2025-05\/\nERROR: (gcloud.storage.ls) gs:\/\/ip-allow-sa-2025-05 not found: 404.<\/code><\/pre>\n
\u2026\u30c0\u30e1\u3060\u3063\u305f\u3002<\/p>\n
\u3053\u3053\u3067\u91cd\u8981\u306a\u70b9\u3068\u3057\u3066\u3001\u3053\u306e\u8a2d\u5b9a\u3067\u306f\u671f\u5f85\u901a\u308a\u306b\u52d5\u4f5c\u305b\u305a\u3001\u30a2\u30af\u30bb\u30b9\u306f\u5931\u6557\u3057\u305f\u3002\u3053\u306e\u7d50\u679c\u306b\u306f\u6ce8\u76ee\u3057\u3066\u307b\u3057\u3044\u3002<\/p>\n
gcloud config set api_endpoint_overrides\/storage https:\/\/private.googleapis.com\/storage\/v1\/<\/code><\/pre>\n
\u3082\u30a8\u30e9\u30fc\u3060\u3063\u305f\u3002\u306a\u305c\u30a2\u30af\u30bb\u30b9\u304c\u5931\u6557\u3059\u308b\u306e\u304b\u539f\u56e0\u304c\u4e0d\u660e\u3067\u3042\u308b\u3002<\/p>\n
gcloud config set api_endpoint_overrides\/storage https:\/\/private.googleapis.com\/storage\/<\/code><\/pre>\n
\u3053\u308c\u3082\u30a8\u30e9\u30fc\u3060\u3063\u305f\u3002<\/p>\n
\u4ee5\u4e0b\u306e\u3088\u3046\u306b --log-http<\/code> \u3092\u3064\u3051\u3066\u3001\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u78ba\u8a8d\u3057\u3066\u307f\u308b\u3002<\/p>\n
gcloud config set api_endpoint_overrides\/storage https:\/\/private.googleapis.com\/storage\/v1\/\ngcloud storage ls gs:\/\/public-2025-05 --log-http<\/code><\/pre>\n
\u3059\u308b\u3068\u3001<\/p>\n
https:\/\/private.googleapis.com\/storage\/v1\/b\/public-2025-05\/o?alt=json&fields=prefixes%2Citems%2Fname%2Citems%2Fsize%2Citems%2Fgeneration%2CnextPageToken&delimiter=%2F&includeFoldersAsPrefixes=True&maxResults=1000&projection=noAcl<\/code><\/pre>\n
\u306e\u3088\u3046\u306a\u30ea\u30af\u30a8\u30b9\u30c8\u304c\u98db\u3093\u3067\u3044\u308b\u3002<\/p>\n
curl "https:\/\/private.googleapis.com\/storage\/v1\/b\/public-2025-05\/o?alt=json&fields=prefixes%2Citems%2Fname%2Citems%2Fsize%2Citems%2Fgeneration%2CnextPageToken&delimiter=%2F&includeFoldersAsPrefixes=True&maxResults=1000&projection=noAcl"\ncurl -H "Host: storage.googleapis.com" "https:\/\/private.googleapis.com\/storage\/v1\/b\/public-2025-05\/o?alt=json&fields=prefixes%2Citems%2Fname%2Citems%2Fsize%2Citems%2Fgeneration%2CnextPageToken&delimiter=%2F&includeFoldersAsPrefixes=True&maxResults=1000&projection=noAcl"<\/code><\/pre>\n
\u3092\u8a66\u3057\u3066\u307f\u308b\u3068\u3001Host<\/code> \u3092\u8a2d\u5b9a\u3057\u306a\u3044\u5834\u5408\u306f\u3001404 \u3067\u3001Host<\/code> \u3092\u8a2d\u5b9a\u3059\u308b\u3068\u3001\u4ee5\u4e0b\u304c\u8fd4\u3063\u3066\u304d\u305f\u3002<\/p>\n
{\n  "items": [\n    {\n      "name": "public_2025-05.txt",\n      "generation": "1746452844041206",\n      "size": "19"\n    }\n  ]\n}<\/code><\/pre>\n
\u3064\u307e\u308a\u3001\u30b5\u30fc\u30d0\u5074\u306f Host<\/code> \u30d8\u30c3\u30c0\u3092\u898b\u3066\u3044\u3066\u3001storage<\/code> \u3067\u306a\u3044\u5834\u5408\u306b\u306f\u6b63\u5e38\u306b\u5fdc\u7b54\u3057\u306a\u3044\u3002<\/p>\n
gcloud config set api_endpoint_overrides\/storage https:\/\/private.googleapis.com\/<\/code><\/pre>\n
\u3068\u3057\u3066\u3082\u3001\u30a2\u30af\u30bb\u30b9\u5148\u306f\u540c\u3058\u3088\u3046\u3060\u3063\u305f\u3002<\/p>\n
gcloud config set api_endpoint_overrides\/storage https:\/\/199.36.153.8\/\ngcloud config set auth\/disable_ssl_validation True\ngcloud storage ls gs:\/\/public-2025-05 --log-http<\/code><\/pre>\n
\u3068\u3059\u308b\u3068\u3001401 \u3068\u306a\u308b\u3002<\/p>\n
gcloud storage ls gs:\/\/public-2025-05\n\/usr\/bin\/..\/lib\/google-cloud-sdk\/lib\/third_party\/urllib3\/connectionpool.py:1102: InsecureRequestWarning: Unverified HTTPS request is being made to host '199.36.153.8'. Adding certificate verification is strongly advised. See: https:\/\/urllib3.readthedocs.io\/en\/latest\/advanced-usage.html#tls-warnings\n  warnings.warn(\n\/usr\/bin\/..\/lib\/google-cloud-sdk\/lib\/third_party\/urllib3\/connectionpool.py:1102: InsecureRequestWarning: Unverified HTTPS request is being made to host '199.36.153.8'. Adding certificate verification is strongly advised. See: https:\/\/urllib3.readthedocs.io\/en\/latest\/advanced-usage.html#tls-warnings\n  warnings.warn(\nERROR: (gcloud.storage.ls) HTTPError 401: <!DOCTYPE html>\n<html lang=en>\n  <meta charset=utf-8>\n  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">\n  <title>Error 401 (Unauthorized)!!1<\/title>\n  <style>\n    *{margin:0;padding:0}html,code{font:15px\/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(\/\/www.google.com\/images\/errors\/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(\/\/www.google.com\/images\/branding\/googlelogo\/1x\/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(\/\/www.google.com\/images\/branding\/googlelogo\/2x\/googlelogo_color_150x54dp.png) no-repeat 0% 0%\/100% 100%;-moz-border-image:url(\/\/www.google.com\/images\/branding\/googlelogo\/2x\/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(\/\/www.google.com\/images\/branding\/googlelogo\/2x\/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}\n  <\/style>\n  <a href=\/\/www.google.com\/><span id=logo aria-label=Google><\/span><\/a>\n  <p><b>401.<\/b> <ins>That\u2019s an error.<\/ins>\n  <p>Your client does not have permission to the requested URL <code>\/storage\/v1\/b\/public-2025-05\/o<\/code>.  <ins>That\u2019s all we know.<\/ins><\/code><\/pre>\n
\u3068\u3044\u3046\u3053\u3068\u3067\u3001\u7d50\u8ad6\u304b\u3089\u8a00\u3046\u3068\u3001\u30c0\u30e1\u3060\u3002<\/p>\n
Endpoint Override \u6cd5\u306e\u8003\u5bdf<\/h4>\n
\/etc\/hosts<\/code> \u306b\u4ee5\u4e0b\u3092\u8ffd\u52a0\u3057\u3066\u307f\u308b\u3002\u7247\u65b9\u306f\u610f\u56f3\u7684\u306b storag<\/code> \u3068 e<\/code> \u3092\u524a\u3063\u3066\u3044\u308b\u3002<\/p>\n
199.36.153.8 storage-dummy.p.googleapis.com\n199.36.153.8 storag-dummy.p.googleapis.com<\/code><\/pre>\n
gcloud config set api_endpoint_overrides\/storage https:\/\/storage-dummy.p.googleapis.com\/\ngcloud storage ls gs:\/\/public-2025-05<\/code><\/pre>\n
\u306f<\/p>\n
gcloud storage ls gs:\/\/public-2025-05\ngs:\/\/public-2025-05\/public_2025-05.txt<\/code><\/pre>\n
\u3068\u7d50\u679c\u304c\u8fd4\u3063\u3066\u304f\u308b\u3002<\/p>\n
\u4e00\u65b9\u3067<\/p>\n
gcloud config set api_endpoint_overrides\/storage https:\/\/storag-dummy.p.googleapis.com\/\ngcloud storage ls gs:\/\/public-2025-05<\/code><\/pre>\n
\u3068\u3059\u308b\u3068<\/p>\n
gcloud storage ls gs:\/\/public-2025-05\nERROR: (gcloud.storage.ls) gs:\/\/public-2025-05 not found: 404.<\/code><\/pre>\n
\u3068\u306a\u308b\u3002<\/p>\n
\u30b0\u30ed\u30fc\u30d0\u30eb Google API \u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b \u306e \u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u304b\u3089 Google API \u306b\u30a2\u30af\u30bb\u30b9\u3059\u308b \u306b\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u3092\u4f7f\u7528\u3059\u308b<\/a>\u3068\u3044\u3046\u9805\u76ee\u304c\u3042\u308b\u3002\u3053\u308c\u306b\u3088\u308b\u3068\u3001<\/p>\n
\n
\u305f\u3068\u3048\u3070\u3001\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u540d\u304c xyz<\/code> \u306e\u5834\u5408\u3001API \u30d0\u30f3\u30c9\u30eb\u306b storage-xyz.p.googleapis.com<\/code>\u3001compute-xyz.p.googleapis.com<\/code>\u3001\u305d\u306e\u4ed6\u306e\u4e00\u822c\u7684\u306b\u4f7f\u7528\u3055\u308c\u308b API \u306e DNS \u30ec\u30b3\u30fc\u30c9\u304c\u4f5c\u6210\u3055\u308c\u307e\u3059\u3002<\/p>\n
\u6ce8: \u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u3092\u4f7f\u7528\u3067\u304d\u308b\u30ab\u30b9\u30bf\u30e0 \u30e9\u30a4\u30d6\u30e9\u30ea\u3092\u958b\u767a\u3059\u308b\u5834\u5408\u306f\u3001\u30ea\u30af\u30a8\u30b9\u30c8\u3092\u9001\u4fe1\u3059\u308b\u30b5\u30fc\u30d3\u30b9\u306e\u6709\u52b9\u306a\u30db\u30b9\u30c8\u540d\u306b Host \u30d8\u30c3\u30c0\u30fc\u3068 SNI \u3092\u8a2d\u5b9a\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002\u6709\u52b9\u306a\u30db\u30b9\u30c8\u540d\u306f\u3001\u30b5\u30fc\u30d3\u30b9\u56fa\u6709\u306e\u30c7\u30d5\u30a9\u30eb\u30c8 \u30c9\u30e1\u30a4\u30f3\u540d\uff08storage.googleapis.com<\/code>\uff09\u307e\u305f\u306f\u30b5\u30fc\u30d3\u30b9\u306e SERVICE-ENDPOINT.p.googleapis.com<\/code> DNS \u540d\uff08\u4f7f\u7528\u53ef\u80fd\u306a\u5834\u5408\uff09\u306e\u3044\u305a\u308c\u304b\u3067\u3059\u3002SERVICE-ENDPOINT.p.googleapis.com<\/code> \u306e\u540d\u524d\u306e\u5834\u5408\u3001\u540d\u524d\u306e SERVICE<\/code> \u306e\u90e8\u5206\u306f\u30b5\u30fc\u30d3\u30b9\u3068\u4e00\u81f4\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u304c\u3001ENDPOINT<\/code> \u306e\u4efb\u610f\u306e\u5024\u3092\u4f7f\u7528\u3067\u304d\u307e\u3059\u3002<\/p>\n<\/blockquote>\n
\u3067\u3042\u308b\u3002\u3053\u306e\u30c9\u30ad\u30e5\u30e1\u30f3\u30c8\u306f\u3001\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u5074\u304c\u3001\u300c\u3069\u306e\u3088\u3046\u306a Host<\/code> \u3067\u547c\u3073\u51fa\u3055\u308c\u3066\u3044\u308b\u304b\u300d\u3092\u6c17\u306b\u3057\u3066\u5fdc\u7b54\u3057\u3066\u3044\u308b\u3068\u3044\u3046\u8003\u3048\u3092\u88cf\u4ed8\u3051\u308b\u3002<\/p>\n
\u7d50\u8ad6\u3068\u3057\u3066\u306f\u3001Endpoint Override \u3067\u63a5\u7d9a\u3057\u305f\u3044\u5834\u5408\u306f\u3001<\/p>\n
    \n
  1. storage-endpointname.p.googleapis.com<\/code> \u304c\u3001private.googleapis.com<\/code> \u306e CNAME \u306b\u89e3\u6c7a\u3055\u308c\u308b\u3088\u3046\u306a DNS \u8a2d\u5b9a\u3092\u884c\u3046<\/li>\n
  2. storage-endpointname.p.googleapis.com<\/code> \u3067\u547c\u3073\u51fa\u3059\u3088\u3046\u306b\u3059\u308b<\/li>\n<\/ol>\n
    \u3092\u5408\u308f\u305b\u3066\u5229\u7528\u3059\u308b\u5fc5\u8981\u304c\u3042\u308b\u3002<\/p>\n
    storage.private.googleapis.com<\/code> \u3068\u304b\u4f5c\u3063\u3066\u304f\u308c\u305f\u3089\u3044\u3044\u306e\u306b\u2026\u3002<\/p>\n
    \u3061\u306a\u307f\u306b\u3001storage-private.googleapis.com<\/code> \u306f storage.googleapis.com<\/code> \u3068\u540c\u3058\u7d50\u679c\u304c\u8fd4\u3063\u3066\u304f\u308b\u3088\u3046\u3060\u3002<\/p>\n
    \u6ce8\u610f:
    \ngcloud config<\/code> \u306e\u8a2d\u5b9a\u306f\u5143\u306b\u623b\u3057\u3066\u304a\u304f\u3053\u3068\u3092\u5fd8\u308c\u306a\u3044\u3088\u3046\u306b\u3059\u308b\u3002\u4ee5\u4e0b\u306e\u30b3\u30de\u30f3\u30c9\u3092\u5b9f\u884c\u3057\u3066\u3001\u5143\u306b\u623b\u3059\u3053\u3068\u304c\u3067\u304d\u308b\u3002<\/p>\n
    gcloud config unset auth\/disable_ssl_validation\ngcloud config unset api_endpoint_overrides\/storage<\/code><\/pre>\n
    curl \u6cd5<\/h4>\n
    \u3055\u3066\u3001curl<\/code> \u306f -H<\/code> \u30aa\u30d7\u30b7\u30e7\u30f3\u3067 Host<\/code> \u30d8\u30c3\u30c0\u3092\u6307\u5b9a\u3067\u304d\u308b\u3002\u3053\u3061\u3089\u306e\u4e16\u754c\u306f\u81ea\u7531\u3060\u3002<\/p>\n
    \u307e\u305a\u306f\u3001\u30a2\u30af\u30bb\u30b9\u300c\u3067\u304d\u306a\u3044\u300d\u4f8b\u3092\u78ba\u8a8d\u3057\u3066\u304a\u3053\u3046\u3002<\/p>\n
    echo "curl https:\/\/storage.googleapis.com\/public-2025-05\/public_2025-05.txt"\ncurl https:\/\/storage.googleapis.com\/public-2025-05\/public_2025-05.txt\necho "curl https:\/\/storage.googleapis.com\/private-2025-05\/private_2025-05.txt"\ncurl https:\/\/storage.googleapis.com\/private-2025-05\/private_2025-05.txt\necho "curl https:\/\/storage.googleapis.com\/ip-vpn-all-2025-05\/ip-vpn-all_2025-05.txt"\ncurl https:\/\/storage.googleapis.com\/ip-vpn-all-2025-05\/ip-vpn-all_2025-05.txt\necho "curl https:\/\/storage.googleapis.com\/ip-vpn-sa-2025-05\/ip-vpn-sa_2025-05.txt"\ncurl https:\/\/storage.googleapis.com\/ip-vpn-sa-2025-05\/ip-vpn-sa_2025-05.txt\necho "curl https:\/\/storage.googleapis.com\/ip-allow-all-2025-05\/ip-allow-all_2025-05.txt"\ncurl https:\/\/storage.googleapis.com\/ip-allow-all-2025-05\/ip-allow-all_2025-05.txt\necho "curl https:\/\/storage.googleapis.com\/ip-allow-sa-2025-05\/ip-allow-sa_2025-05.txt"\ncurl https:\/\/storage.googleapis.com\/ip-allow-sa-2025-05\/ip-allow-sa_2025-05.txt<\/code><\/pre>\n
    vm-guest-vpn:<\/p>\n
    curl https:\/\/storage.googleapis.com\/public-2025-05\/public_2025-05.txt\npublic_2025-05.txt\ncurl https:\/\/storage.googleapis.com\/private-2025-05\/private_2025-05.txt\n<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied<\/Code><Message>Access denied.<\/Message><Details>Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist).<\/Details><\/Error>\ncurl https:\/\/storage.googleapis.com\/ip-vpn-all-2025-05\/ip-vpn-all_2025-05.txt\n<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied<\/Code><Message>Access denied.<\/Message><Details>There is an IP filtering condition that is preventing access to the resource.<\/Details><\/Error>\ncurl https:\/\/storage.googleapis.com\/ip-vpn-sa-2025-05\/ip-vpn-sa_2025-05.txt\n<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied<\/Code><Message>Access denied.<\/Message><Details>Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist).<\/Details><\/Error>\ncurl https:\/\/storage.googleapis.com\/ip-allow-all-2025-05\/ip-allow-all_2025-05.txt\n<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied<\/Code><Message>Access denied.<\/Message><Details>There is an IP filtering condition that is preventing access to the resource.<\/Details><\/Error>\ncurl https:\/\/storage.googleapis.com\/ip-allow-sa-2025-05\/ip-allow-sa_2025-05.txt\n<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied<\/Code><Message>Access denied.<\/Message><Details>Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist).<\/Details><\/Error><\/code><\/pre>\n
    \u30a2\u30af\u30bb\u30b9\u7d4c\u8def\u304c\u5909\u308f\u3089\u306a\u3044\u306e\u3067\u3001\u7d50\u679c\u306f\u5909\u308f\u3089\u306a\u3044\u3002<\/p>\n
    \u3053\u3053\u3067\u3001\u30a8\u30f3\u30c9\u30dd\u30a4\u30f3\u30c8\u3092 private.googleapis.com<\/code> \u306b\u5909\u66f4\u3057\u3066\u3001curl \u3057\u3066\u307f\u308b\u3002<\/p>\n
    echo "curl -H \\"Host: storage.googleapis.com\\" \\"https:\/\/private.googleapis.com\/public-2025-05\/public_2025-05.txt\\""\ncurl -H "Host: storage.googleapis.com" "https:\/\/private.googleapis.com\/public-2025-05\/public_2025-05.txt"\necho "curl -H \\"Host: storage.googleapis.com\\" \\"https:\/\/private.googleapis.com\/private-2025-05\/private_2025-05.txt\\""\ncurl -H "Host: storage.googleapis.com" "https:\/\/private.googleapis.com\/private-2025-05\/private_2025-05.txt"\necho "curl -H \\"Host: storage.googleapis.com\\" \\"https:\/\/private.googleapis.com\/ip-vpn-all-2025-05\/ip-vpn-all_2025-05.txt\\""\ncurl -H "Host: storage.googleapis.com" "https:\/\/private.googleapis.com\/ip-vpn-all-2025-05\/ip-vpn-all_2025-05.txt"\necho "curl -H \\"Host: storage.googleapis.com\\" \\"https:\/\/private.googleapis.com\/ip-vpn-sa-2025-05\/ip-vpn-sa_2025-05.txt\\""\ncurl -H "Host: storage.googleapis.com" "https:\/\/private.googleapis.com\/ip-vpn-sa-2025-05\/ip-vpn-sa_2025-05.txt"\necho "curl -H \\"Host: storage.googleapis.com\\" \\"https:\/\/private.googleapis.com\/ip-allow-all-2025-05\/ip-allow-all_2025-05.txt\\""\ncurl -H "Host: storage.googleapis.com" "https:\/\/private.googleapis.com\/ip-allow-all-2025-05\/ip-allow-all_2025-05.txt"\necho "curl -H \\"Host: storage.googleapis.com\\" \\"https:\/\/private.googleapis.com\/ip-allow-sa-2025-05\/ip-allow-sa_2025-05.txt\\""\ncurl -H "Host: storage.googleapis.com" "https:\/\/private.googleapis.com\/ip-allow-sa-2025-05\/ip-allow-sa_2025-05.txt"<\/code><\/pre>\n
    Error \u306e\u76f4\u5f8c\u306e\u884c\u3067\u3001\u6539\u884c\u3092\u5165\u308c\u305f\u3002<\/p>\n
    vm-guest-vpn:<\/p>\n
    curl -H "Host: storage.googleapis.com" "https:\/\/private.googleapis.com\/public-2025-05\/public_2025-05.txt"\npublic_2025-05.txt\ncurl -H "Host: storage.googleapis.com" "https:\/\/private.googleapis.com\/private-2025-05\/private_2025-05.txt"\n<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied<\/Code><Message>Access denied.<\/Message><Details>Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist).<\/Details><\/Error>\ncurl -H "Host: storage.googleapis.com" "https:\/\/private.googleapis.com\/ip-vpn-all-2025-05\/ip-vpn-all_2025-05.txt"\nip-vpn-all_2025-05.txt\ncurl -H "Host: storage.googleapis.com" "https:\/\/private.googleapis.com\/ip-vpn-sa-2025-05\/ip-vpn-sa_2025-05.txt"\n<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied<\/Code><Message>Access denied.<\/Message><Details>Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist).<\/Details><\/Error>\ncurl -H "Host: storage.googleapis.com" "https:\/\/private.googleapis.com\/ip-allow-all-2025-05\/ip-allow-all_2025-05.txt"\nip-allow-all_2025-05.txt\ncurl -H "Host: storage.googleapis.com" "https:\/\/private.googleapis.com\/ip-allow-sa-2025-05\/ip-allow-sa_2025-05.txt"\n<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied<\/Code><Message>Access denied.<\/Message><Details>Anonymous caller does not have storage.objects.get access to the Google Cloud Storage object. Permission 'storage.objects.get' denied on resource (or it may not exist).<\/Details><\/Error><\/code><\/pre>\n
    \u7d50\u679c\u304c\u5909\u308f\u3063\u305f\u3053\u3068\u306b\u6ce8\u610f\u3057\u3088\u3046\u3002\u5927\u4e8b\u306a\u30dd\u30a4\u30f3\u30c8\u3092\u629c\u304d\u51fa\u3059\u3002<\/p>\n
    # NG\ncurl https:\/\/storage.googleapis.com\/ip-vpn-all-2025-05\/ip-vpn-all_2025-05.txt\n<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied<\/Code><Message>Access denied.<\/Message><Details>There is an IP filtering condition that is preventing access to the resource.<\/Details><\/Error>\n\n# OK\ncurl -H "Host: storage.googleapis.com" "https:\/\/private.googleapis.com\/ip-vpn-all-2025-05\/ip-vpn-all_2025-05.txt"\nip-vpn-all_2025-05.txt\n\n# NG\ncurl https:\/\/storage.googleapis.com\/ip-allow-all-2025-05\/ip-allow-all_2025-05.txt\n<?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied<\/Code><Message>Access denied.<\/Message><Details>There is an IP filtering condition that is preventing access to the resource.<\/Details><\/Error>\n\n# OK\ncurl -H "Host: storage.googleapis.com" "https:\/\/private.googleapis.com\/ip-allow-all-2025-05\/ip-allow-all_2025-05.txt"\nip-allow-all_2025-05.txt<\/code><\/pre>\n
    curl<\/code> \u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u3063\u3066\u3082\u3001Bucket IP Filtering \u3067\u8a31\u53ef\u3055\u308c\u3066\u3044\u308b IP \u7bc4\u56f2\u304b\u3089\u30a2\u30af\u30bb\u30b9\u3067\u304d\u308b\u3053\u3068\u304c\u78ba\u8a8d\u3067\u304d\u305f\u3002<\/p>\n
    Access Check Part 4<\/h3>\n
    \u7b46\u8005\u81ea\u5b85\u304b\u3089\u306e\u30a2\u30af\u30bb\u30b9\u304b\u3089\u3082\u78ba\u8a8d\u3057\u3066\u307f\u308b\u3002\u30e1\u30fc\u30eb\u30a2\u30c9\u30ec\u30b9\u306f test@example.com<\/code> \u306b\u7f6e\u304d\u63db\u3048\u3066\u3044\u308b\u3002<\/p>\n
    gs:\/\/public-2025-05\/\ngs:\/\/public-2025-05\/public_2025-05.txt\ngs:\/\/private-2025-05\/\ngs:\/\/private-2025-05\/private_2025-05.txt\ngs:\/\/ip-vpn-all-2025-05\/\nERROR: (gcloud.storage.ls) [test@example.com] does not have permission to access b instance [ip-vpn-all-2025-05] (or it may not exist): There is an IP filtering condition that is preventing access to the resource. This command is authenticated as test@example.com which is the active account specified by the [core\/account] property.\ngs:\/\/ip-vpn-sa-2025-05\/\nERROR: (gcloud.storage.ls) [test@example.com] does not have permission to access b instance [ip-vpn-sa-2025-05] (or it may not exist): There is an IP filtering condition that is preventing access to the resource. This command is authenticated as test@example.com which is the active account specified by the [core\/account] property.\ngs:\/\/ip-allow-all-2025-05\/\ngs:\/\/ip-allow-all-2025-05\/ip-allow-all_2025-05.txt\ngs:\/\/ip-allow-sa-2025-05\/\ngs:\/\/ip-allow-sa-2025-05\/ip-allow-sa_2025-05.txt<\/code><\/pre>\n
    \u3068\u3044\u3046\u3053\u3068\u3067\u3001<\/p>\n