Configuring IP Filtering on GCS Buckets
Google Cloud Storage offers an IP filtering feature that allows you to restrict bucket access to specific IP addresses. This is useful when you want to ensure that only authorized networks—such as your office network or your SFTP Gateway VM—can read from or write to a bucket.
This guide walks through the configuration process and highlights an important distinction: GCE VM traffic must be configured differently than external traffic, even when the VM has a public IP address.
TLDR
- What: Restrict GCS bucket access to specific IP addresses using IP filtering
- Use Case: Lock down bucket access to your internal network and SFTP Gateway VM
- Key Insight: GCE VM IPs must be added as VPC Network sources, not Public Internet
Overview
When you enable IP filtering on a GCS bucket, you can define access rules based on two types of network sources:
- Public Internet – Use this for external clients like laptops, on-premises servers, or any device outside of Google Cloud.
- VPC Network – Use this for Google Compute Engine VMs, even if they have public IP addresses.
The most common mistake users make is adding a GCE VM's public IP under Public Internet. This seems intuitive—after all, it's a public IP—but it won't work. Google Cloud recognizes that the traffic originates from within a VPC and expects the configuration to reflect that. If you're setting up IP filtering for an SFTP Gateway VM, make sure to add its IP under VPC Network.
Prerequisites
Before you begin, make sure you have the following information ready:
- The name of the GCS bucket you want to protect
- The public IP address of your SFTP Gateway VM
- The name of the VPC network where your VM is deployed (often default)
- The Google Cloud project ID
Configuration Steps
The following steps walk you through enabling IP filtering on your bucket and adding the appropriate rules for both external clients and your SFTP Gateway VM.
Step 1: Navigate to Bucket Settings
Start by opening the IP filtering settings for your bucket:
- Open the Google Cloud Console
- Go to Cloud Storage > Buckets
- Click on your bucket name
- Select the Protection tab
- Scroll down to IP filtering
Step 2: Add External Client IPs (Optional)
If you need to access the bucket from locations outside of Google Cloud—such as your office network or a home office—you'll add those IPs under Public Internet.
- Click Add configuration
- Select Public Internet
- Enter the IP address in CIDR notation (e.g., 203.0.113.10/32 for a single IP)
- Click Save
You can add multiple IP ranges if needed. This is also where you'd add on-premises server IPs if they need to sync data with the bucket.
Step 3: Add SFTP Gateway VM IP
This is the step that catches most people off guard. Even though your SFTP Gateway VM has a public IP, you need to add it under VPC Network, not Public Internet.
- Click Add configuration
- Select VPC Network
- Enter the Project ID where the VM resides
- Enter the VPC Network name (e.g., default)
- Under IP ranges, enter the VM's public IP in CIDR notation (e.g., 34.67.56.50/32)
- Click Save
Why does this matter? When your VM makes a request to GCS, Google Cloud can see that the request is coming from a Compute Engine instance within a VPC. It expects the IP allowlist to be defined in the VPC Network configuration, not the Public Internet configuration. If you put the IP in the wrong place, the request will be denied even though the IP technically matches.
Step 4: Enable Service Agent Access
Google Cloud uses service agents to perform background operations on your bucket, such as lifecycle management and logging. To ensure these services continue to work, you should allow service agent access.
- Under Service agent access, select Allow all service agents
- Click Save
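The four console steps above correspond to a single IP filter document that gcloud can apply to the bucket. The Python below is an added example, not code from this guide or from the SFTP Gateway project. The field names it emits (mode, publicNetworkSource, vpcNetworkSources, allowCrossOrgVpcs, allowAllServiceAgentAccess) and the gcloud storage buckets update --ip-filter-file flag are my reading of the Cloud Storage IP filtering docs and should be checked against the current reference; the project ID, network name and addresses are constructed placeholders. Beyond building the file, it lints the result for the Step 3 mistake (a GCE VM IP placed under Public Internet) and for VM IPs that no VPC Network range covers, so the problem surfaces before a request is denied.

```python
import ipaddress
import json

# Constructed placeholder values for this example; substitute your own.
PROJECT_ID = "my-project"
VPC_NETWORK = "default"
OFFICE_CIDRS = ["203.0.113.10/32"]       # external clients -> Public Internet
SFTP_GATEWAY_VM_IPS = ["34.67.56.50"]    # GCE VM -> VPC Network, never Public Internet


def to_cidr(value):
    """Normalise an IP or CIDR string to strict CIDR notation.

    strict=True makes ipaddress raise ValueError when host bits are set
    (e.g. "203.0.113.10/24"), catching a typo that would otherwise allow
    a far wider range than intended.
    """
    return str(ipaddress.ip_network(value, strict=True))


def build_ip_filter(project_id, vpc_network, public_cidrs, vm_cidrs,
                    allow_service_agents=True):
    """Build the IP filter document for --ip-filter-file.

    Field names mirror the Cloud Storage bucket ipFilter resource as I
    understand it (assumption; verify against the current API reference).
    """
    return {
        "mode": "Enabled",
        "publicNetworkSource": {
            "allowedIpCidrRanges": [to_cidr(c) for c in public_cidrs],
        },
        "vpcNetworkSources": [
            {
                # VPC Network sources are keyed by the network's full resource name.
                "network": f"projects/{project_id}/global/networks/{vpc_network}",
                "allowedIpCidrRanges": [to_cidr(c) for c in vm_cidrs],
            }
        ],
        "allowCrossOrgVpcs": False,
        # Step 4 of the guide: keep lifecycle, logging and similar background
        # operations working by letting service agents through the filter.
        "allowAllServiceAgentAccess": allow_service_agents,
    }


def _ranges(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def misplaced_vm_ips(ip_filter, vm_ips):
    """Return GCE VM addresses that appear under Public Internet.

    This is the mistake the guide warns about: the address matches on paper,
    but requests from the VM are still denied.
    """
    public = _ranges(ip_filter.get("publicNetworkSource", {})
                     .get("allowedIpCidrRanges", []))
    return sorted(ip for ip in vm_ips
                  if any(ipaddress.ip_address(ip) in r for r in public))


def uncovered_vm_ips(ip_filter, vm_ips):
    """Return GCE VM addresses not allowed by any VPC Network source range."""
    vpc = []
    for src in ip_filter.get("vpcNetworkSources", []):
        vpc.extend(_ranges(src.get("allowedIpCidrRanges", [])))
    return sorted(ip for ip in vm_ips
                  if not any(ipaddress.ip_address(ip) in r for r in vpc))


def lint_ip_filter(ip_filter, vm_ips):
    """Return human-readable findings; an empty list means the VM IPs are placed correctly."""
    findings = []
    for ip in misplaced_vm_ips(ip_filter, vm_ips):
        findings.append(f"{ip} is a GCE VM IP but is listed under Public Internet; "
                        "move it to a VPC Network source")
    for ip in uncovered_vm_ips(ip_filter, vm_ips):
        findings.append(f"{ip} is not covered by any VPC Network source range")
    if not ip_filter.get("allowAllServiceAgentAccess", False):
        findings.append("service agent access is not allowed; lifecycle and logging may break")
    return findings


if __name__ == "__main__":
    config = build_ip_filter(PROJECT_ID, VPC_NETWORK, OFFICE_CIDRS, SFTP_GATEWAY_VM_IPS)
    for finding in lint_ip_filter(config, SFTP_GATEWAY_VM_IPS):
        print("WARNING:", finding)
    # Save this as ip-filter.json and apply it with:
    #   gcloud storage buckets update gs://YOUR_BUCKET_NAME --ip-filter-file=ip-filter.json
    print(json.dumps(config, indent=2))
```

Running the script prints the JSON for the correct layout from the guide (office range under Public Internet, VM address under the VPC Network source). If you instead pass the VM address in the public_cidrs list, lint_ip_filter reports it as misplaced and as uncovered, which is exactly the state that produces the IP filtering error shown in the Verification section below.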
Verification
Once you've saved your configuration, you can verify that everything is working by running a simple test from your SFTP Gateway VM.
SSH into the VM and run:
gcloud storage ls gs://YOUR_BUCKET_NAME/
If the configuration is correct, you'll see a list of objects in the bucket (or an empty response if the bucket is empty). If something is misconfigured, you'll see an error like this:
There is an IP filtering condition that is preventing access to the resource.
If you encounter this error, the most likely cause is that the VM's IP was added under Public Internet instead of VPC Network. Double-check your configuration and move the IP to the correct section.
Configuration Summary
Here's a quick reference showing where different types of IPs should be configured:
| Traffic Source | Configuration Type | Example |
|---|---|---|
| Office laptop / On-premises server | Public Internet | 203.0.113.50/32 |
| SFTP Gateway VM (GCE) | VPC Network | Project: my-project, Network: default, IP: 34.67.56.50/32 |