Which compute instance property pertains to "Block project-wide SSH keys"? - google-compute-engine

I have created a GCE VM (i.e. a compute.v1.instance) using Cloud Deployment Manager (I've downloaded Deployment.zip from https://console.cloud.google.com/marketplace/product/scientiamobile-public/wurfl-microservice-basic?project=msm-groupdata-sharedresources and deployed that using gcloud deployment-manager deployments create).
After deploying the VM I notice that the "Block project-wide SSH keys" property is not checked.
I would like to change this (it's company policy to have this box checked) in my deployment package, which would involve changing a property; however, I can't figure out which property to change. I've looked through https://cloud.google.com/compute/docs/reference/rest/v1/instances, which is the API reference for compute.v1.instance, but it isn't obvious to me which property in there would toggle this "Block project-wide SSH keys" option.
Please can someone tell me what I need to change?

Figured it out. It's not a property, it's metadata. ENSURE 'BLOCK PROJECT-WIDE SSH KEYS' ENABLED FOR VM INSTANCES was useful.
I've provided an example of using Cloud Deployment Manager to set "Block project-wide SSH keys" at https://stackoverflow.com/a/69328479/201657
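As an added example (not from the question or the linked answer), here is the metadata approach expressed against a Deployment Manager resource, plus an audit check over `gcloud compute instances describe --format=json` output. The resource shape below is a constructed sample; the metadata key `block-project-ssh-keys` with value `TRUE` is the instance metadata behind that console checkbox.

```python
import json

# Constructed sample of a compute.v1.instance resource as it would appear in a
# Deployment Manager config (the real Deployment.zip will carry more properties).
INSTANCE_RESOURCE = {
    "name": "wurfl-vm",
    "type": "compute.v1.instance",
    "properties": {
        "zone": "us-central1-a",
        "machineType": "zones/us-central1-a/machineTypes/e2-small",
        "metadata": {"items": [{"key": "enable-oslogin", "value": "FALSE"}]},
    },
}

# Constructed sample of `gcloud compute instances describe NAME --format=json`,
# trimmed to the metadata part the audit needs.
DESCRIBE_OUTPUT = json.dumps({
    "name": "legacy-vm",
    "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "true"}]},
})


def ensure_block_project_ssh_keys(resource):
    """Set block-project-ssh-keys=TRUE in the resource's metadata items (in place).

    Idempotent: an existing item is updated rather than duplicated. Returns the
    items list so callers can inspect what Deployment Manager will send."""
    props = resource.setdefault("properties", {})
    items = props.setdefault("metadata", {}).setdefault("items", [])
    for item in items:
        if item.get("key") == "block-project-ssh-keys":
            item["value"] = "TRUE"
            break
    else:
        items.append({"key": "block-project-ssh-keys", "value": "TRUE"})
    return items


def blocks_project_ssh_keys(instance):
    """Audit: True only if the instance metadata explicitly blocks project-wide keys.

    Accepts a dict (an Instance resource or DM `properties`) or a JSON string from
    `gcloud compute instances describe --format=json`. An absent key means the
    checkbox is unchecked, so project-wide keys are accepted."""
    if isinstance(instance, str):
        instance = json.loads(instance)
    for item in instance.get("metadata", {}).get("items", []):
        if item.get("key") == "block-project-ssh-keys":
            return item.get("value", "").strip().upper() == "TRUE"
    return False
```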

Related

gcloud compute vpn-tunnels describe [NAME] doesn't show all details of a vpn-tunnel

Once you have a vpn tunnel up and running there does not appear to be a method to view all the details of the tunnel from either the Google Cloud Console or the gcloud command line. Specifically the route policies that were configured when the tunnel was initially setup are missing from the describe.
Is there a method to see this information?
This is a known behavior. The Developers Console doesn't set the remoteTrafficSelector when creating the tunnels through it.
The Developers Console creates the necessary routes and shows the "Remote ranges" based on them.
The workaround is to create the VPN tunnels using the Compute API or Cloud SDK with the following command:
gcloud compute vpn-tunnels create NAME --region=REGION --peer-address=PEER_ADDRESS --shared-secret=SHARED_SECRET --target-vpn-gateway=TARGET_VPN_GATEWAY --local-traffic-selector=CIDR --remote-traffic-selector=CIDR
You can click on the star icon in the Public Issue Tracker to get updates when there is any progress on it.
Note: This doesn't have any impact on the VPN tunnel functionality.

How to launch jupyter notebook in gcloud compute engine

I would like to use jupyter notebook from google cloud compute engine. When I try to launch it through the command line, I am not able to open the notebook using my browser.
Please let me know on how to do this.
It looks like you're trying to start a Jupyter notebook server on the VM and want to access it using the external IP of the VM (assuming you have not disabled the external IP option on your VM).
You will need to do the following:
Modify jupyter_notebook_config.py in your ~/.jupyter directory. Do go through exactly what you need to modify and how to secure your notebook server since Jupyter notebook by default only listens on the loopback interface (i.e. 127.0.0.1 aka localhost).
The minimum set of configuration options that you should uncomment and edit in jupyter_notebook_config.py is the following:
# Set options for certfile, ip, password, and toggle off
# browser auto-opening
c.NotebookApp.certfile = u'/absolute/path/to/your/certificate/mycert.pem'
c.NotebookApp.keyfile = u'/absolute/path/to/your/certificate/mykey.key'
# Set ip to '*' to bind on all interfaces (ips) for the public server
c.NotebookApp.ip = '*'
c.NotebookApp.password = u'sha1:bcd259ccf...<your hashed password here>'
c.NotebookApp.open_browser = False
# It is a good idea to set a known, fixed port for server access
c.NotebookApp.port = 9999
You will need to modify the firewall rules to allow ingress traffic to the port (on the VM) you just configured in the previous step. To do that I would recommend tag-based firewall rules so that you can control which VMs the firewall rule applies to.
Network tags are used by networks to identify which instances are subject to certain firewall rules and network routes. For example, if you have several VM instances that are serving a large website, tag these instances with a shared word or term and then use that tag to apply a firewall rule that allows HTTP access to those instances. Tags are also reflected in the metadata server, so you can use them for applications running on your instances. When you create a firewall rule, you can provide either sourceRanges or sourceTags but not both.
# Assuming Jupyter notebook is running on port 9999
# Add a new tag based firewall rule to allow ingress tcp:9999
gcloud compute firewall-rules create rule-allow-tcp-9999 --source-ranges 0.0.0.0/0 --target-tags allow-tcp-9999 --allow tcp:9999
# Add the allow-tcp-9999 target tag to the VM named say 'vm-1'
gcloud compute instances add-tags vm-1 --tags allow-tcp-9999
# If you want to list all the GCE firewall rules
gcloud compute firewall-rules list
It might take a few seconds to a couple of minutes for the changes to take effect.
Alternatively, you can also use Google Cloud Console instead of gcloud to configure firewall rules. You can go through this answer which explains that in detail.
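An added check (not part of the answer above) for the first step: once `c.NotebookApp.ip` leaves loopback, the password and certfile/keyfile lines are what stand between the firewall rule and an open notebook server, and they are the lines most often left commented out. This linter parses the plain assignments in a `jupyter_notebook_config.py` and flags an exposed server that lacks them; the sample config is constructed.

```python
import ast

# Constructed sample: the minimal settings from the answer above, with the
# password and certificate lines still commented out, as a fresh config often is.
EXPOSED_CONFIG = """
# c.NotebookApp.certfile = u'/absolute/path/to/your/certificate/mycert.pem'
c.NotebookApp.ip = '*'
c.NotebookApp.open_browser = False
c.NotebookApp.port = 9999
"""


def parse_notebook_config(text):
    """Return {'c.NotebookApp.ip': '*', ...} for simple literal assignments.

    Commented-out lines are naturally skipped by the parser; values that are not
    literals (e.g. computed from os.environ) are ignored rather than guessed."""
    settings = {}
    for node in ast.parse(text).body:
        if not (isinstance(node, ast.Assign) and len(node.targets) == 1):
            continue
        parts, target = [], node.targets[0]
        while isinstance(target, ast.Attribute):      # walk c.NotebookApp.ip
            parts.append(target.attr)
            target = target.value
        if not isinstance(target, ast.Name):
            continue
        parts.append(target.id)
        try:
            settings[".".join(reversed(parts))] = ast.literal_eval(node.value)
        except ValueError:
            pass
    return settings


def lint_notebook_config(text):
    """Findings for a server bound beyond loopback; an empty list means nothing flagged."""
    s = parse_notebook_config(text)
    ip = s.get("c.NotebookApp.ip", "localhost")
    if ip in ("localhost", "127.0.0.1"):
        return []                     # loopback only: not reachable from outside
    findings = []
    pw = s.get("c.NotebookApp.password", "")
    if not pw:
        findings.append("bound to %r with no password set" % ip)
    elif ":" not in pw:               # hashed values look like the 'sha1:...' above
        findings.append("password does not look like a hashed value")
    if not (s.get("c.NotebookApp.certfile") and s.get("c.NotebookApp.keyfile")):
        findings.append("no certfile/keyfile: the password would cross the network in clear text")
    return findings
```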
You can also "Create Firewall Rules" to allow your jupyter c.NotebookApp.port number.
Refer to this image; set Protocols and ports to tcp:<jupyter port number>.

SSH to Google Compute Engine Instance Failing

I created a simple f1 micro instance (Ubuntu 16.10) on Google Compute Engine. I had created a VPC (Networking) and allowed http/https. I explicitly created a Firewall rule to allow SSH (tcp:22). But I am not able to login to the VM instance.
I keep getting this error:
Here is my Firewall Rule:
How to fix this?
I was able to finally ssh into an instance by choosing "Automatic" while creating a new VPC network instead of "Custom" and also choosing "allow ssh". This added default firewall rules which were more accurate.
For anyone that runs into this problem I reached out to Google support by email (who responded!!) and they instructed me to run the following commands from terminal (where I have gcloud installed):
If you haven't yet authenticated / or to set the correct project
gcloud auth login
gcloud config set project PROJECT_ID
This is the meat of it - setting the firewall rules.
gcloud beta compute firewall-rules create default-allow-ssh --allow tcp:22 --priority=65534
Also - use Chrome - the interface seems to occasionally throw a fit whenever you use any other browser.

reset windows firewall without deleting instance

I accidentally messed up Windows Firewall of my VPS and now I can't connect using RDP anymore.
Is there a way to reset the firewall rules without deleting and creating a new instance? I already checked the FAQs and found nothing about it; same goes for the cloud shell. The firewall rules that I can see on the web manager seem different from my operating system's firewall.
The best way is to use Google Cloud console.
Go to the Windows Instance
Edit the Instance and add the following key/value pair to Custom Metadata section
key is: windows-startup-script-cmd
value: netsh advfirewall set allprofiles state off
This resets the firewall to Off when booting and you can get back in with the RDP client as before.
Please open Cloud Shell on Google Cloud Platform web console.
Type: gcloud compute firewall-rules create openrdp --allow=tcp:3389
Try to connect your machine again.

Block offending IP from Google Compute Instance

Is there a network-level IP address blocking/blacklist capability for a Google Compute Engine instance? For example, a site is hosted on a GCE instance to allow public users access. However, a malicious script runs several times/second, which is not legitimate traffic. Ideally, the IP of the offending user could be placed on a block list so traffic would not be routed to the instance, rather than a server-side-only mechanism (Apache modules, iptables, etc.), which still requires CPU/RAM/disk resources.
You can set up an HTTP load balancer for your instances, and allow traffic only from the LB IP address to your instances. More information can be found in this Help Center article.
GCP does not provide WAF natively. You can use marketplace WAF (like Brocade WAF) to block IPs.
https://cloud.google.com/launcher/solution/brocade-public-1063/stm-csub-1000-h-saf?q=brocade
This is absolutely not the recommended way to manage your firewall blacklist.
However...
In the compute GUI, you can create a firewall rule set action on match to "deny" and protocols and port to "deny all". Then set source IPs.
You could then run a cron job to update your firewall through gcloud compute firewall-rules update to update source IPs should your list change.
Note (from Google - https://cloud.google.com/vpc/docs/using-firewalls):
gcloud compute firewall-rules update is used to update firewall rules that allow/deny incoming/outgoing traffic. The firewall rule will only be updated for arguments that are specifically passed. Other attributes will remain unaffected. The action flag (whether to allow or deny matching traffic) cannot be defined when updating a firewall rule.
Yes, you can block it using Gcloud Firewall.
Try creating the firewall rule from the command line or by logging into Google Cloud.
Example:
gcloud compute firewall-rules create tcp-deny --network example-network --source-ranges 10.0.0.0/8 --action DENY --rules tcp:80
The above rule will block the range 10.0.0.0/8 to port 80 (tcp).
The same can be done to block other IP ranges over tcp and udp.
For more info check this: gcloud network config
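An added example (not from either answer above) that ties the deny rule to the cron-driven update idea: it validates and collapses a blocklist file's entries with the standard library before they reach gcloud, and emits the create command for the first run and an update command that passes only `--source-ranges`, since the action of an existing rule cannot be changed. The blocklist lines are constructed; the 256-ranges-per-rule cap and the priority value are assumptions, not taken from the page.

```python
import ipaddress

MAX_SOURCE_RANGES = 256   # assumed per-rule limit; confirm against current VPC quotas
DENY_PRIORITY = 100       # assumed: lower number than the 1000 default, so the deny wins


def normalize_blocklist(entries):
    """Validate IPs/CIDRs and collapse overlapping ranges.

    Returns (ranges, rejected): ranges as sorted CIDR strings (IPv4 first),
    rejected as the raw lines that did not parse, so they are reported rather
    than silently dropped or passed through to gcloud."""
    by_version, rejected = {4: [], 6: []}, []
    for raw in entries:
        line = raw.split("#", 1)[0].strip()       # tolerate comments and blank lines
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)   # '203.0.113.7' -> /32
        except ValueError:
            rejected.append(raw)
            continue
        by_version[net.version].append(net)
    ranges = []
    for version in (4, 6):
        collapsed = ipaddress.collapse_addresses(by_version[version])
        ranges += [str(n) for n in sorted(collapsed)]
    return ranges, rejected


def deny_rule_args(name, ranges, network="default", ports=("tcp:80",), update=False):
    """argv for gcloud: a full create, or an update that touches only the source ranges."""
    if not ranges:
        raise ValueError("refusing to emit a rule with no source ranges")
    if len(ranges) > MAX_SOURCE_RANGES:
        raise ValueError("%d ranges exceeds %d; split across several rules"
                         % (len(ranges), MAX_SOURCE_RANGES))
    src = "--source-ranges=" + ",".join(ranges)
    if update:
        return ["gcloud", "compute", "firewall-rules", "update", name, src]
    return ["gcloud", "compute", "firewall-rules", "create", name,
            "--network=" + network, "--direction=INGRESS", "--action=DENY",
            "--rules=" + ",".join(ports), "--priority=%d" % DENY_PRIORITY, src]


# Constructed blocklist, as a cron job might read it from a file.
BLOCKLIST_LINES = ["10.0.0.0/8", "10.1.0.0/16  # inside the /8", "203.0.113.7",
                   "bogus-entry", "", "2001:db8::/32"]
```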