Google Compute instance is not receiving traffic from site to site vpn - google-compute-engine

I am trying to establish a site-to-site VPN from Google Cloud to my home. I am using the route-based VPN option in Google Cloud and I see that the connection is established from my home to Google Cloud. When I ping my home network from a Google Compute instance, I can see the incoming traffic at home. But the Google Compute instance is not receiving any traffic. I have the following routes:
Default route destination 0.0.0.0/0 next hop Internet gateway (automatically created)
Default route destination 192.168.2.0/24 next hop vpc-network (automatically created)
Route destination 192.168.1.0/24 next hop vpn-tunnel (I created to route traffic from GCP to my home)
The firewall is open from any IP to the VPC network.
I am thinking it is a Routing/Firewall problem, but lost on the next steps to debug. Any help is appreciated.

Related

How to find the external IP?

I have a Python application which has been deployed to OpenShift.
I am using an external REST service in my application. In order to use this service, the developers of the REST service have to whitelist my IP because a Firewall blocks unauthorized IP addresses.
How can I find the external IP of my application? How can I find it in OpenShift? I tried a few oc commands, but I am not sure if I have to get the IP of the pod or the service.
Out of the box the traffic from internal cluster components will appear to external infrastructure like they are coming from whichever OpenShift compute host their pods are currently scheduled on.
Information on internal cluster networking and how traffic traverses from a process running inside a pod to the external network can be found at SDN: Packet Flow.
In your case you could have the external application whitelist all of the ip addresses of the compute hosts that are expected to run your application pods.
Alternately you could set up an EgressIP. This will cause all traffic originating from a specific OpenShift project to appear as if it is originating from a single ip address. You could then have your external application whitelist the EgressIP address.
Documentation for configuring EgressIP can be found in the official documentation under Enabling Static IPs for External Project Traffic.
What you are searching for is the external IP of the Service. A Service acts as a load balancer for your pods but by default it only has a cluster-wide IP address. If you need a URL to access it from the outside, you can create a Route. For your purpose where you need an actual external IP address, you can assign the Service an external IP manually. Information on how to do this can be found in the official OpenShift Docs.

BGP session in cloud router does not accept advertised default routes

I have set up a VPN tunnel from my on prem datacenter to a Google Cloud project.
I have set up a BGP session on my on prem router, and on a Google Cloud router, that works, and they can see each other subnets and I can ping instances from each side.
The problem comes when I advertise a default route 0.0.0.0/0 from my on prem datacenter to my Cloud router. I have removed the 0.0.0.0/0 default route from my Google Cloud network already. So what this setup will do is route all egress traffic from Google Cloud instances to the on prem network. That default route is not accepted by Cloud router and not added to the routes table.
Can someone explain if Cloud Router has a filter against default route advertisements via BGP?
I ran into the same problem. Google filters route 0.0.0.0/0 from BGP. However, you can work around this if you announce 0.0.0.0/1 and 128.0.0.0/1 via BGP.
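The two routing threads above (the site-to-site VPN question with its three routes, and the BGP workaround of announcing 0.0.0.0/1 and 128.0.0.0/1 in place of a filtered 0.0.0.0/0) both come down to longest-prefix-match selection. The following is an added example, not code from any post on this page: it reproduces both route tables as constructed data, resolves next hops the way a VPC does (most specific prefix first, then lowest priority value), checks that the two /1 halves cover all of IPv4, and includes a simplified ingress-firewall check for the return traffic from the on-prem side. Next-hop labels, the 192.168.2.0/24 stand-in VPC subnet in the BGP table, and the firewall rule sets are all assumptions made for the example.

```python
"""Longest-prefix-match route lookup over constructed GCP-style route tables.

Added example, not part of any post on this page. The tables below are
constructed from what the posts describe; next-hop names are labels only.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, collapse_addresses
from typing import Iterable, Optional


@dataclass(frozen=True)
class Route:
    dest: IPv4Network       # destination prefix
    next_hop: str           # constructed label for the next hop
    priority: int = 1000    # GCP semantics: lower value wins on equal prefix length


def lookup(table: Iterable[Route], dst: str) -> Optional[Route]:
    """Return the route a packet to `dst` takes: longest prefix, then lowest priority.

    Returns None when nothing matches (the VPC would drop the packet).
    """
    addr = IPv4Address(dst)
    matches = [r for r in table if addr in r.dest]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.dest.prefixlen, r.priority))


def covers_all_ipv4(table: Iterable[Route]) -> bool:
    """True if the table's destinations, merged, span the whole IPv4 space."""
    merged = list(collapse_addresses(r.dest for r in table))
    return merged == [IPv4Network("0.0.0.0/0")]


@dataclass(frozen=True)
class IngressRule:
    source: IPv4Network     # source range the rule applies to
    action: str             # "allow" or "deny"
    priority: int = 1000    # lower value wins among matching rules


def ingress_allowed(rules: Iterable[IngressRule], src: str) -> bool:
    """Simplified VPC ingress evaluation: best-priority matching rule, implied deny."""
    addr = IPv4Address(src)
    matches = [r for r in rules if addr in r.source]
    if not matches:
        return False        # implied deny-all ingress when no rule matches
    return min(matches, key=lambda r: r.priority).action == "allow"


# Constructed from the site-to-site VPN question: the three routes listed there.
VPN_QUESTION_TABLE = (
    Route(IPv4Network("0.0.0.0/0"), "internet-gateway"),
    Route(IPv4Network("192.168.2.0/24"), "vpc-network"),
    Route(IPv4Network("192.168.1.0/24"), "vpn-tunnel"),
)

# Constructed from the BGP thread: the learned 0.0.0.0/0 is dropped, so the
# on-prem side announces the two halves; both resolve to the tunnel.
BGP_WORKAROUND_TABLE = (
    Route(IPv4Network("192.168.2.0/24"), "vpc-network"),
    Route(IPv4Network("0.0.0.0/1"), "vpn-tunnel"),
    Route(IPv4Network("128.0.0.0/1"), "vpn-tunnel"),
)

# Same table with a 0.0.0.0/0 default left in place: the /1 routes are more
# specific, so they still win for every destination.
BGP_WORKAROUND_WITH_DEFAULT = BGP_WORKAROUND_TABLE + (
    Route(IPv4Network("0.0.0.0/0"), "internet-gateway"),
)

# Constructed ingress rule sets: one open to any source (as in the question),
# one that only admits the VPC's own subnet and therefore blocks on-prem replies.
OPEN_TO_ANY = (IngressRule(IPv4Network("0.0.0.0/0"), "allow"),)
VPC_ONLY = (IngressRule(IPv4Network("192.168.2.0/24"), "allow"),)


if __name__ == "__main__":
    for dst in ("192.168.1.10", "192.168.2.5", "8.8.8.8"):
        r = lookup(VPN_QUESTION_TABLE, dst)
        print(f"{dst:>14} -> {r.dest} via {r.next_hop}")
    print("two /1 halves cover IPv4:", covers_all_ipv4(BGP_WORKAROUND_TABLE))
    print("8.8.8.8 with default kept:",
          lookup(BGP_WORKAROUND_WITH_DEFAULT, "8.8.8.8").next_hop)
    print("on-prem reply admitted (open rule):", ingress_allowed(OPEN_TO_ANY, "192.168.1.10"))
    print("on-prem reply admitted (VPC-only):", ingress_allowed(VPC_ONLY, "192.168.1.10"))
```

Run as a script it prints the next hop for each destination in the VPN question's table, confirms the /1 announcement covers every address, and shows that an ingress rule scoped to the VPC's own subnet would silently drop the replies coming back from 192.168.1.0/24, which is the kind of check worth making on both ends of a tunnel when one direction works and the other does not.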

Google Load-Balancing CDN

I am using the Google Load-Balancer with the CDN option enabled.
When I set up the backend configuration for the load balancer, I set up a backend with instances in US-Central, US-West and US-East.
Everything is working great, except all traffic is being routed only to the US-West backend service.
Does the load-balancer option route traffic to the closest backend service?
I see that there is an advanced menu in the load balancer for creating forwarding rules, target proxies and more.
Is there something I need to do to make my load-balancer load closest to client?
If they are in Florida and the CDN does not have the file, they get routed to the US-East VM Instance?
If that is not possible, it seems like having only an US-Central server would better than having US-Central, US-East and US-West? That way East Coast misses are not going to the West Coast to get the file. Everything will pull from the central location.
Unless there is a way to route traffic from the load-balancer to the closest VM instance, it seems as if the only solution would be to create different load balancers with the CDN enabled and use DNS routing to point to the CDN pool that is closest.
That setup would use 3 different CDN IP addresses, 3 Compute Engine IP addresses and DNS latency or location routing. If they are in Florida, route them to the Google Load Balancer CDN on the east coast.
I'm not sure that would be a good solution on top of the Anycast ip routing. It seems like overkill.
Thank you for listening and any help or guidance would be appreciated.
"By default, to distribute traffic to instances, Google Compute Engine picks an instance based on a hash of the source IP and port and the destination IP and port."
Similar question: Google compute engine load balancing not routing properly Except all traffic in a live environment is all going to the same VM instance.
I am using the Google CDN Frontend Anycast ip address.
I think Elving is right and there may be a misconfiguration. Here is a screenshot of the VM instances in Google Cloud. It says the two instances aren't in use.
Here is another picture of the Instances Groups. I don't see a clear way to make the instances attached to the instance groups.
The load balancer will automatically route traffic to the nearest instance group with capacity. You don't need to do anything other than configure your backend service to use multiple instance groups.
There's more information at https://cloud.google.com/compute/docs/load-balancing/http/.

Unable to configure Google Cloud Pub/Sub push subscriber

I have a Google Cloud project consisting of a Compute Engine instance which I want to configure as a push subscriber of the Cloud Pub/Sub service. I have set up an Apache web server with a self-signed certificate on the instance and have also made a DNS entry (abc.mydomain.com) which points to the instance, which has a static IP address. I am already a verified owner of the domain (mydomain.com) on Webmasters.
Whenever I add the subscription from the Cloud console, it fails with the error: "The subscription could not be added" and does not show any other useful information.
Please help.
Self-signed certificates are not supported.
There are a few options for you:
Pay for the certificate
Use App Engine as a proxy
Use pull subscriptions
Use App Engine Managed VM
The last one is basically a Compute Engine instance, but you will get free https connection via a subdomain of appspot.com.

VPN Config Google Cloud

I need to know if the following scenario is possible using Google Cloud:
I need to have an IPsec VPN with a partner. The thing is that on their side they will allow only one of my hosts to access their network; on their side they configure an ACL as follows: network-object host X.X.X.4.
So, it is a must that in the phase 2 negotiation Google Cloud sends as the local address the IP allowed by them, X.X.X.4, and not the network X.X.X.0/something; if that happens, phase 2 will fail.
Is it possible to configure the VPN with this requirement?
Regards,
Will.
You could try creating a /30 network in your project, host the VM that you would like to interact with the partner there, and set up the VPN tunnel.
If you have another network where other VMs/apps exist, set up a cross-VPN between the VPN tunnels in your project; they are just in different networks within the same project.