I can ping its external IP from my local laptop, but cannot ping it from its own. I have set up firewall rules to allow ICMP from all internal IPs of its subnetwork (10.45.0.0/6). What other reasons could there be?
GCE uses the Hypervisor to assign the External IP to an Instance.
That means the firewall rule applies between the external IP and the instance; to enable ping loopback, a 0.0.0.0/0 (or more restrictive) allow rule for ICMP will allow the ping to reach the external IP from the internal one. Make sure you have the default firewall rule 'default-allow-icmp' on your network details for the VM. Please see this link for more information about rules in the default network.
Related
I am working on a project that requires me to have multiple network interfaces. I followed the documentation and created three interfaces. I also changed the firewall rules. But even after changing the firewall rules, I am not getting a reply for an ICMP request to the second interface's external IP.
As seen in the screenshot, I have allowed all protocols from anywhere to any instance in my network.
If you look at the routing table of your VM instance, you'll see that the default route is configured on the primary network interface eth0:
vm-instance:$ ip route
default via 10.156.0.1 dev eth0
...
Whether an Ephemeral or a Static External IP address is configured, this External IP is unknown to the operating system of the VM instance. The External IP address is mapped to the VM's Internal address transparently by VPC. You can verify this with the command
vm-instance:$ ip -4 address show
You'll see that there are no External IPs bound.
Furthermore, IP packet forwarding is disabled both for the network cards of the VM instance and for the network interfaces in Google-provided Linux. The commands below verify that:
CloudShell:$ gcloud compute instances describe vm-instance --zone=your-zone | grep canIpForward
vm-instance:$ sudo sysctl net.ipv4.ip_forward
Therefore, when a ping packet is received on a secondary interface, the VM can't reply.
To explore this behavior a bit, you may launch tcpdump on the VM instance so that it listens on a secondary interface, for example eth1:
vm-instance:$ sudo apt-get install tcpdump
vm-instance:$ sudo tcpdump -i eth1
then find out the External IP of your Cloud Shell appliance and ping the secondary External IP of your VM instance from Cloud Shell:
CloudShell:$ curl ifconfig.me/ip
CloudShell:$ ping [secondary_ip_of_vm_instance]
You'll see in the tcpdump output on the console of your VM instance how ICMP packets arrive at the eth1 interface from the External IP address of your workstation. But they are not replied to.
Google provides an explanation of this behavior in the Troubleshooting section of the VPC documentation and suggests possible workarounds:
Virtual Private Cloud > Doc > Creating instances with multiple network interfaces > Troubleshooting > I am not able to connect to secondary interface using external IP:
The DHCP server programs a default route only on the primary network interface of the VM. If you want to connect to the secondary interface using an external IP, there are two options. If you only need to connect outside the network on the secondary network interface, you can set a default route on that network interface. Otherwise, you can use Configuring Policy Routing to configure a separate routing table using source-based policy routing in your VM.
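The second option from the quoted documentation, source-based policy routing, as an added example that is not part of the original answer. It builds a dedicated routing table for the secondary interface and two rules that steer traffic from and to that interface's address into it, so replies to a ping that arrived on eth1 leave through eth1's gateway instead of eth0's default route. The interface name, address, gateway and table number are assumed values passed in as arguments; the script also assumes the guest agent configures the secondary address as a /32 (hence the host route to the gateway added first), which is how GCE hands out addresses via DHCP.

```shell
#!/bin/sh
# Added example: source-based policy routing for a secondary GCE interface.
# Not code from the page. Assumed inputs: IFACE (eth1), its ADDR, its
# GATEWAY and a free TABLE id. On a real VM take them from
#   ip -4 address show dev eth1
#   curl -s -H Metadata-Flavor:Google \
#     http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/1/gateway

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# policy_route_cmds IFACE ADDR GATEWAY TABLE
# Prints the ip(8) commands instead of running them, so they can be reviewed
# (or tested) before touching a live VM.
policy_route_cmds() {
    iface=$1 addr=$2 gw=$3 table=$4
    valid_ipv4 "$addr" || { echo "bad address: $addr" >&2; return 1; }
    valid_ipv4 "$gw"   || { echo "bad gateway: $gw" >&2; return 1; }
    # Host route to the gateway: the interface carries a /32, so the kernel
    # must be told explicitly that the gateway is on-link via this interface.
    printf 'ip route add %s src %s dev %s table %s\n' "$gw" "$addr" "$iface" "$table"
    # Default route for this table only; the main table keeps eth0's default.
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    # Replies to packets that arrived on IFACE are sourced from ADDR; this
    # "from" rule is what sends them into the new table. The "to" rule covers
    # locally generated traffic addressed to ADDR.
    printf 'ip rule add from %s/32 table %s\n' "$addr" "$table"
    printf 'ip rule add to %s/32 table %s\n' "$addr" "$table"
}

# apply_policy_route IFACE ADDR GATEWAY TABLE: execute the commands (as root).
apply_policy_route() {
    policy_route_cmds "$@" | sh -e
}

# Example invocation with constructed values (not taken from the page):
#   sudo sh secondary-route.sh eth1 10.156.1.2 10.156.1.1 1
if [ "$#" -eq 4 ]; then
    apply_policy_route "$@"
fi
```

The rules are not persistent; put the same commands in a boot-time script or a systemd unit if the VM is expected to survive a reboot. After applying them, repeat the tcpdump check from the answer: the ICMP echo replies should now appear on eth1.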
I have used firewall rules but I still cannot receive traffic on my VM instance. I want to allow incoming HTTP server connections. By default Google Compute Engine does not allow incoming traffic from outside the network, so you have to create firewall rules. The Google Cloud Platform documentation suggests disabling the operating system firewall. To disable it I need my user password, which I never created. So what to do now? I need the password for my user; I am the creator of the VM instance. Any help?
These are my firewall settings:
saad_hussain#saad:~$ gcloud compute firewall-rules list
NAME                    NETWORK  SRC_RANGES    RULES                         SRC_TAGS  TARGET_TAGS
default-allow-http      default  0.0.0.0/0     tcp:80                                  http-server
default-allow-https     default  0.0.0.0/0     tcp:443                                 https-server
default-allow-icmp      default  0.0.0.0/0     icmp
default-allow-internal  default  10.128.0.0/9  tcp:0-65535,udp:0-65535,icmp
default-allow-rdp       default  0.0.0.0/0     tcp:3389
default-allow-ssh       default  0.0.0.0/0     tcp:22
http                    default  0.0.0.0/0     tcp:80
https                   default  0.0.0.0/0     tcp:80
Open Google Cloud Platform and log in.
Click Console at the top right.
Click Compute Engine in the left menu.
Then click VM instances in the left menu.
Click the three-dot menu (...) of the virtual machine instance for which you want to allow the port connection.
Select "View network details". (Now you can see the firewall rules.)
Click "Firewall Rules" in the left menu.
Click the "CREATE FIREWALL RULE" button at the top of the page.
Here you can allow any IP to connect to your VM instance, or allow any port. Now you can adjust the firewall for the VM instance. Good luck.
Here is some advice to troubleshoot similar issues. Have a look at:
a) Google Firewall. As per the comments and the output provided, port 80 is already opened, but the rule will only apply to instances that hold the tag "http-server".
b) Making sure that a firewall inside the VM is not filtering packets. As also mentioned in the comments, most of the public images provided by Google allow the traffic by default.
c) Making sure that the service is not only listening on localhost and that it is using an IPv4 address.
Using nmap can help determine whether the issue is being caused by a firewall or by the server not listening on the appropriate port. The latter can also be verified using "netstat --listen".
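Point c) of that answer, as an added example that is not part of the original post: a small check that classifies what is listening on a port from `ss -ltn` output (the modern equivalent of `netstat --listen`). A service bound only to 127.0.0.1 is indistinguishable from a firewall drop when probed from the Internet, so this is worth ruling out before touching firewall rules. The sample socket table embedded below is constructed for the example; the port numbers and addresses in it are not from the page.

```shell
#!/bin/sh
# Added example: tell "nothing listens", "listens only on loopback" and
# "reachable from outside" apart using the socket table. Not code from the
# page; the SAMPLE_SS table below is constructed, not captured from any VM.

# listener_scope SS_OUTPUT PORT
# Prints one of:
#   none      nothing listens on PORT
#   loopback  only 127.0.0.1 / [::1] listen on PORT (unreachable from outside)
#   external  at least one socket is bound to a wildcard or non-loopback address
listener_scope() {
    ss_output=$1 port=$2
    printf '%s\n' "$ss_output" | awk -v port="$port" '
        NR == 1 { next }                      # skip the header line
        {
            # Local address is column 4, e.g. 0.0.0.0:80, [::]:443, 127.0.0.1:3306, *:8443
            la = $4
            p = la; sub(/.*:/, "", p)         # port = text after the last colon
            if (p != port) next
            host = la; sub(/:[0-9]+$/, "", host)
            if (host == "127.0.0.1" || host == "[::1]") loop = 1
            else ext = 1                      # wildcard, interface address or IPv6 any
        }
        END {
            if (ext) print "external"
            else if (loop) print "loopback"
            else print "none"
        }'
}

# check_port PORT: run on the VM itself against the live socket table.
# A [::]:PORT listener is reported as external; it only accepts IPv4 as well
# when net.ipv6.bindv6only is 0 (the Linux default).
check_port() {
    listener_scope "$(ss -ltn)" "$1"
}

# Constructed sample of `ss -ltn` output for the example run below.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    127.0.0.1:80        0.0.0.0:*
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      511    [::]:443            [::]:*
LISTEN 0      511    *:8443              *:*'

# Example run on the constructed table: port 80 is bound to loopback only, so
# opening tcp:80 in the GCE firewall would change nothing for this VM.
for port in 22 80 443 8080; do
    printf 'port %s: %s\n' "$port" "$(listener_scope "$SAMPLE_SS" "$port")"
done
```

To separate the two remaining cases from outside the VM, probe the external IP with `nmap -Pn -p 80 <external-ip>`: "filtered" means the packets are being dropped (GCE firewall or a host firewall), while "closed" means they reached the VM but nothing was listening.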
I have a Google Cloud Compute Engine instance. I'm trying to connect using WinSCP. I followed the steps at https://cloud.google.com/compute/docs/instances/connecting-to-instance
It is stating "Connection Timed out error". What could be the cause? Do I need to open the firewall in Google Cloud? But that isn't shown in the instructions.
Yes, you should have a GCE firewall rule added for the SSH protocol to allow this traffic to the VM instances you want to connect to. This is a quote from this article:
Each network has its own firewall controlling access to the instances. All traffic to instances, even from other instances, is blocked by the firewall unless firewall rules are created to allow it.
The default network has automatically created firewall rules, which are shown below. No manually created network of any type has automatically created firewall rules. For all networks except the default network, you must create any firewall rules you need.
Firewall rules are only "allow" rules. You cannot create "deny" rules. If you need to restrict traffic from reaching certain instances, create rules that allow traffic to the other instances, then remove the firewall rule that allowed traffic to all of the instances.
The firewall rules automatically created for the default network are as follows:
default-allow-internal
Allows network connections of any protocol and port between instances on the network.
default-allow-ssh
Allows SSH connections from any source to any instance on the network over TCP port 22.
default-allow-rdp
Allows RDP connections from any source to any instance on the network over TCP port 3389.
default-allow-icmp
Allows ICMP traffic from any source to any instance on the network.
I am setting up a HTTP load balancer for my compute engine instances. After the basic setup works, I want to block external HTTP access to my compute engine instances. All HTTP communication should go through the forwarding rule. How to configure the network firewall to achieve that?
So far my network firewall looks like:
default-allow-http
Allow from any source (0.0.0.0/0)
tcp:80 ; tcp:443
I tried to change the source filter to 10.240.0.1/16 or my forwarding rule IP (107.178.254.89). None of these works.
I have this Google instance where another Ephemeral IP is forwarded to. In fact all TCP ports on that IP are getting forwarded to the target instance.
Now what I need to do is to forward all UDP ports from the same IP to the same instance.
Unfortunately running this command:
gcutil --service_version="v1" --project="trainer-484" addforwardingrule "eu-rule-1-1-udp" --region="europe-west1" --protocol="UDP" --target="eu-pool" --ip="x.y.x.x"
I get the following error:
Invalid value for field 'resource.natIP': 'natIP/x.y.x.x'. Resource was not found.
This is a serious problem as we need to be able to forward all protocols not just a subset of protocols.
You can't add another forwarding rule to that ephemeral IP (see the documentation at [1]).
You need to reserve an IP with the command:
gcutil --project="trainer-484" reserveaddress --region="europe-west1" ip-name
Then you can use the reserved IP to add forwarding rules.
Kind Regards,
Paolo
[1] - https://developers.google.com/compute/docs/gcutil/reference/forwardingrule