VM Instances on Google Cloud - google-compute-engine

I have created a VM instances on Google cloud and i want to access it from WAN. I try type address in address bar but it say server down. I can remote desktop to my window instance but cannot access it in browser.
What is the problems? How to solve it?

You can access linux instances with SSH and windows instances using remote desktop. More details can be found in the google cloud documentation here.
Update:
If you want to enable http access to your website then you need to
1) Make sure you are trying to connect to correct external ip address. Your server will either have a static or Ephemeral ip address. Ephemeral ip address changes every time you reboot your server. Static ip doesn't change, but it is not free. More details here.
2) Make sure you enabled http access in your firewall settings. (Maybe you forgot to check this option when you are creating your virtual machine?) To set the firewall settings go to Networking -> vpc network -> firewall rules

Related

Is there a way to set a static IP on an AWS RDS Instance?

So for a project that I am working on at my office, I have a .NET application that will be storing and retrieving data to/from an AWS RDS MySQL Server that I have setup. The problem that I have run into is that port 3306 is not open on the work network.
I have reached out to my networking department to see what they can do about opening this port. They asked me if there was a way to set a static IP to this AWS RDS Instance. They only want to open the port based on the server's IP address rather than open the port 3306 completely for security reasons they say. After some research, I have seen that it is possible to set an elastic IP (similar to static IP?) on an AWS EC2 instance but I am curious about setting a static IP on an AWS RDS Instance. I did not see anywhere on the AWS Dashboard about setting a static IP for my RDS Instance. The reason behind the static IP is so that when the IP that is associated with the endpoint DNS that they provide changes, they wont need to adjust the firewall settings to accommodate this change.
Is it possible to have the port open for only this specific DNS
endpoint that AWS provides? If not, is it possible to set an IP
to static on the RDS instance?
What sort of security concerns are there if they were to completely open port 3306?
Thank you!
You don't need a fixed IP for RDS Instance. When you create a RDS instance AWS service defines a URL for your instance. This URL is fixed. Even in case of IP change the URL will still route to the correct instance.
You can tell your IT team to create a firewall rule in port 3306 for the RDS instance URL and it will work fine.
About the security, the idea is to close the inbound connections on port 3306 to your site. This will restrict anyone trying to connect to your internal instances at the same time that you can connect to all hosts in the internet using this port. There is no need to close all the outbound connections. But...
Is a information security best practice to apply the least privileged access principle. This means: only allow what is specificaly needed. If they open the port for all hosts, maybe in the future, someone can discover a new vulnerability and exploit it, because no one in your IT team will remember why was needed to open the port for all hosts. So.. they keep open only what is needed.

Google Cloud - Adding additional Internal IP to VM

I'm trying to build a webserver in Google Cloud Platform that hosts multiple websites (GBP, IE, FR, DK etc.)
Generally, we assign a range of IPs to the server statically, set the bindings in IIS, then loadbalance using a virtual IP.
It seems near enough impossible to assign another internal IP in GCP. Lots of guides about additional external IPs, but we don't want a public facing webserver like this.
Anybody have any idea on how to add additional internal IPs to a VM / Instance?
Also, I have tried changing the internal address I have assigned to the Instance to static in network adapter settings, next thing I know I can't access my VM for love nor money, had to delete and re-create. If I go into advanced settings to add additional static IPs, w'ere set to DHCP apparently, so can't add additional IPs.
Thanks all.
Answer that I recieved from GCE discussion group, in Google Groups:
"You can add additional internal IP addresses to a VM instance. This is possible by enabling IP forwarding for the VM, creating a static network route, adding appropriate firewall rules, and setting additional internal IP addresses to network adapter of Windows. These steps are described in this article for Linux machines (https://cloud.google.com/compute/docs/networking#set_a_static_target_ip_address). The same steps are valid for Windows VMs. You will need to keep the initial internal IP address, subnet mask, gateway address and DNS settings of the adapter and manually enter them in properties of IPv4 of the network adapter. The below is a screenshot of my configuration on a VM instance (Windows 2008 R2) that perfectly works."
Update:
Now, you can create instances with multiple network interfaces On Google Compute Engine and assign IPs. For more information, refer to this public documentation link. However, currently it has following limitations:
Alias IP ranges are not supported on any network interface on a VM
that has multiple network interfaces enabled.
You cannot modify or delete the network interfaces after the VM has
been created.

Cannot access Google Cloud Compute Instance External IP

I have set up an Google Cloud Compute Instance:
Machine type
n1-standard-1 (1 vCPU, 3.75 GB memory)
CPU platform
Intel Haswell
Zone
us-east1-c
I can ssh in using the external address.
I have installed the vncserver and can access it on port 5901 from localhost as well as the internal IP.
I am trying to access it from the static, external IP address but it is not working.
I have configured the firewall to open to port to 0.0.0.0/0, but it is not reachable.
Can anyone help?
------after further investigation from the tips from the two answers (thanks, both!), I have a partial answer:
The Google Cloud Compute instance was set, by default, to not allow
HTTP traffic. I reset the configuration to allow HTTP traffic. I
then tried the troubleshooting tip to run a small HTTP service in
python. I was able to get a ressponse from the service over the
internet.
The summary of the current situation is as follows:
The external IP address can be reached
It is enabled and working for SSH
It is enabled and working for HTTP
It does not seem to allow traffic from vncserver
Any idea how to configure the compute instance to allow for vncserver traffic?
If you already verified that Google Firewall or your VM are not blocking packets, you must make sure that VNC service is configured to listen on the external IP address.
You can always use a utility like nmap outside Google project to reveal information on the port status.
enable http/https traffic form the firewall as per the need. it will work!!
The Google Cloud Compute instance was set, by default, to not allow HTTP traffic. I reset the configuration to allow HTTP traffic. I then tried the troubleshooting tip to run a small HTTP service in python. I was able to get a response from the service over the internet.
As such, the original question is answered, I can access Google Cloud Compute Instance External IP. My wider issue is still not solved, but I will post a new, more specific question about this issue
TLDR: make sure you are requesting http not https
In my case i was following the link from my CE instance's External Ip property which takes you directly to the https version and i didn't set up https, so that was causing the 'site not found' error.
Create an entry in your local ssh config file as below with mentioned local forward port. In my case its an example of yarn's IP, which I want to access in browser.
Host hadoop
HostName <External-IP>
User <Local-machine-username>
IdentityFile ~/.ssh/<private-key-for-above-user>
LocalForward 8089 <Internal-IP>:8088
In addition to having the firewall rules to allow HTTP traffic in both Google Cloud Platform and within the OS of the instance, make sure you install a web server such as Apache or Nginx.
After installing the web server, you connect to the instance using SSH and verify you do not get a failed connection with the following command:
$ sudo wget http://localhost
If the connection is positive, it means that you can access your external URL:
http://<IP-EXTERNAL-VM>
Usually there are two main things to check.
1. Port
By default, only port 80, 443 and ICMP are exposed. If your server is running on a different port, create a record for the same.
2. Firewall
Make sure you are allowing http and https traffic based on your need.
oua re
For me the problem was that I set up the traffic for the firewall rule to be 'Egress' instead of 'Ingress'.
If anyone already initiated 'https'
just disable it and check again.

VPN Config Google Cloud

i need to know if the following scenario is possible using Google Cloud:
I need to have a IPSec VPN with a partner, the thing is that at their side they will allow only one of my hosts access their network, at their side they configure a ACL as follows: network-object host X.X.X.4.
So, is a must that in the negotiation of phase 2, Google Cloud send as local address the ip number allowed by their X.X.X.4, and not the network X.X.X.0/something, if that happens phase 2 will crash.
Is possible to configure the VPN using this requirement?
Regards,
Will.
You could try creating a /30 network in your project and hosts the VM that you would like to interact with the partner and setup the VPN tunnel
If you have another network, where other VM/Apps exists, setup a cross-vpn between the VPN tunnels in your project, just that they are in different network within the same project.

SSH into GCE VM via web browser with restricted IP addresses

I've setup my VM to use a network only allowing a whitelist of IP addresses on the SSH protocol on port 22.
If I try to SSH into my instance via the web browser within the developer console the connection is correctly refused, as it isn't originating from one of my permitted IP addresses.
I'm curious if there is a way to have my whitelist of IP addresses and still SSH into the VM via the browser. I know I can still connect using gcutil, and it would obviously work if I had the IP address.
Looking at the documentation, it isn't listed as a known issue.
When connecting from Developer Console SSH tool the instance receives connection from Google IP range, I made a test and it was from 74.125.0.0/16 range. You could try to temporary white list this range and see if you can access.
Regards
Paolo