I have an Ubuntu (14.04) VM instance that I can SSH into. It has no iptables rules and ufw is disabled. Other VMs in the network are accessible. Outbound requests are timing out. Restarting the VM didn't work.
tl;dr I can't ping google.com from a VM.
Any ideas or suggestions?
Removing the external IP will make the VM unable to make outbound requests. The effect is not immediate.
I have a question regarding a Compute VM and its associated privileges. I have 'Owner' privileges at the project level. I created a VM but was not able to assign an external IP address to it. Upon referring to the Google Cloud docs, it appears that I'll still be able to connect to this VM using VPN or IAP. Upon clicking the SSH link next to the VM, I see that it uses a Cloud IAP tunnel, but the connection fails.
Here is the error message
External IP address was not found; defaulting to using IAP tunneling.
ERROR: (gcloud.compute.start-iap-tunnel) Error while connecting [4003: u'failed to connect to backend'].
ssh_exchange_identification: Connection closed by remote host
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
How do I go about connecting to this VM?
Appreciate your help with this
https://hodari.be/posts/2019_09_30_access_private_gke_nodes_with_ssh/
https://cloud.google.com/iap/docs/using-tcp-forwarding
Firewall rules that are configured to allow access from Cloud IAP's TCP forwarding netblock, 35.235.240.0/20, on all ports of your machine. This ensures that connections are allowed from Cloud IAP's TCP forwarding IP addresses to the TCP port of the admin service on your resource. Note that you might not need to adjust your firewall rules if the default-allow-ssh and default-allow-rdp default rules are applied to ports used for SSH and RDP.
As you probably already have default-allow-ssh, instead of trying:
gcloud compute start-iap-tunnel stage-es-kibana 5601 --local-host-port=localhost:5601
jump to the port via an extra SSH layer:
gcloud compute ssh stage-es-kibana -- -N -L 5601:localhost:5601
or open the Google firewall between host/port stage-es-kibana:5601 and the subnet 35.235.240.0/20.
This is a permissions issue.
You are trying to ssh into your vm thru google's IAP proxy.
You don't have permissions to create the tunnel from your computer to the proxy server.
You need to have the role "roles/iap.tunnelResourceAccessor" to SSH to your VM:
It seems that the GCP Compute Engine instance needs to initialize SSH and other services after it reaches RUNNING status.
I used a workaround by adding a sleep (60 sec) command, after starting the VM and before SSH using the IAP tunnel.
In my case I solved or worked around it by omitting the --tunnel-through-iap parameter that is passed to gcloud compute ssh.
Try opening the Google firewall to the subnet 35.235.240.0/20.
I have set up a Google Cloud Compute instance:
Machine type: n1-standard-1 (1 vCPU, 3.75 GB memory)
CPU platform: Intel Haswell
Zone: us-east1-c
I can ssh in using the external address.
I have installed the vncserver and can access it on port 5901 from localhost as well as the internal IP.
I am trying to access it from the static, external IP address but it is not working.
I have configured the firewall to open to port to 0.0.0.0/0, but it is not reachable.
Can anyone help?
After further investigation using the tips from the two answers (thanks, both!), I have a partial answer:
The Google Cloud Compute instance was set, by default, to not allow HTTP traffic. I reset the configuration to allow HTTP traffic. I then tried the troubleshooting tip to run a small HTTP service in Python. I was able to get a response from the service over the internet.
The summary of the current situation is as follows:
The external IP address can be reached
It is enabled and working for SSH
It is enabled and working for HTTP
It does not seem to allow traffic from vncserver
Any idea how to configure the compute instance to allow for vncserver traffic?
If you have already verified that the Google firewall or your VM is not blocking packets, you must make sure that the VNC service is configured to listen on the external IP address.
You can always use a utility like nmap outside Google project to reveal information on the port status.
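The answer above turns on where the service is bound. The following is an added example (not code from this thread): it parses the output of `ss -tlnp` on the VM and reports, per listening port, whether the socket is bound to 127.0.0.1/::1 (no other host can reach it, whatever the cloud firewall allows), to a wildcard address, or to one interface address. The sample `ss` output is constructed to mirror the VNC case in the question; `Xtigervnc`, the PIDs and the addresses in it are made up.

```python
"""Tell loopback-only listeners from remotely reachable ones.

Added example (not from this thread): parses the output of `ss -tlnp` on
the VM and reports, per listening port, whether the socket is bound to
127.0.0.1/::1 (no other host can reach it, whatever the cloud firewall
says), to a wildcard address, or to one interface address. The sample
output below is constructed to mirror the VNC case in the question.
"""
import re
import sys
from dataclasses import dataclass
from typing import List

# Constructed sample: what `ss -tlnp` might print on the VM.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5       127.0.0.1:5901      0.0.0.0:*          users:(("Xtigervnc",pid=1502,fd=7))
LISTEN  0       511     *:80                *:*                users:(("nginx",pid=2001,fd=6))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     10.142.0.2:8088     0.0.0.0:*          users:(("java",pid=3003,fd=9))
"""

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}


@dataclass
class Listener:
    process: str
    address: str
    port: int

    @property
    def scope(self) -> str:
        """'loopback', 'all' (every interface) or 'interface' (one address)."""
        if self.address in LOOPBACK:
            return "loopback"
        if self.address in WILDCARD:
            return "all"
        return "interface"


def parse_ss(output: str) -> List[Listener]:
    """Parse `ss -tlnp` text; the header line and non-LISTEN rows are skipped."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        address, port = fields[3].rsplit(":", 1)      # "[::]:22" -> "[::]", "22"
        proc = re.search(r'"([^"]+)"', fields[5]) if len(fields) > 5 else None
        listeners.append(Listener(proc.group(1) if proc else "?", address, int(port)))
    return listeners


def loopback_only(output: str, port: int) -> bool:
    """True when something listens on `port` but only on a loopback address."""
    on_port = [l for l in parse_ss(output) if l.port == port]
    return bool(on_port) and all(l.scope == "loopback" for l in on_port)


def report(output: str) -> List[str]:
    """One line per listener, flagging the ones no remote host can reach."""
    lines = []
    for l in parse_ss(output):
        note = " <- unreachable from other hosts" if l.scope == "loopback" else ""
        lines.append(f"{l.port:>5}/tcp {l.process:<10} bound to {l.address}{note}")
    return lines


if __name__ == "__main__":
    # On the VM: ss -tlnp | python3 listeners.py ; with no stdin, uses the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS_OUTPUT
    print("\n".join(report(text)))
```

In the constructed sample, the VNC display is bound to 127.0.0.1:5901, so no firewall rule on the project can make it reachable from outside; the fix is on the VM side (bind the server to 0.0.0.0, or keep it on loopback and reach it over an SSH tunnel). Note that on a GCE VM the external address is never visible to the guest, so "listen on the external IP" means listening on a wildcard or on the internal interface address.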
Enable HTTP/HTTPS traffic from the firewall as per the need. It will work!
The Google Cloud Compute instance was set, by default, to not allow HTTP traffic. I reset the configuration to allow HTTP traffic. I then tried the troubleshooting tip to run a small HTTP service in python. I was able to get a response from the service over the internet.
As such, the original question is answered: I can access the Google Cloud Compute instance's external IP. My wider issue is still not solved, but I will post a new, more specific question about it.
TLDR: make sure you are requesting http not https
In my case I was following the link from my CE instance's External IP property, which takes you directly to the https version, and I didn't set up https, so that was causing the 'site not found' error.
Create an entry in your local SSH config file as below with the mentioned local forward port. In my case it's an example of YARN's IP, which I want to access in a browser.
Host hadoop
HostName <External-IP>
User <Local-machine-username>
IdentityFile ~/.ssh/<private-key-for-above-user>
LocalForward 8089 <Internal-IP>:8088
In addition to having the firewall rules to allow HTTP traffic in both Google Cloud Platform and within the OS of the instance, make sure you install a web server such as Apache or Nginx.
After installing the web server, you connect to the instance using SSH and verify you do not get a failed connection with the following command:
$ sudo wget http://localhost
If the connection succeeds, it means that you can access your external URL:
http://<IP-EXTERNAL-VM>
Usually there are two main things to check.
1. Port
By default, only ports 80 and 443 and ICMP are exposed. If your server is running on a different port, create a rule for it.
2. Firewall
Make sure you are allowing http and https traffic based on your need.
For me the problem was that I set up the traffic for the firewall rule to be 'Egress' instead of 'Ingress'.
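The answers in this thread and in the IAP one above all come down to whether some VPC firewall rule actually covers the path being tested: the IAP TCP forwarding netblock 35.235.240.0/20 reaching tcp/22 or tcp/5601, 0.0.0.0/0 reaching the VNC port, and the Egress-instead-of-Ingress mistake just described. What follows is an added example, not code from this thread or from Google: it evaluates a list of firewall rules offline the way the VPC does. Only enabled INGRESS rules whose source range contains the client and whose target tags match the instance are candidates; the lowest priority number wins, at equal priority deny beats allow, and with no match the implied deny-ingress rule applies. The JSON field names (direction, sourceRanges, allowed, denied, targetTags, priority, disabled) are what `gcloud compute firewall-rules list --format=json` emits as far as I know; treat that as an assumption and compare with your own output. Rules that select sources by tag or service account are not modelled, and the sample rules and addresses are constructed.

```python
"""Offline check of GCP VPC firewall rules for one ingress path.

Added example, not from this thread or from Google. Assumes the JSON
shape of `gcloud compute firewall-rules list --format=json`; sourceTags
and service-account selectors are not modelled. Sample rules are made up.
"""
import ipaddress
import json
import sys
from typing import Dict, List, Tuple

IAP_TCP_FORWARDING_RANGE = "35.235.240.0/20"   # Cloud IAP TCP forwarding netblock

# Constructed sample in gcloud's JSON shape.
SAMPLE_RULES: List[Dict] = [
    {"name": "default-allow-ssh", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-kibana-from-iap", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": [IAP_TCP_FORWARDING_RANGE], "targetTags": ["kibana"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5601"]}]},
    {"name": "allow-vnc", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5901-5903"]}]},
    {"name": "deny-vnc-scanner", "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["198.51.100.0/24"],
     "denied": [{"IPProtocol": "tcp", "ports": ["5901-5903"]}]},
    # The mistake from the thread: an EGRESS rule does nothing for inbound traffic.
    {"name": "vnc-wrong-direction", "direction": "EGRESS", "priority": 1000,
     "destinationRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5900"]}]},
]


def _matches_port(spec: Dict, proto: str, port: int) -> bool:
    """True if an allowed/denied entry covers proto/port ('8000-8080' ranges included)."""
    if spec["IPProtocol"].lower() not in ("all", proto):
        return False
    ports = spec.get("ports")
    if not ports:                        # no port list means every port of the protocol
        return True
    for entry in ports:
        lo, _, hi = entry.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def ingress_verdict(rules: List[Dict], src_ip: str, proto: str, port: int,
                    instance_tags: Tuple[str, ...] = ()) -> Tuple[str, str]:
    """Return ('allow'|'deny', rule name) for a packet from src_ip to proto/port."""
    src = ipaddress.ip_address(src_ip)
    candidates = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue                     # disabled, or an egress rule: irrelevant inbound
        tags = rule.get("targetTags")
        if tags and not set(tags) & set(instance_tags):
            continue                     # rule targets other instances
        if not any(src in ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])):
            continue
        for action, verdict in (("denied", "deny"), ("allowed", "allow")):
            if any(_matches_port(s, proto, port) for s in rule.get(action, [])):
                # sort key: priority number first, then deny (0) before allow (1)
                candidates.append((int(rule.get("priority", 1000)),
                                   0 if verdict == "deny" else 1, rule["name"], verdict))
    if not candidates:
        return "deny", "implied-deny-ingress"
    candidates.sort()
    _, _, name, verdict = candidates[0]
    return verdict, name


def iap_ssh_allowed(rules: List[Dict], instance_tags: Tuple[str, ...] = ()) -> bool:
    """The check the IAP docs ask for: can the whole 35.235.240.0/20 block reach tcp/22?"""
    net = ipaddress.ip_network(IAP_TCP_FORWARDING_RANGE)
    return all(ingress_verdict(rules, str(ip), "tcp", 22, instance_tags)[0] == "allow"
               for ip in (net[1], net[-2]))   # first and last usable address of the block


if __name__ == "__main__":
    # python3 fwcheck.py rules.json  (rules.json from gcloud ... --format=json)
    rules = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RULES
    print("IAP -> tcp/22:", iap_ssh_allowed(rules))
    print("anyone -> tcp/5901:", ingress_verdict(rules, "203.0.113.9", "tcp", 5901))
    print("anyone -> tcp/5900:", ingress_verdict(rules, "203.0.113.9", "tcp", 5900))
```

With the sample rules, tcp/5900 is denied by the implied rule even though a rule for it exists, because that rule is EGRESS; tcp/5901 is allowed from most sources but the lower-numbered deny wins for 198.51.100.0/24; and the IAP rule for 5601 only helps instances carrying the `kibana` tag. This does not replace Google's own connectivity tests, but it is enough to spot the direction, tag and priority mistakes that this thread keeps running into.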
If anyone already initiated 'https', just disable it and check again.
How can I troubleshoot GCE firewall issues? We're running some GCE servers and connecting to a non-google network via ipsec using google beta vpn service (although I had the same problem with GCE and my own StrongSwan instance in the past and could never fix it there either).
I'm trying to connect to 192.168.4.176 (a linux box with no firewall running) and I'm pretty sure google is blocking the traffic. The VPN is fine. I can ping 192.168.4.180. But I can't ping 192.168.4.176. And nc 192.168.4.176 22 just times out.
I can run a SSL VPN from a gce instance and can ping 192.168.4.176 without issue.
Here's a screenshot of the GCE network. I also tried routes/firewall rules with 192.168.4.1/24 but those didn't work either for connecting to .176 but .180 was fine. Any ideas on what to try?
Here are the gce network details
Here's the gce vpn screen
Here's the gce vpn detail screen
And from the remote network I can ping my 10.x gce instances from 192.168.4.180 (which I should since I'm allowing that). But I can't ping any gce 10.x addresses from 192.168.4.176 (which I interpret that the google firewall is blocking the traffic even though I have it configured to let it through).
Can you confirm that the secret key for the .176 VPN is correctly configured on both ends?
The firewall rule for the .176 VPN: is that added in the GCE firewall section, mapped to the right network where the VPN tunnel was created?
Does the VPN UI status show a Green tick mark for both the tunnels?
You could also View VPN Logs from GCP UI : from the UI Console,left menu Monitoring -> Logs, and then select "Compute Engine"-> "targetVPNgateway" and select the tunnels and "ipsec_events" dropdown. Check the log when you access the .176 VPN to observe the likely packet flow.
I have spun up a micro instance of Windows Server 2008 R2 with SQL Server and IIS installed.
My security group has three inbound rules:
rdp tcp: 3389 0.0.0.0/0
mssql tcp:1433 0.0.0.0/0
http tcp:80 0.0.0.0/0
Outbound is all traffic to 0.0.0.0/0.
I can rdp into other instances which are on a private cloud which is openstack in my college.
I followed the instructions and decrypted the password after downloading the .pem file. I get an error saying I cannot connect. I used this website: http://www.mynetworktest.com/ports.php to check if port 3389 was open on my EC2 instance; it says it is not. I tried changing security groups, but that does not make a difference. The only discrepancy I could determine is when I set up the instance: I have to set 'Auto Assign Public IP' to enabled in order to get a public IP address, something which the Amazon docs do not clarify.
I am out of ideas. Any help appreciated.
It happened to me and this is how I resolved it.
It is likely your Windows firewall is restricting incoming RDP traffic. First, disable the Windows firewall entirely. If you are able to connect after disabling the firewall, then the firewall rules are the issue. Re-enable the firewall and edit its rules to allow incoming RDP traffic.
For Windows and Linux servers, check these things to get remote desktop or SSH working:
1. Check the firewall/iptables.
2. Check the security groups, or which ports are open to which destinations.
3. Check the services and user groups allowed to communicate.
4. Check the service itself.
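The two RDP answers and the earlier nmap suggestion all rest on the same distinction: a port checker that reports "not open" can mean either that nothing answers at all (security group, firewall or missing public IP dropping packets) or that the host answers with a reset (traffic arrives, but the service is not listening). The following is an added example, not code from this thread: it classifies a TCP probe into open, closed or filtered so you know which layer to look at next. To run offline it opens and closes a throwaway listener on 127.0.0.1; a real check is run with a host and port argument from a machine outside the cloud network.

```python
"""Classify a TCP port probe the way an external port checker does.

Added example, not from this thread.
  open      - handshake completed: security group/firewall and service are both fine
  closed    - host replied with RST: packets arrive, but nothing listens on the port
  filtered  - no reply at all: a firewall, security group or missing public IP is
              dropping packets (the usual reason a web checker says 'not open')
"""
import socket
import sys
from typing import Dict, Tuple


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connect and name the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:               # TimeoutError on 3.10+, same thing
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:               # no route, DNS failure, and so on
        return f"unreachable ({exc.strerror or exc})"


def _throwaway_listener() -> Tuple[socket.socket, int]:
    """Bind a listening socket on loopback; port 0 lets the kernel pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def demo() -> Dict[str, str]:
    """Probe the same local port with and without a listener behind it."""
    srv, port = _throwaway_listener()
    try:
        with_listener = probe("127.0.0.1", port)
    finally:
        srv.close()
    without_listener = probe("127.0.0.1", port)   # nothing listens now: expect RST
    return {"open": with_listener, "closed": without_listener}


if __name__ == "__main__":
    # python3 probe.py <host> 3389   from outside the cloud network; no args runs the demo
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        print(demo())
```

The filtered case cannot be produced offline, which is the point: a timeout is the signature of a dropped packet somewhere between you and the instance, and for the question above that is where the security group, the Windows firewall and the "Auto Assign Public IP" setting all sit. A "closed" result instead says the instance is reachable and the Remote Desktop service is what needs attention.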
I started several GCE instances and was unable to connect to even one of them using SSH. For Debian wheezy instances the SSH server appeared not to be running ("nc IP 22" times out). Even though I enabled ICMP in the default network, the Debian instances did not respond to ping.
CentOS instances respond to ping and I was able to get an SSH banner using nc intermittently, but connecting with the ssh command repeatedly timed out.
I suspected a network outage, but "gcutil listzones" showed that all the zones I was using were UP (us-central).
From https://groups.google.com/d/msg/gce-operations/coBWszq91j4/dRPq5_gJ3t4J:
We're investigating an issue with network connectivity to new Google Compute Engine instances. Currently-running instances are not affected. We will provide more information shortly.