What can be the solution to error code 1006 on GCP? - google-cloud-platform

We are trying to access our GCP remote instance; it is Ubuntu 16.04.
It shows error code 1006, as shown in the image. We tried the solution mentioned here but we are still getting the same error.
While accessing it through PuTTY it shows:
Network error: Connection time out

Your custom SSH firewall rule doesn't allow traffic from Google services. SSH connections from the Google Cloud console are refused if custom firewall rules do not allow connections from IAP or Google's IP address range.
To resolve this issue, do one of the following:
If you use Identity-Aware Proxy (IAP) for TCP forwarding, update your custom firewall rule to accept traffic from IAP, then check your IAM permissions.
Update your custom firewall rule to allow traffic from 35.235.240.0/20, the IP address range that IAP uses for TCP forwarding. For more information, see Create a firewall rule.
Grant permissions to use IAP TCP forwarding, if you haven't already done so.
If you don't use IAP, update your custom firewall rule to allow traffic from Google's entire IP range.
Update your custom firewall rule to allow traffic from Google IP addresses. For more information, see Updating firewall rules.
As @Kolban suggested, you can check this documentation on troubleshooting SSH for additional information.

Related

Cannot SSH to google cloud Linux machine

When I attempt to SSH from https://console.cloud.google.com/compute/instances?authuser=0&projec
I get the error:
Connection via Cloud Identity-Aware Proxy Failed
Code: 4010
Reason: destination read failed
Please ensure you can make a proper https connection to the IAP for
TCP hostname: https://tunnel.cloudproxy.app You may be able to connect
without using the Cloud Identity-Aware Proxy.
Though on a separate machine I am able to log in, but the firewall and other settings seem identical?
What should I do to get in?
Krgds.
C
This issue is due to the lack of a firewall rule to allow-ingress-from-iap with this IP range 35.235.240.0/20 that needs to be configured when using IAP (Identity-Aware Proxy).
To allow SSH access to all VM instances in your network, do the following:
1- Open the Firewall Rules page (Navigation menu > VPC network > Firewall) and click Create firewall rule
2- Configure the following settings:
Name: allow-ingress-from-iap
Direction of traffic: Ingress
Target: All instances in the network
Source filter: IP ranges
Source IP ranges: 35.235.240.0/20
Protocols and ports: Select TCP and enter 22 to allow SSH
3- Click Create
My impression is that the root cause was that the Linux box had run out of hard disk space, causing the issues.
So when I recreated the same machine with more disk space, the issue was resolved.

ERR_CONNECTION_REFUSED when allowing https traffic to dataiku instance on GCP

I installed Dataiku on a GCP instance.
It works perfectly fine over HTTP.
Now I am trying to allow HTTPS traffic.
I followed this official doc: https://doc.dataiku.com/dss/latest/installation/custom/advanced-customization.html#configuring-https
But after doing all the mentioned steps, I get ERR_CONNECTION_REFUSED in my browser when opening: https://MyDataikuInstanceIp:1024
Is something more required on GCP in order to allow HTTPS traffic on the instance?
Thanks.
In order to allow HTTPS and HTTP traffic on a GCP instance, follow these steps:
1- Navigate to Compute Engine > VM Instances.
2- Select your instance. Go to Edit.
3- Scroll down and locate Firewalls. Check both "Allow HTTP traffic" and "Allow HTTPS traffic".
4- Save your instance.
To review whether the firewall rule is enabled or disabled, you can use the following command:
gcloud compute firewall-rules describe [FIREWALL-NAME]
Also, if you have created a network tag on your instance, you will need to associate it with your firewall rule so that the target matches.
In the following link you will find more information about how firewall rules work in GCP.
In addition, as a best practice, check that the firewall on your client allows connections through TCP ports 443 and 1024, and that the certificate from your server domain is accepted by your client.
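ERR_CONNECTION_REFUSED and a PuTTY "Connection timed out" are different symptoms pointing at different layers: a refusal means the host was reached and answered with a TCP RST (nothing is listening on that port, or the service is bound only to loopback), while a timeout means the packets were silently dropped, which is how a missing VPC firewall rule or a client-side firewall shows up. The following added example (not part of the original thread or of Dataiku's or Google's tooling) classifies a TCP connect attempt the way a browser or SSH client experiences it and maps the result to what to check next; the `demo()` function builds a constructed local scenario with one listening and one closed loopback port so it runs offline.

```python
import socket
from contextlib import closing


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP connect attempt:
    'open'     - handshake completed
    'refused'  - host answered with RST: reachable, but nothing listening
    'filtered' - no answer before the timeout: packets dropped on the way
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "filtered"


def diagnose(result: str, port: int) -> str:
    """Map the probe outcome to the layer a defender should look at next."""
    if result == "open":
        return f"port {port} reachable; if the browser still fails, check the TLS setup"
    if result == "refused":
        return (f"host reachable but nothing listening on {port}: check that the "
                "service is running and bound to 0.0.0.0, not only 127.0.0.1")
    if result == "filtered":
        return (f"no answer on {port}: check VPC firewall rules and network tags, "
                "then any firewall on the client side")
    return "unknown result"


def demo() -> dict:
    """Constructed local scenario: one port with a listener, one without."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # let the OS pick a free port
    srv.listen(1)
    open_port = srv.getsockname()[1]
    # Reserve a second ephemeral port, then release it so nothing listens there.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return {
            "listening": probe("127.0.0.1", open_port),   # -> "open"
            "closed": probe("127.0.0.1", closed_port),    # -> "refused"
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome} -> {diagnose(outcome, 1024)}")
```

Run it against the real instance with `probe("<instance-ip>", 1024)`: a "refused" there means the VPC firewall is already letting the packet through and the DSS HTTPS listener is what needs attention; a "filtered" result is the case the answer above addresses.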

Lost access to Mongo running on Google Cloud VM and can't ssh to it

I have a mongo instance running on a Google Cloud VM and my application lost access to it overnight. I'm not able to SSH to it and the Cloud console is looking weird.
VM Image: bitnami-mongodb-3-2-1-1-r04-linux-debian-7-x86-64
It first says I don't have permission to access the instance console page, even though I'm the owner of the project and I can see it once I close the modal.
Then when I try to SSH using the built-in SSH tool I first get the following message. I see I have a VPC setup so I'm not really sure if that is actually expected or not.
If I try the alternative method I then get the following:
Does anyone have any hint on what could be the issue?
UPDATE:
VPC firewall settings are set to allow SSH and the target project is set for it with this rule:
I also have an external static IP set for this VM.
Just yesterday I could connect to my mongo instance through port 27017 and it stopped working without touching any GCP configuration.
Based on the information you have provided, it would seem that your GCE VM instance is currently utilizing IAP (Identity-Aware Proxy).
With this in mind, and reviewing the error message you are receiving, it would seem that your firewall rules aren't allowing connections on the SSH port. There should be an ingress rule to allow traffic to the instance on TCP port 22 (SSH) on that VPC network.
Generally, this is automatically created by GCP, on the default network it is typically called "default-allow-ssh", but you can also manually create it in the VPC Network -> Firewall rules tab. Make sure it applies to the instance in question (either through "All targets" or a target tag that matches the instance). You can read more about GCP firewall rules in the documentation.
Likewise, make sure you have an external IP or that you are following one of the options described here.

GCP Identity Aware Proxy won't recognize my created Firewall Rule for allowing access to the ip range '35.235.240.0/20'

I am trying to set up Identity-Aware Proxy (IAP) for a particular VM on GCP and I have set up the firewall rule to allow access from the IP range "35.235.240.0/20", but get the error seen in the image below:
But the firewall rule isn't being recognized by IAP; as seen below, this rule has been added:
Also note that I am using the free GCP $300 account to set this up, so is there a restriction? What am I missing?
When you use IAP for the first time, there are some common misunderstandings:
The ssh command doesn't work alone. You need to create an IAP tunnel first, of course on port 22 of the target instance.
The easiest way is to use the gcloud command gcloud compute ssh <INSTANCE NAME> in your terminal.
If you prefer a new browser window, use the SSH button on the console.
CAUTION
The last 2 solutions work as-is if your Compute Engine instance doesn't have a public IP. In the other case:
Through the console and the SSH button, you can't!
With the gcloud command, force gcloud to use the IAP tunnel by adding the --tunnel-through-iap param like this:
gcloud compute ssh <INSTANCE NAME> --tunnel-through-iap
EDIT
On the IAP page, on the SSH and HTTP tab, you can see a yellow warning sign because your firewall rule is not compliant.
Actually, IAP checks whether the firewall rule for IAP allows ALL the TCP ports. If not, you get a warning.
In the end it's not a problem: if you only need to use IAP for ports 22 and 3389 (for example), you can allow only these ports and the IAP tunnel will work only for these 2 ports. You will continue to see the warning, but don't worry about it; it works for what you want!

How can I set SSH firewall rule on Google VM so that only my office computers can access the VM over SSH?

In the last few days my Google VM has continuously been compromised. I have received a warning and faced suspension of the VM by Google saying "cryptocurrency mining activities was found on VM". I suspect someone has hacked my VM and is doing this activity. So, now I want to create a new VM with a secure SSH firewall such that only a limited set of computers can access the VM.
I have tried setting the IP of my office routers in the firewall SSH allow rule, but after setting this rule SSH connections to the VM still get established from other IP addresses. I just want to specify two IPs in the firewall rule, but it expects IP ranges in CIDR format (which I am not clear about).
I have also found some suggestions that I should change the SSH port of the VM.
Can anybody please explain how I can restrict access to my Google VM to only a specific set of computers when these computers are connected to a router and the external IP is the same for all of them, i.e. that of the router?
Thanks
I understand you want to create a new VM with a secure SSH firewall and want to restrict access to particular IP addresses of your office router.
To do that you can create firewall rules as explained here [1]. To manage access for a specific instance, I recommend you use network tags for firewall rules [2].
Going back to your concern that SSH connections to the VM still get established from other IP addresses even when you create the firewall rule for the specific IP address, the reason might be this:
Every project you create in GCP comes with the default firewall rules.
So there might be a default-allow-ssh rule which you need to block; I guess that might be causing the issue. Note that the default network includes some additional rules that override this one, allowing certain types of incoming traffic. See the attached links [3][4] for more details.
[3] https://cloud.google.com/vpc/docs/firewalls#default_firewall_rules
[4] https://cloud.google.com/vpc/docs/firewalls#more_rules_default_vpc
You can also add a guest-level firewall rule using, for example, "iptables" to add another security level to your VM instance. However, the GCP project-level firewall rule takes care of inspecting network traffic before it reaches your VM instances. The operating system firewall blocks all internet traffic to port 22.
In order to allow a specific address to connect to your VM instance, you may add a /32 CIDR in the "IP ranges" value of your "default-allow-ssh" GCP firewall rule. For example, 45.56.122.7/32 and 208.43.25.31/32.
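Three answers in this thread come down to how VPC ingress rules are evaluated: the allow-ingress-from-iap recipe (a rule admitting 35.235.240.0/20 on tcp:22), the IAP page's yellow warning (it wants the IAP range allowed on every TCP port, though a port-limited rule still tunnels on those ports), and the office-restriction problem just above (a /32 rule for the office IPs does nothing while a lower-priority default-allow-ssh from 0.0.0.0/0 still matches). The following added example is not Google's code or API; it is a simplified model of GCP semantics (highest-priority matching rule wins, no match means the implied deny-ingress) with constructed rule sets, so each situation can be replayed offline. The office IPs are the two from the answer; `203.0.113.9` and `35.235.240.5` are constructed sample sources; `Rule`, `evaluate`, `host_to_cidr` and `iap_rule_warning` are names chosen here.

```python
import ipaddress
from dataclasses import dataclass

# Source range IAP uses for TCP forwarding (value quoted in the answers above).
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")


@dataclass
class Rule:
    """Simplified VPC ingress rule (hypothetical model, not the GCP API)."""
    name: str
    action: str = "allow"                   # "allow" or "deny"
    priority: int = 1000                    # lower number wins, as in GCP
    source_ranges: tuple = ("0.0.0.0/0",)   # CIDR strings
    tcp_ports: tuple = ()                   # empty = all TCP ports
    target_tags: tuple = ()                 # empty = all instances in the network

    def matches(self, src_ip: str, port: int, instance_tags: tuple) -> bool:
        ip = ipaddress.ip_address(src_ip)
        if not any(ip in ipaddress.ip_network(r) for r in self.source_ranges):
            return False
        if self.tcp_ports and port not in self.tcp_ports:
            return False
        if self.target_tags and not set(self.target_tags) & set(instance_tags):
            return False
        return True


def evaluate(rules, src_ip: str, port: int, instance_tags: tuple = ()):
    """Highest-priority matching rule decides; with no match the implied
    deny-ingress rule applies. Returns (action, rule name)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, port, instance_tags):
            return rule.action, rule.name
    return "deny", "implied-deny-ingress"


def host_to_cidr(ip: str) -> str:
    """A single address in CIDR form is a /32, which the 'IP ranges' field expects."""
    return str(ipaddress.ip_network(f"{ip}/32"))


def iap_rule_warning(rules) -> bool:
    """True when no allow rule admits the whole IAP range on every TCP port,
    the condition behind the yellow warning on the IAP page (page's description)."""
    for r in rules:
        if r.action != "allow" or r.tcp_ports:       # port-limited rules don't satisfy it
            continue
        if any(IAP_RANGE.subnet_of(ipaddress.ip_network(s)) for s in r.source_ranges):
            return False
    return True


def scenarios() -> dict:
    """Constructed rule sets mirroring the situations in the thread."""
    office = Rule("office-ssh", tcp_ports=(22,),
                  source_ranges=(host_to_cidr("45.56.122.7"), host_to_cidr("208.43.25.31")))
    default_ssh = Rule("default-allow-ssh", priority=65534, tcp_ports=(22,))
    iap_22 = Rule("allow-ingress-from-iap", source_ranges=(str(IAP_RANGE),), tcp_ports=(22,))
    iap_all = Rule("allow-ingress-from-iap", source_ranges=(str(IAP_RANGE),))
    stranger, iap_src = "203.0.113.9", "35.235.240.5"      # constructed sample sources
    return {
        "stranger_with_default_rule": evaluate([office, default_ssh], stranger, 22),
        "stranger_after_removing_default": evaluate([office], stranger, 22),
        "office_ip": evaluate([office], "45.56.122.7", 22),
        "iap_without_rule": evaluate([office], iap_src, 22),
        "iap_with_port22_rule": evaluate([office, iap_22], iap_src, 22),
        "warning_port22_only": iap_rule_warning([office, iap_22]),
        "warning_all_ports": iap_rule_warning([office, iap_all]),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The first two scenarios are the answer's point in executable form: the office /32 rule is matched first for office traffic, but a stranger still gets in through default-allow-ssh until that rule is removed or overridden by a higher-priority deny. The last two show why the IAP warning persists with a tcp:22-only rule even though the tunnel on port 22 is allowed.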