ERR_CONNECTION_REFUSED when allowing https traffic to dataiku instance on GCP - google-cloud-platform

I installed Dataiku on a GCP instance.
It works perfectly fine over HTTP.
Now I am trying to allow HTTPS traffic.
I followed this official doc: https://doc.dataiku.com/dss/latest/installation/custom/advanced-customization.html#configuring-https
But after doing all the mentioned steps, I get ERR_CONNECTION_REFUSED in my browser when opening: https://MyDataikuInstanceIp:1024
Is something more required on GCP in order to allow HTTPS traffic on the instance?
Thanks.

In order to allow HTTPS and HTTP traffic on a GCP instance, you should follow these steps:
Navigate to Compute Engine > VM Instances.
Select your instance. Go to Edit.
Scroll down and locate Firewalls. Check both "Allow HTTP traffic" and "Allow HTTPS traffic".
Save your instance.
To review whether the firewall rule is enabled or disabled, you can use the following command:
gcloud compute firewall-rules describe [FIREWALL-NAME]
Also, if you have created a network tag in your instance, you will need to associate it to your firewall rule to match the target.
In the following link, you will find more information about how the firewall rules work in GCP
In addition, as a best practice, check that the firewall on your client allows connections through TCP ports 443 and 1024, and that the certificate from your server domain is allowed in your client.

Related

What can be the solution to error code 1006 on GCP?

We are trying to access our remote GCP instance, which runs Ubuntu 16.04.
It shows error code 1006, as shown in the image. We tried the solution mentioned here, but we are still getting the same error.
While accessing it through PuTTY it shows:
Network error: Connection time out
Your custom SSH firewall rule doesn't allow traffic from Google services. SSH connections from the Google Cloud console are refused if custom firewall rules do not allow connections from IAP or Google's IP address range.
To resolve this issue, do one of the following:
If you use Identity-Aware Proxy (IAP) for TCP forwarding, update your custom firewall rule to accept traffic from IAP, then check your IAM permissions.
Update your custom firewall rule to allow traffic from 35.235.240.0/20, the IP address range that IAP uses for TCP forwarding. For more information, see Create a firewall rule.
Grant permissions to use IAP TCP forwarding, if you haven't already done so.
If you don't use IAP, update your custom firewall rule to allow traffic from Google's entire IP range.
Update your custom firewall rule to allow traffic from Google IP addresses. For more information, see Updating firewall rules.
As @Kolban suggested, you can check this documentation for troubleshooting SSH for additional information.

AWS EC2 instance "This site can't be reached", though I do have the ports 80 and 443 open

I have been looking for help with this problem, and the answers just say to add inbound rules to the security group. Well, I have done those and I am still unable to access my website from the public DNS (just putting that into the url box and navigating to it). There are multiple port 22 inbound rules for the people accessing my server, and the outbound rule is just "All traffic".
I've had this problem running Wordpress on EC2 instances. Things I'd try:
Access the instance via ssh. Check out https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html
If you're accessing through ssh, maybe it's because your disk is full. To check this you can run df -h on your Amazon EC2 server.
I tried accessing my newly set up AWS EC2 instance and I had this same issue. I later realised I was accessing the public DNS via HTTPS, which had not been set up. When I changed the URL to use HTTP, it worked. Make sure to configure HTTP in the security group.

Connection via Cloud Identity-Aware Proxy Failed

I am getting the following disconnection issues in the GCP Jupyter notebook.
error code: 4010
and
error code: 1006
Can you please suggest some solution?
As part of the IAP configuration steps, you should create a firewall rule that allows ingress traffic to the SSH port from the IAP address range:
GCP Console => VPC network => Firewall rules => Create Firewall Rule
Name: allow-ingress-from-iap
Direction of traffic: Ingress
Target: All instances in the network
Source filter: IP ranges
Source IP ranges: 35.235.240.0/20
Protocols and ports: select TCP and enter 22 to allow SSH
Identity-Aware Proxy > Doc > Setting up IAP for Compute Engine
The error 1006 appears in the GCP Console UI after 1 hour of inactivity of the SSH session via IAP with VMs with Internal IP only, and this is a session timeout on the Google side.
As @mebius99 has mentioned, IAP (Identity-Aware Proxy) requests come from the IP address range 35.235.240.0/20.
Your network firewall must allow these requests to be able to SSH through IAP.
One way to do that (create a firewall rule) is to run the gcloud compute firewall-rules create command.
To do that, first open Cloud Shell in the Google Cloud console.
Then, once Cloud Shell opens, run the following:
gcloud compute firewall-rules create ssh-ingress-from-iap --allow=tcp:22 --source-ranges 35.235.240.0/20 --network [network-name]
Replace [network-name] with your network name (the default VPC network is named: default).
If the above solution doesn't work (or you have a similar firewall rule in place already), consider checking the network tags (on the firewall rules and the VM). It may be the case that your firewall rule allows the requests only to certain instances that have some tags, and the instance you're trying to SSH into doesn't.
For me the error 1006 was related to system Time. I had changed the system time manually to another time zone. SSH worked when system time was sy
Create a firewall for port 22 and add this IP: 35.235.240.0/20
Attach it to all VMs so you will be able to establish a connection.

Access localhost on Google Cloud instance using External IP

There are many similar questions to this on SO, but none of the solutions I saw really solved my issue completely. I'm doing test runs for a website framework hosted on the Google Cloud Platform.
By default, the website is hosted on http://localhost:2800, and I know the external IP of the instance I'm running it on. How can I access the hosted website through a browser on my local machine? Do I use virtual hosts / port forwarding etc.?
Go to your VPC firewall
https://console.cloud.google.com/networking/firewalls
and create a firewall rule to allow traffic on your desired TCP port.
Create a Firewall Rule for SQL Server
Configure a firewall rule to allow traffic on port 1433 so other clients can connect to the newly created SQL Server instance over the public internet:
In the Developers Console main menu, go to the Firewall rules section.
Click the Add firewall rule button.
Name the new firewall rule allow-tcp-1433.
Set Source Filter to IP Ranges.
For Source IP Ranges enter 0.0.0.0/0. This value allows access by all IP addresses.
Warning: This configuration leaves your SQL Server instance open to traffic from everyone, everywhere. It is used only for demonstration purposes. In production environments, restrict access to only those IP addresses that need access.
For Allowed protocols and ports enter tcp:1433.
Click the Create button to create the firewall rule.
Set firewall rules for your Google Cloud project with the following properties:
Target: all instances
Direction: ingress
Source IP ranges: 0.0.0.0/0
Ports and protocols: allow all
Then, depending on your framework, set allowed_host to externalIP or "*".
For example, in Django, in settings.py set ALLOWED_HOSTS = ["*"]
Now run the server on 0.0.0.0:[your_port]
For example, in Django: python manage.py runserver 0.0.0.0:8000
After this, note down your instance's external IP address and then, in your browser, go to
[external-IP]:[your_port]
You have to go to VPC network, then add a firewall rule to allow your port. Then don't forget to select [All instances in the network] (see pic), because by default its value is [Specified by tags].
Then you can access that instance via its external IP.
Try your [externalip]:[port]. This worked for me in Amazon EC2.
example: 31.181.171.141:2800

Expose ports on google cloud vm

I have two projects on Google Cloud. The first one was set up 15 hours ago and is working fine; port 8080 is exposed properly and I can access it.
Right now I'm trying to do absolutely the same with another project. I've created the same VM instance there with the same configs and entered the same commands over an SSH connection. But I can't connect the app to this server.
I've tried to create another VM instance in the first project and it works, but whatever I create in the second project, I can't get access to it.
I assume something is wrong with the project configs, and therefore no details about the VM's contents are provided.
TL;DR - Double check and compare your firewall rules in both the projects. You're most likely missing firewall rules to allow incoming traffic to port 8080 on your instances in the project where it is not working, whereas the other project has these rules configured.
Default Firewall rules
Google Compute Engine firewall by default blocks all ingress traffic (i.e. incoming network traffic) to your Virtual Machines. If your VM is created on the default network (which is usually the case), a few ports such as 22 (SSH) and 3389 (RDP) are allowed.
The default firewall rules are described here.
Opening ports for ingress
The ingress firewall rules are described in detail here.
The recommended approach is to create a firewall rule which allows incoming traffic to your VMs (containing a specific tag you choose) on port 8080. You can then associate this tag only to the VMs where you will want to allow ingress 8080.
The steps to do this using gcloud:
# Create a new firewall rule that allows INGRESS tcp:8080 with VMs containing tag 'allow-tcp-8080'
gcloud compute firewall-rules create rule-allow-tcp-8080 --source-ranges 0.0.0.0/0 --target-tags allow-tcp-8080 --allow tcp:8080
# Add the 'allow-tcp-8080' tag to a VM named VM_NAME
gcloud compute instances add-tags VM_NAME --tags allow-tcp-8080
# If you want to list all the GCE firewall rules
gcloud compute firewall-rules list
Here is another stack overflow answer which walks you through how to allow ingress traffic on specific ports to your VM using Cloud Console Web UI (in addition to gcloud).
Operating System level firewall rules
Since you have not mentioned if you're using any of the public Google Compute Engine images or Container-Optimized OS images or a custom image of your choice, I also wanted to mention that even if you configure GCE firewall rules to allow incoming traffic to reach your VM, your OS level firewall could still very well reject the traffic.
Google's Container-Optimized OS images have this feature turned on where it blocks all ingress ports except for port 22 (SSH).
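Several answers on this page come down to the same check: does an ingress rule's target tag, source range and port actually match the VM and the client? The following is an added example, not code from any of the posts, that evaluates rules shaped like the output of gcloud compute firewall-rules list --format=json. The sample rules and the iap-ssh tag are constructed; the evaluator assumes tag-based targets and IP source ranges only (no source tags or service accounts).

```python
import ipaddress

def _port_match(allowed_ports, port):
    """True if port falls in an entry like "80" or "8000-9000"; no list means all ports."""
    if not allowed_ports:
        return True
    for spec in allowed_ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _applies(rule, instance_tags, source_ip, port, proto):
    """Does this rule target the instance (by tag) and match the packet?"""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    targets = rule.get("targetTags")
    if targets and not set(targets) & set(instance_tags):
        return False  # rule is scoped to tags this VM does not carry
    src = ipaddress.ip_address(source_ip)
    if not any(src in ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])):
        return False
    entries = rule.get("allowed") or rule.get("denied") or []
    return any(e["IPProtocol"] in (proto, "all") and _port_match(e.get("ports"), port)
               for e in entries)

def evaluate_ingress(rules, instance_tags, source_ip, port, proto="tcp"):
    """Return (verdict, rule_name): lowest priority number wins, deny beats allow on a tie."""
    hits = [r for r in rules if _applies(r, instance_tags, source_ip, port, proto)]
    if not hits:
        return ("deny", "implied-deny-ingress")
    best = min(hits, key=lambda r: (r.get("priority", 1000), "denied" not in r))
    return ("deny" if "denied" in best else "allow", best["name"])

# Constructed sample rules (not from the page), shaped like the gcloud JSON export.
RULES = [
    {"name": "ssh-ingress-from-iap", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["35.235.240.0/20"], "targetTags": ["iap-ssh"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "rule-allow-tcp-8080", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["allow-tcp-8080"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
]
```

A result of ("deny", "implied-deny-ingress") for a VM you expected to reach means no rule matched at all, which is the missing-tag case described in the answers above.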