Connection via Cloud Identity-Aware Proxy Failed - google-cloud-platform

I am getting the following disconnection issues in the GCP Jupiter notebook.
error code: 4010
and
error code: 1006
Can you please suggest some solution?

As part of the IAP configuration steps, you should create a firewall rule that allows ingress traffic to the SSH port from the IAP address range:
GCP Console => VPC network => Firewall rules => Create Firewall Rule
Name: allow-ingress-from-iap
Direction of traffic: Ingress
Target: All instances in the network
Source filter: IP ranges
Source IP ranges: 35.235.240.0/20
Protocols and ports: select TCP and enter 22 to allow SSH
Identity-Aware Proxy > Doc > Setting up IAP for Compute Engine
The error 1006 appears in the GCP Console UI after 1 hour of inactivity of the SSH session via IAP with VMs with Internal IP only, and this is a session timeout on the Google side.

As #mebius99 has mentioned, IAP (Identity-Aware Proxy) requests come from the IP address range 35.235.240.0/20.
Your network firewall must allow these requests to be able to SSH through IAP.
One way to do that (create a firewall-rule) is to run gcloud compute firewall-rules create command.
To do that, first open the cloud shell on the Google cloud console,
Then once the cloud shell opens up, run the following:
gcloud compute firewall-rules create ssh-ingress-from-iap --allow=tcp:22 --source-ranges 35.235.240.0/20 --network [network-name]
Replace [network-name] with your network name (the default VPC network is named: default)
If the above solution doesn't work (or have a similar firewall rule in place already), consider checking the network tags (on the firewall-rules and the VM). It maybe the case that your firewall-rule is allowing the requests to only certain instances that has some tags and the instance you're trying to SSH into doesn't.

For me the error 1006 was related to system Time. I had changed the system time manually to another time zone. SSH worked when system time was sy

Create a firewall for port 22 and add this IP 35.235.240.0/20
attach it to all VM so you will able to establish connection

Related

Cannot SSH to google cloud Linux machine

When i attempt to SSH from https://console.cloud.google.com/compute/instances?authuser=0&projec
I get the error:
Connection via Cloud Identity-Aware Proxy Failed
Code: 4010
Reason: destination read failed
Please ensure you can make a proper https connection to the IAP for
TCP hostname: https://tunnel.cloudproxy.app You may be able to connect
without using the Cloud Identity-Aware Proxy.
Though on a seperate machine i am able to login, but Firewall and other settings seem identical ?
What should i do to get in ?
Krgds.
C
This issue is due to the lack of a firewall rule to allow-ingress-from-iap with this IP range 35.235.240.0/20 that needs to be configured when using IAP (Identity-Aware Proxy).
To Allow SSH access to all VM instances in your network, do the following:
1- Open the Firewall Rules page (Navigation menu > VPC network > Firewall) and click Create firewall rule
2- Configure the following settings:
Name: allow-ingress-from-iap
Direction of traffic: Ingress
Target: All instances in the network
Source filter: IP ranges
Source IP ranges: 35.235.240.0/20
Protocols and ports: Select TCP and enter 22 to allow SSH
3- Click Create
My impression is that the root casuse, was the the linux box had run out of hard disk space, causing the issues.
So when i recreated the same machine, with more disk space, the issue was resolved.

Code: 4010 - Connection via Cloud Identity-Aware Proxy Failed

I have seen a similar error on stackoverflow, but with a different code (so maybe it is not the same?). Any how I have been thrown this error spontaneously. Sometimes after 20 seconds of starting my instance (and launching SSH in browser), sometimes after 30 minutes, but it completely shuts down my instance.
Connection via Cloud Identity-Aware Proxy Failed
Code: 4010
Reason: destination read failed
You may be able to connect without using the Cloud Identity-Aware Proxy.
If I click the "Cloud Identity-Aware Proxy" button I am getting:
Connection Failed
We are unable to connect to the VM on port 22. Learn more about possible causes of this issue.
Any idea what is happening? I havn't done any changes in my instance settings for a long time.
The issue regarding the Identity-Aware Proxy(IAP) connection to the instance is due to the lack of a firewall rule allow-ingress-from-iap with this IP ranges 35.235.240.0/20 that needs to be configured when using IAP.
To Allow SSH access to all VM instances in your network, do the following:
1- Open the Firewall Rules page (Navigation menu > VPC network > Firewall) and click Create firewall rule
2- Configure the following settings:
Name: allow-ingress-from-iap
Direction of traffic: Ingress
Target: All instances in the network
Source filter: IP ranges
Source IP ranges: 35.235.240.0/20
Protocols and ports: Select TCP and enter 22 to allow SSH
3- Click Create

GCP instance ubuntu connection refused using ssh and terminal?

I was using digitalocean and want to try out gcp compute instance. I created an ubuntu instance, did cat ~/.ssh/id_rsa.pub in my terminal and added onto the instance. Then I tried ssh james#external ip in my terminal (I'm using mac) but it just hang there.. then a min later, I got Connection refused error. What's wrong?
There are numerous possible reasons for this, but mostly likely you're missing a firewall rule to allow connections from the outside:
gcloud compute firewall-rules create default-allow-ssh --allow tcp:22
If this doesn't help, check out the Troubleshooting SSH article in the GCP docs.
First check your network can communicate to compute engine via simple ping command.
ping <GCE external IP>
or
telnet <GCE external IP> 22
If you getting request timed out then most probably firewall issue. go to cloud console and create/update firewall rule under VPC section. search tcp:22 in firewalls section and edit/create firewall rule (add your IP ranges into source IP range section) for ssh connection.
refer: https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create

Expose ports on google cloud vm

I have two projects on google cloud. First one has been set up 15 hours ago and working fine, port 8080 is expose properly and i can access it.
Right now i'm trying to do absolutely the same with another project. I've created the same instance of vm in there with the same configs, entered the same commands using ssh connection. But i can't connect app to this server.
I've tried to create another instance of the vm on first project and it works, but whatever i create on the second project - i can't get access to it.
I assume, something wrong with the project configs, and therefore no details about VM's contents are provided.
TL;DR - Double check and compare your firewall rules in both the projects. You're most likely missing firewall rules to allow incoming traffic to port 8080 on your instances in the project where it is not working, whereas the other project has these rules configured.
Default Firewall rules
Google Compute Engine firewall by default blocks all ingress traffic (i.e. incoming network traffic) to your Virtual Machines. If your VM is created on the default network (which is usually the case), few ports like 22 (ssh), 3389 (RDP) are allowed.
The default firewall rules are described here.
Opening ports for ingress
The ingress firewall rules are described in detail here.
The recommended approach is to create a firewall rule which allows incoming traffic to your VMs (containing a specific tag you choose) on port 8080 . You can then associate this tag only to the VMs where you will want to allow ingress 8080.
The steps to do this using gcloud:
# Create a new firewall rule that allows INGRESS tcp:8080 with VMs containing tag 'allow-tcp-8080'
gcloud compute firewall-rules create rule-allow-tcp-8080 --source-ranges 0.0.0.0/0 --target-tags allow-tcp-8080 --allow tcp:8080
# Add the 'allow-tcp-8080' tag to a VM named VM_NAME
gcloud compute instances add-tags VM_NAME --tags allow-tcp-8080
# If you want to list all the GCE firewall rules
gcloud compute firewall-rules list
Here is another stack overflow answer which walks you through how to allow ingress traffic on specific ports to your VM using Cloud Console Web UI (in addition to gcloud).
Operating System level firewall rules
Since you have not mentioned if you're using any of the public Google Compute Engine images or Container-Optimized OS images or a custom image of your choice, I also wanted to mention that even if you configure GCE firewall rules to allow incoming traffic to reach your VM, your OS level firewall could still very well reject the traffic.
Google's Container-Optimized OS images have this feature turned on where it blocks all ingress ports except for port 22 (SSH).

Accessing Tensorboard on AWS

I'm trying to access Tensorboard on AWS. Here is my setting :
Tensorboard : tensorboard --host 0.0.0.0 --logdir=train :
Starting TensorBoard b'39' on port 6006 (You can navigate to
http://172.31.18.170:6006)
AWS Security groups (in):
HTTPS TCP 443 0.0.0.0/0
Custom_TCP TCP 6006 0.0.0.0/0
However connecting to ec2-blabla.us-west-1.compute.amazonaws.com:6006 I can't see anything, I basically can't connect.
Do you have any idea?
You can use ssh tunneling technique.
In your terminal:
ssh -i /path/to/your/AWS/key/file -NL 6006:localhost:6006 user#host
where:
user and host: your aws ec2 user and instance specific.
-N: don't execute a remote command (just forward ports)
-L: [bind_address:]port:host:hostport
After that, browse to http://localhost:6006/
Run tensorboard in your ec2 terminal (you can custom logdir and port)
tensorboard --logdir=data/model --port=8080
Find your workstations public ip (a.b.c.d) address by visiting http://ip4.me/
Access the security group configuration assigned to your EC2 and add a custom TCP rule to your inbound traffic.
Outbound should be set to allow traffic from tensorboard port. (In this case 8080). Or you just allow all outgoing traffic from your EC2 instance
Protocol Port Range Destination Description
All traffic All All 0.0.0.0/0
Use your public DNS to access tensorboard from your workstation
http://ec2-xx-xxx-xx-xx.compute-1.amazonaws.com:8080/
Fast (but unsecure) solution:
Run:
tensorboard --logdir=/training --host=0.0.0.0 --port=8080
on your AWS instance.
Make sure that both your inbound and outbound rules on AWS console (control center) are as unrestricted as possible (allow all types, all ports etc.). However, keep in mind that this solution is not recommendable for environments requiring security (in our case, we didn't consider security for training an NN).
An attempt to explain why this works: when the policy is set as described, AWS still seems to prohibit inbound/outbound connections on the standard tensorboard port 6006. This does not seem to apply to the port 8080.
Long (but more secure) solution:
See: https://blog.altoros.com/getting-started-with-a-cpu-enabled-tensorflow-instance-on-aws.html
(provides explanations for setting ports correctly on AWS)
I managed to set it up like this:
Go to security groups in your ec2 console:
Choose the relevant security group in the table, click edit.
Add a rule like this:
Start tensorboard: tensorboard --logdir tf_summary/ --port 8080
Find out the URL of your instance and visit http://yourURL:8080
Simply run the tensorboard without the host parameter (which poses restrictions)
tensorboard --logdir XXX --port 6006
I suffered from the same problem for several days.
Fortunately I solved this issue by adding rule on "AWS Outbound rule" as if I had added "AWS Inbound rule".
Regardless of this setting, it works at home.
The same error is still happening only in the company.