Expose ports on google cloud vm - google-cloud-platform

I have two projects on Google Cloud. The first one was set up 15 hours ago and is working fine: port 8080 is exposed properly and I can access it.
Right now I'm trying to do absolutely the same with another project. I've created the same VM instance there with the same configs and entered the same commands over the SSH connection. But I can't connect the app to this server.
I've tried to create another instance of the VM on the first project and it works, but whatever I create on the second project, I can't get access to it.
I assume, something wrong with the project configs, and therefore no details about VM's contents are provided.

TL;DR - Double check and compare your firewall rules in both the projects. You're most likely missing firewall rules to allow incoming traffic to port 8080 on your instances in the project where it is not working, whereas the other project has these rules configured.
Default Firewall rules
Google Compute Engine's firewall by default blocks all ingress traffic (i.e. incoming network traffic) to your Virtual Machines. If your VM is created on the default network (which is usually the case), a few ports such as 22 (SSH) and 3389 (RDP) are allowed.
The default firewall rules are described here.
Opening ports for ingress
The ingress firewall rules are described in detail here.
The recommended approach is to create a firewall rule which allows incoming traffic on port 8080 to your VMs that carry a specific tag you choose. You can then associate this tag only with the VMs where you want to allow ingress on 8080.
The steps to do this using gcloud:
# Create a new firewall rule that allows INGRESS tcp:8080 with VMs containing tag 'allow-tcp-8080'
gcloud compute firewall-rules create rule-allow-tcp-8080 --source-ranges 0.0.0.0/0 --target-tags allow-tcp-8080 --allow tcp:8080
# Add the 'allow-tcp-8080' tag to a VM named VM_NAME
gcloud compute instances add-tags VM_NAME --tags allow-tcp-8080
# If you want to list all the GCE firewall rules
gcloud compute firewall-rules list
Here is another stack overflow answer which walks you through how to allow ingress traffic on specific ports to your VM using Cloud Console Web UI (in addition to gcloud).
Operating System level firewall rules
Since you have not mentioned whether you're using one of the public Google Compute Engine images, a Container-Optimized OS image or a custom image of your choice, I also wanted to mention that even if you configure GCE firewall rules to allow incoming traffic to reach your VM, your OS-level firewall could still very well reject the traffic.
Google's Container-Optimized OS images have this feature turned on where it blocks all ingress ports except for port 22 (SSH).

Related

ERR_CONNECTION_REFUSED when allowing https traffic to dataiku instance on GCP

I installed dataiku on GCP instance.
It works perfectly fine on http protocol.
Now I am trying to allow https traffic.
I followed this official doc: https://doc.dataiku.com/dss/latest/installation/custom/advanced-customization.html#configuring-https
But after doing all the mentioned steps, I have an ERR_CONNECTION_REFUSED on my browser when doing: https://MyDataikuInstanceIp:1024
Is something more required on GCP in order to allow https traffic on the instance ?
Thanks.
In order to allow HTTPS and HTTP traffic on a GCP instance, you should follow these steps:
Navigate to Compute Engine > VM Instances.
Select your instance. Go to Edit.
Scroll down and locate Firewalls. Check both "Allow HTTP traffic" and "Allow HTTPS traffic".
Save your instance.
To review whether the firewall rule is enabled or disabled, you can use the following command:
gcloud compute firewall-rules describe [FIREWALL-NAME]
Also, if you have created a network tag in your instance, you will need to associate it to your firewall rule to match the target.
In the following link, you will find more information about how the firewall rules work in GCP
In addition, as a best practice, check whether the firewall on your client allows connections on TCP ports 443 and 1024, and whether the certificate for your server domain is allowed in your client.

Lost access to Mongo running on Google Cloud VM and can't ssh to it

I have a Mongo instance running on a Google Cloud VM and my application lost access to it overnight. I'm not able to SSH to it and the Cloud Console is looking weird.
VM Image: bitnami-mongodb-3-2-1-1-r04-linux-debian-7-x86-64
It first says I don't have permission to access the instance console page, even though I'm the owner of the project and I can see it once I close the modal.
Then when I try to SSH using the built-in SSH tool I first get the following message. I see I have a VPC setup so I'm not really sure if that is actually expected or not.
If I try the alternative method I then get the following:
Does anyone have any hint on what could be the issue?
UPDATE:
VPC Firewall settings are set to allow SSH and the target project is set for it this rule:
I also have an external static IP set for this VM.
Just yesterday I could connect to my Mongo instance through port 27017 and it stopped working without touching any GCP configuration.
Based on the information you have provided, it would seem that your GCE VM instance is currently utilizing IAP (Identity-Aware Proxy).
With this in mind, and reviewing the error message you are receiving, it would seem that your firewall rules aren't allowing connections on the SSH port. There should be an ingress rule to allow traffic to the instance on TCP port 22 (SSH) on that VPC network.
Generally, this is automatically created by GCP, on the default network it is typically called "default-allow-ssh", but you can also manually create it in the VPC Network -> Firewall rules tab. Make sure it applies to the instance in question (either through "All targets" or a target tag that matches the instance). You can read more about GCP firewall rules in the documentation.
Likewise, make sure you have an external IP or that you are following one of the options described here.

Connection via Cloud Identity-Aware Proxy Failed

I am getting the following disconnection issues in the GCP Jupyter notebook.
error code: 4010
and
error code: 1006
Can you please suggest some solution?
As part of the IAP configuration steps, you should create a firewall rule that allows ingress traffic to the SSH port from the IAP address range:
GCP Console => VPC network => Firewall rules => Create Firewall Rule
Name: allow-ingress-from-iap
Direction of traffic: Ingress
Target: All instances in the network
Source filter: IP ranges
Source IP ranges: 35.235.240.0/20
Protocols and ports: select TCP and enter 22 to allow SSH
Identity-Aware Proxy > Doc > Setting up IAP for Compute Engine
The error 1006 appears in the GCP Console UI after 1 hour of inactivity of the SSH session via IAP with VMs with Internal IP only, and this is a session timeout on the Google side.
As #mebius99 has mentioned, IAP (Identity-Aware Proxy) requests come from the IP address range 35.235.240.0/20.
Your network firewall must allow these requests to be able to SSH through IAP.
One way to do that (create a firewall-rule) is to run gcloud compute firewall-rules create command.
To do that, first open the cloud shell on the Google cloud console,
Then once the cloud shell opens up, run the following:
gcloud compute firewall-rules create ssh-ingress-from-iap --allow=tcp:22 --source-ranges 35.235.240.0/20 --network [network-name]
Replace [network-name] with your network name (the default VPC network is named: default)
If the above solution doesn't work (or you already have a similar firewall rule in place), consider checking the network tags (on the firewall rules and the VM). It may be the case that your firewall rule allows the requests only to certain instances that have some tags, and the instance you're trying to SSH into doesn't.
For me the error 1006 was related to system Time. I had changed the system time manually to another time zone. SSH worked when system time was sy
Create a firewall rule for port 22 and add this IP range: 35.235.240.0/20.
Attach it to all VMs so you will be able to establish a connection.

Is it recommended to Install and configure UFW for a new Django project on Google Cloud Platform?

I'm deploying a new project on Google Cloud Platform using Django certified by Bitnami, which comes with pre-installed Debian 9, Apache, MySQL and Python. My end goal is to build a web application, but nothing is close to production yet and I'm still running on an ephemeral external IP address assigned to the VM instance. So my question is: is it recommended to install ufw (Uncomplicated Firewall)?
There's no need to use a separate firewall because your instance is already protected by the GCP firewall:
GCP firewall blocks all incoming traffic to the instances by default unless explicitly allowed by a firewall rule;
Rules allow incoming traffic from an IP range, a list of protocols (ICMP, TCP and UDP) and a list of ports, and they can be restricted to some instances by using Network tags.
More information you can find at the documentation:
Firewall rules overview
Using firewall rules
VPC network overview
You can check current firewall rules at VPC network -> Firewall rules.

How to open a specific port such as 9090 in Google Compute Engine

I have 2 Google Compute Engine instances and I want to open port 9090 in both the instances. I think we need to add some firewall rules.
Can you tell me how can I do that?
You need to:
Go to cloud.google.com
Go to my Console
Choose your Project
Choose Networking > VPC network
Choose "Firewall"
Choose "Create Firewall Rule"
To apply the rule to select VM instances, select Targets > "Specified target tags", and enter into "Target tags" the name of the tag. This tag will be used to apply the new firewall rule onto whichever instance you'd like. Then, make sure the instances have the network tag applied.
Set Source IP ranges to allow traffic from all IPs: 0.0.0.0/0
To allow incoming TCP connections to port 9090, in "Protocols and Ports", check “tcp” and enter 9090
Click Create (or click “Equivalent Command Line” to show the gcloud command to create the same rule)
Update: Please refer to the docs to customize your rules.
Here is the command-line approach to answer this question:
# --target-tags selects the instances the rule applies to; --source-tags would restrict the sources instead
gcloud compute firewall-rules create <rule-name> --allow tcp:9090 --target-tags=<tag-on-your-instances> --source-ranges=0.0.0.0/0 --description="<your-description-here>"
This will open the port 9090 for the instances that you name. Omitting --source-tags and --source-ranges will apply the rule to all instances. More details are in the Gcloud documentation and the firewall-rule create command manual
The previous answers are great, but Google recommends using the newer gcloud commands instead of the gcutil commands.
PS:
To get an idea of Google's firewall rules, run gcloud compute firewall-rules list and view all your firewall rules
This question is old and Carlos Rojas's answer is good, but I think I should post few things which should be kept in mind while trying to open the ports.
The first thing to remember is that Networking section is renamed to VPC Networking. So if you're trying to find out where Firewall Rules option is available, go look at VPC Networking.
The second thing is, if you're trying to open ports on a Linux VM, make sure under no circumstances should you try to open port using ufw command. I tried using that and lost ssh access to the VM. So don't repeat my mistake.
The third thing is, if you're trying to open ports on a Windows VM, you'll need to create Firewall rules inside the VM also in Windows Firewall along with VPC Networking -> Firewall Rules. The port needs to be opened in both firewall rules, unlike Linux VM. So if you're not getting access to the port from outside the VM, check if you've opened the port in both GCP console and Windows Firewall.
The last (obvious) thing is, do not open ports unnecessarily. Close the ports, as soon as you no longer need it.
I hope this answer is useful.
Creating firewall rules
Please review the firewall rule components [1] if you are unfamiliar with firewall rules in GCP. Firewall rules are defined at the network level, and only apply to the network where they are created; however, the name you choose for each of them must be unique to the project.
For Cloud Console:
Go to the Firewall rules page in the Google Cloud Platform Console.
Click Create firewall rule.
Enter a Name for the firewall rule.
This name must be unique for the project.
Specify the Network where the firewall rule will be implemented.
Specify the Priority of the rule.
The lower the number, the higher the priority.
For the Direction of traffic, choose ingress or egress.
For the Action on match, choose allow or deny.
Specify the Targets of the rule.
If you want the rule to apply to all instances in the network, choose All instances in the network.
If you want the rule to apply to select instances by network (target) tags, choose Specified target tags, then type the tags to which the rule should apply into the Target tags field.
If you want the rule to apply to select instances by associated service account, choose Specified service account, indicate whether the service account is in the current project or another one under Service account scope, and choose or type the service account name in the Target service account field.
For an ingress rule, specify the Source filter:
Choose IP ranges and type the CIDR blocks into the Source IP ranges field to define the source for incoming traffic by IP address ranges. Use 0.0.0.0/0 for a source from any network.
Choose Subnets then mark the ones you need from the Subnets pop-up button to define the source for incoming traffic by subnet name.
To limit source by network tag, choose Source tags, then type the network tags into the Source tags field. For the limit on the number of source tags, see VPC Quotas and Limits. Filtering by source tag is only available if the target is not specified by service account. For more information, see filtering by service account vs. network tag.
To limit source by service account, choose Service account, indicate whether the service account is in the current project or another one under Service account scope, and choose or type the service account name in the Source service account field. Filtering by source service account is only available if the target is not specified by network tag. For more information, see filtering by service account vs. network tag.
Specify a Second source filter if desired. Secondary source filters cannot use the same filter criteria as the primary one.
For an egress rule, specify the Destination filter:
Choose IP ranges and type the CIDR blocks into the Destination IP ranges field to define the destination for outgoing traffic by IP address ranges. Use 0.0.0.0/0 to mean everywhere.
Choose Subnets then mark the ones you need from the Subnets pop-up button to define the destination for outgoing traffic by subnet name.
Define the Protocols and ports to which the rule will apply:
Select Allow all or Deny all, depending on the action, to have the rule apply to all protocols and ports.
Define specific protocols and ports:
Select tcp to include the TCP protocol and ports. Enter all or a comma delimited list of ports, such as 20-22, 80, 8080.
Select udp to include the UDP protocol and ports. Enter all or a comma delimited list of ports, such as 67-69, 123.
Select Other protocols to include protocols such as icmp or sctp.
(Optional) You can create the firewall rule but not enforce it by setting its enforcement state to disabled. Click Disable rule, then select Disabled.
(Optional) You can enable firewall rules logging:
Click Logs > On.
Click Turn on.
Click Create.
Link:
[1] https://cloud.google.com/vpc/docs/firewalls#firewall_rule_components
You'll need to add a firewall rule to open inbound access to tcp:9090 to your instances. If you have more than the two instances, and you only want to open 9090 to those two, you'll want to make sure that there is a tag that those two instances share. You can add or update tags via the console or the command-line; I'd recommend using the GUI for that if needed because it handles the read-modify-write cycle with setinstancetags.
If you want to open port 9090 to all instances, you can create a firewall rule like:
gcutil addfirewall allow-9090 --allowed=tcp:9090
which will apply to all of your instances.
If you only want to open port 9090 to the two instances that are serving your application, make sure that they have a tag like my-app, and then add a firewall like so:
gcutil addfirewall my-app-9090 --allowed=tcp:9090 --target_tags=my-app
You can read more about creating and managing firewalls in GCE here.
I had the same problem as you do and I could solve it by following #CarlosRojas's instructions with a little difference. Instead of creating a new firewall rule I edited the default-allow-internal one to accept traffic from anywhere, since creating new rules didn't make any difference.
console.cloud.google.com >> select project >> Networking > VPC network >> firewalls >> create firewall.
To apply the rule to VM instances, select Targets, "Specified target tags", and enter into "Target tags" the name of the tag. This tag will be used to apply the new firewall rule onto whichever instance you'd like.
in "Protocols and Ports" enter tcp:9090
Click Save.
Run this command to open port
gcloud compute --project=<project_name> firewall-rules create firewall-rules --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:<port number> --source-ranges=0.0.0.0/0
I had to fix this by decreasing the priority (making it higher). This caused an immediate response. Not what I was expecting, but it worked.
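The answers above all rely on the same matching behaviour: ingress is denied unless some rule allows it, rules belong to one VPC network, target tags select which VMs a rule applies to, source ranges (for example 35.235.240.0/20 for IAP) select who may connect, a lower priority number wins, and a deny beats an allow at equal priority. The following evaluator reproduces that logic offline so you can answer "is tcp/8080 on this VM reachable from the internet, and which rule decides it?" from a `gcloud compute firewall-rules list --format=json` export. It is an added example, not code from any of the answers or from Google; the rule set, instance names and source addresses in it are constructed for illustration, and the `rule_from_gcloud` field names are the ones the JSON export uses (`allowed`, `denied`, `sourceRanges`, `targetTags`, `priority`, `direction`, `disabled`). Service-account targets and source tags are not modelled.

```python
"""Offline evaluation of GCP VPC firewall rules for one instance (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    network: str
    direction: str = "INGRESS"
    priority: int = 1000
    action: str = "ALLOW"                               # ALLOW or DENY
    rules: dict = field(default_factory=dict)           # {"tcp": ["22", "8000-9000"], "icmp": []}; [] = every port
    source_ranges: list = field(default_factory=list)   # CIDR strings
    target_tags: list = field(default_factory=list)     # empty = all instances in the network
    disabled: bool = False


@dataclass
class Instance:
    name: str
    network: str
    tags: list


def _port_in(port: int, spec: str) -> bool:
    """spec is a single port ("22"), a range ("20-22") or "all"."""
    if spec == "all":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule: Rule, inst: Instance, src_ip: str, proto: str, port: int) -> bool:
    """True if this ingress rule applies to inst and covers the packet (src_ip, proto, port)."""
    if rule.disabled or rule.direction != "INGRESS" or rule.network != inst.network:
        return False
    if rule.target_tags and not set(rule.target_tags) & set(inst.tags):
        return False                                    # tag-scoped rule and the VM lacks the tag
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in ipaddress.ip_network(cidr) for cidr in rule.source_ranges):
        return False
    ports = rule.rules.get(proto, rule.rules.get("all"))
    if ports is None:
        return False                                    # protocol not covered by this rule
    return not ports or any(_port_in(port, p) for p in ports)


def evaluate(rules, inst, src_ip, proto, port):
    """Return (action, rule_name) for one packet; implied ingress deny if nothing matches."""
    # Lower number = higher priority; at equal priority a DENY is evaluated before an ALLOW.
    ordered = sorted(rules, key=lambda r: (r.priority, 0 if r.action == "DENY" else 1))
    for r in ordered:
        if rule_matches(r, inst, src_ip, proto, port):
            return r.action, r.name
    return "DENY", "implied-deny-ingress"


def world_reachable(rules):
    """Names of enabled ingress ALLOW rules whose sources include 0.0.0.0/0 (review these first)."""
    return sorted(r.name for r in rules
                  if not r.disabled and r.direction == "INGRESS"
                  and r.action == "ALLOW" and "0.0.0.0/0" in r.source_ranges)


def rule_from_gcloud(d: dict) -> Rule:
    """Convert one entry of `gcloud compute firewall-rules list --format=json` into a Rule."""
    entries, action = (d["allowed"], "ALLOW") if d.get("allowed") else (d.get("denied", []), "DENY")
    return Rule(name=d["name"], network=d["network"].rsplit("/", 1)[-1],
                direction=d.get("direction", "INGRESS"), priority=int(d.get("priority", 1000)),
                action=action, rules={e["IPProtocol"]: e.get("ports", []) for e in entries},
                source_ranges=d.get("sourceRanges", []), target_tags=d.get("targetTags", []),
                disabled=bool(d.get("disabled", False)))


def sample_rules():
    """Constructed rule set: the default network's SSH/internal rules plus the two rules from the answers."""
    return [
        Rule("default-allow-ssh", "default", priority=65534, rules={"tcp": ["22"]}, source_ranges=["0.0.0.0/0"]),
        Rule("default-allow-internal", "default", priority=65534,
             rules={"tcp": [], "udp": [], "icmp": []}, source_ranges=["10.128.0.0/9"]),
        Rule("rule-allow-tcp-8080", "default", rules={"tcp": ["8080"]},
             source_ranges=["0.0.0.0/0"], target_tags=["allow-tcp-8080"]),
        Rule("allow-ingress-from-iap", "default", rules={"tcp": ["22"]}, source_ranges=["35.235.240.0/20"]),
    ]


VM_TAGGED = Instance("vm-with-tag", "default", ["allow-tcp-8080"])      # constructed
VM_UNTAGGED = Instance("vm-without-tag", "default", [])                  # constructed

if __name__ == "__main__":
    for vm in (VM_TAGGED, VM_UNTAGGED):
        print(vm.name, "tcp/8080 from 203.0.113.5 ->", evaluate(sample_rules(), vm, "203.0.113.5", "tcp", 8080))
    print("rules open to 0.0.0.0/0:", world_reachable(sample_rules()))
```

Feed a real export with `rules = [rule_from_gcloud(d) for d in json.load(open("rules.json"))]` and an `Instance` built from the VM's network and tags; the untagged VM in the sample reproduces the original question (the rule exists, the VM just does not carry the tag), and adding a DENY rule at an equal or lower priority number shows why the last answer's priority change mattered.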