Can't see application running on external IP of instance - node.js

Google Compute Engine newbie here.
I'm following along with the bookshelf tutorial: https://cloud.google.com/nodejs/tutorials/bookshelf-on-compute-engine
But I ran into a problem: when I try to view my application at http://[YOUR_INSTANCE_IP]:8080 using my external IP, nothing shows up. I've tried running the tutorial again and again, but the same problem still occurs.
EDIT:
My firewall rules: http://i.imgur.com/gHyvtie.png
My VM instance:
http://i.imgur.com/mDkkFRW.png
VM instance showing the correct networking tags:
http://i.imgur.com/NRICIGl.png
Going to http://35.189.73.115:8080/ in my web browser still fails to show anything. Says "This page isn't working"

TL;DR - You're most likely missing firewall rules to allow incoming traffic to port 8080 on your instances.
Default Firewall rules
Google Compute Engine firewall by default blocks all ingress traffic (i.e. incoming network traffic) to your Virtual Machines. If your VM is created on the default network (which is usually the case), a few ports like 22 (SSH) and 3389 (RDP) are allowed.
The default firewall rules are described here.
Opening ports for ingress
The ingress firewall rules are described in detail here.
The recommended approach is to create a firewall rule which allows incoming traffic on port 8080 to your VMs containing a specific tag you choose. You can then associate this tag only with the VMs where you want to allow ingress on 8080.
The steps to do this using gcloud:
# Create a new firewall rule that allows INGRESS tcp:8080 with VMs containing tag 'allow-tcp-8080'
gcloud compute firewall-rules create rule-allow-tcp-8080 --source-ranges 0.0.0.0/0 --target-tags allow-tcp-8080 --allow tcp:8080
# Add the 'allow-tcp-8080' tag to a VM named VM_NAME
gcloud compute instances add-tags VM_NAME --tags allow-tcp-8080
# If you want to list all the GCE firewall rules
gcloud compute firewall-rules list
Here is another Stack Overflow answer which walks you through how to allow ingress traffic on specific ports to your VM using the Cloud Console web UI (in addition to gcloud).
PS: These are also part of the steps in the tutorial you linked.
# Add the 'http-server' tag while creating the VM
gcloud compute instances create my-app-instance \
--image=debian-8 \
--machine-type=g1-small \
--scopes userinfo-email,cloud-platform \
--metadata-from-file startup-script=gce/startup-script.sh \
--zone us-central1-f \
--tags http-server
# Add firewall rules to allow ingress tcp:8080 to VMs with tag 'http-server'
gcloud compute firewall-rules create default-allow-http-8080 \
--allow tcp:8080 \
--source-ranges 0.0.0.0/0 \
--target-tags http-server \
--description "Allow port 8080 access to http-server"
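As an added example (not part of the original answer or of the tutorial), here is a small offline audit of the situation the answer describes: given the firewall rules and an instance's network tags, decide whether tcp:8080 ingress from a given client is admitted, and if not, whether the problem is a missing tag or a missing rule. The rule list is a constructed sample shaped like `gcloud compute firewall-rules list --format=json`; only allow rules are modelled (deny rules and priorities are ignored, which is an assumption of this example).

```python
import ipaddress

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (field names follow the Compute Engine API; the rule values are made up here).
FIREWALL_RULES = [
    {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "default-allow-http-8080", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["http-server"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
    {"name": "allow-admin-range", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["203.0.113.0/24"], "targetTags": ["admin"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8000-9000"]}]},
]


def _port_in_spec(port, spec):
    """spec is a single port ('8080') or a range ('8000-9000')."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _source_matches(rule, client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r) for r in rule.get("sourceRanges", []))


def rules_allowing(rules, instance_tags, port, client_ip, proto="tcp"):
    """Names of enabled INGRESS allow rules that admit proto:port from client_ip
    to an instance carrying instance_tags. A rule with no targetTags applies to
    every instance on the network. Deny rules and rule priority are ignored
    (simplification of this example: only allow rules are modelled)."""
    hits = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        target = rule.get("targetTags")
        if target and not set(target) & set(instance_tags):
            continue  # rule exists but this instance does not carry its tag
        if not _source_matches(rule, client_ip):
            continue
        for allowed in rule.get("allowed", []):
            if allowed["IPProtocol"] not in (proto, "all"):
                continue
            ports = allowed.get("ports")  # absent means every port of the protocol
            if ports is None or any(_port_in_spec(port, p) for p in ports):
                hits.append(rule["name"])
                break
    return hits


def diagnose(rules, instance_tags, port, client_ip):
    """Explain why a port is (or is not) reachable, in the order a troubleshooter
    would check: matching rule, then missing tag, then missing rule."""
    hits = rules_allowing(rules, instance_tags, port, client_ip)
    if hits:
        return "allowed by " + ", ".join(hits)
    every_tag = {t for r in rules for t in r.get("targetTags", [])}
    if rules_allowing(rules, every_tag, port, client_ip):
        return "blocked: instance is missing a target tag used by an existing rule"
    return "blocked: no ingress rule opens this port from this source"


if __name__ == "__main__":
    # The asker's situation: the rule exists, but the VM carries no tag.
    print(diagnose(FIREWALL_RULES, [], 8080, "198.51.100.7"))
    print(diagnose(FIREWALL_RULES, ["http-server"], 8080, "198.51.100.7"))
```

To run it against a real project, replace `FIREWALL_RULES` with the parsed JSON from `gcloud compute firewall-rules list --format=json` and `instance_tags` with `tags.items` from `gcloud compute instances describe`.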

Related

Azure Container Instances - allow outbound connection to internet

I am running Ubuntu 18.04 in Container instances in Private Virtual Network. The container does not have access to the internet. How to enable access to specific URL on the internet?
Yes romanzdk, you are in the right direction. It seems some corporate firewall rules do not allow connections to the outside world.
By default, Azure Firewall denies (blocks) inbound and outbound traffic.
You can define a user-defined route on the ACI subnet to divert traffic to the Azure Firewall: set the next hop type to VirtualAppliance, and pass the firewall's private IP address as the next hop address.
# Look up the firewall's private IP first; it is used as the next hop below
FW_PRIVATE_IP="$(az network firewall ip-config list \
--resource-group $RESOURCE_GROUP_NAME \
--firewall-name myFirewall \
--query "[].privateIpAddress" --output tsv)"
# Default route on the ACI subnet's route table pointing at the firewall
az network route-table route create \
--resource-group $RESOURCE_GROUP_NAME \
--name DG-Route \
--route-table-name Firewall-rt-table \
--address-prefix 0.0.0.0/0 \
--next-hop-type VirtualAppliance \
--next-hop-ip-address $FW_PRIVATE_IP
You can also create a NAT rule on the firewall to translate and filter inbound internet traffic to the application container.
For more information on how to route outbound and inbound traffic to a container group through the firewall, refer to this Microsoft document.

TCP whitelist for custom TCP port does not work in haproxy ingress

Hi I was able to configure the haproxy ingress for a custom TCP port (RabbitMQ), using helm with custom values:
# ha-values.yaml
controller:
  ingressClass: haproxy
  config:
    whitelist-source-range: 251.161.180.161
    # use-proxy-protocol: "true"
  # TCP service key:value pairs
  # <port>: <namespace>/<servicename>:<portnumber>[:[<in-proxy>][:<out-proxy>]]
  # https://haproxy-ingress.github.io/docs/configuration/command-line/#tcp-services-configmap
  tcp:
    15672: "default/rabbitmq-bugs:15672"
    5672: "default/rabbitmq-bugs:5672"
Installed helm with
helm install haproxy-ingress haproxy-ingress/haproxy-ingress \
--create-namespace --namespace=ingress-controller \
--values yaml/ha-values.yaml
I published on Digital Ocean, so a LoadBalancer was started, and port 15672 was correctly forwarded to the internal rabbitmq Kubernetes service.
I was not able to make the whitelist option work.
The service was always reachable.
I also tried enabling proxy protocol on both the load balancer and haproxy, but the whitelist still didn't take effect.
It seems like the whitelist option doesn't work for TCP filtering.
Has anyone succeeded in making a custom TCP port whitelist work?
Thanks.

Azure Front Door in the front of Application Gateway

I've deployed Azure Front Door in the front of Application Gateway.
Now I want to route all traffic through Front Door and restrict direct access to Application Gateway's public IP address.
How to do that?
Here's what I'm trying to do
I've got the answer from Microsoft Azure Support.
I needed to add a Network Security Group (NSG) and link the Application Gateway subnet to it.
NSG inbound rules:

Source: Service Tag
Source service tag: AzureFrontDoor.Backend
Source Port ranges: *
Destination: Any
Destination port ranges: *
Protocol: Any
Action: Allow
Priority: 200

Source: Service Tag
Source service tag: GatewayManager
Source Port ranges: *
Destination: Any
Destination port ranges: 65200-65535
Protocol: Any
Action: Allow
Priority: 300

Source: Service Tag
Source service tag: VirtualNetwork
Source Port ranges: *
Destination: Any
Destination port ranges: *
Protocol: Any
Action: Allow
Priority: 400

Source: Service Tag
Source service tag: AzureLoadBalancer
Source Port ranges: *
Destination: Any
Destination port ranges: *
Protocol: Any
Action: Allow
Priority: 500

Source: Any
Source Port ranges: *
Destination: Any
Destination port ranges: *
Protocol: Any
Action: Deny
Priority: 600
Here's how my NSG looks
From the Microsoft docs, these are the Network Security Group rules you need attached to the App Gateway subnet:
Azure CLI example:
# Set up reusable variables
app="myapp"; echo $app
env="prod"; echo $env
l="eastus2"; echo $l
tags="env=$env app=$app"; echo $tags
app_rg="rg-$app-$env"; echo $app_rg
agic_nsg_n="nsg-agic-$app-$env"; echo $agic_nsg_n
# Creates an AGW NSG with Default rules
az network nsg create \
--resource-group $app_rg \
--name $agic_nsg_n \
--location $l \
--tags $tags
# AllowGatewayManagerInbound
az network nsg rule create \
--name AllowGatewayManagerInbound \
--direction Inbound \
--resource-group $app_rg \
--nsg-name $agic_nsg_n \
--priority 300 \
--destination-port-ranges 65200-65535 \
--protocol TCP \
--source-address-prefixes GatewayManager \
--destination-address-prefixes "*" \
--access Allow
# AllowAzureFrontDoor.BackendInbound
az network nsg rule create \
--name AllowAzureFrontDoor.Backend \
--direction Inbound \
--resource-group $app_rg \
--nsg-name $agic_nsg_n \
--priority 200 \
--destination-port-ranges 443 80 \
--protocol TCP \
--source-address-prefixes AzureFrontDoor.Backend \
--destination-address-prefixes VirtualNetwork \
--access Allow
The assumptions are:
Incoming traffic from Azure Front Door is either on port 80 (HTTP) or 443 (HTTPS). If you require others, update the ports or use Any.
I have an Azure Kubernetes Service behind the Application Gateway configured as an Application Gateway Ingress Controller (AGIC), hence the destination is VirtualNetwork. Again, based on your specific scenario you could update it or leave it as Any.
Here is also a complete GitHub code example within the Azure directory.
Questions from Comments:
I don't understand how this prevents anyone other than FD from accessing the AKS apps via the AG public IP address though. Could you please clarify? #AndyMoose
NSG rules work as follows: incoming requests are evaluated against the NSG rules in order of rule priority; if the request matches a rule, that rule applies its Action (Allow or Deny). If the request does not match the rule, the next rule is evaluated. For example:
If you or anyone attempts to access the Azure Application Gateway (agw) public ip (pip) it will check the NSG rules as follows:
200: your request does not match since the incoming request is not coming from the AzureFrontDoor.Backend
300: your request does not match since the incoming request is not coming from the GatewayManager
65000: your request does not match since the incoming request is not coming from within the VirtualNetwork
65001: your request does not match since the incoming request is not coming from the AzureLoadBalancer
65500: your request matches the rule since this NSG rule accepts all incoming sources, ports and protocols. Therefore, the NSG rule applies its action (Deny)
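The priority walk described in the answer, as an added example that is not part of the original answer: a small evaluator that sorts inbound rules by priority number, stops at the first match, and returns a trace of every rule visited. The service-tag prefixes are constructed placeholders (the real contents of a tag are published by Microsoft and change), and the rule set is the one from the answer plus the three Azure default inbound rules at 65000, 65001 and 65500.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder prefixes standing in for Azure service tags. The real
# contents of a service tag are published by Microsoft and change over time, so
# only the tag name, never these addresses, belongs in a real NSG rule.
SERVICE_TAGS = {
    "AzureFrontDoor.Backend": ["192.0.2.0/24"],
    "GatewayManager": ["198.51.100.0/24"],
    "VirtualNetwork": ["10.0.0.0/8"],
    "AzureLoadBalancer": ["203.0.113.1/32"],
}


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int
    source: str       # service tag name, CIDR prefix, or "*"
    dest_ports: str   # "*", a port, a range "65200-65535", or a list "80,443"
    protocol: str     # "*", "TCP" or "UDP"
    access: str       # "Allow" or "Deny"


# Inbound rule set from the answer above: two custom rules plus the three
# default rules that every Azure NSG carries.
APP_GATEWAY_INBOUND = [
    NsgRule("AllowAzureFrontDoor.Backend", 200, "AzureFrontDoor.Backend", "80,443", "TCP", "Allow"),
    NsgRule("AllowGatewayManagerInbound", 300, "GatewayManager", "65200-65535", "TCP", "Allow"),
    NsgRule("AllowVnetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    NsgRule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]


def _source_matches(source, ip):
    if source == "*":
        return True
    addr = ipaddress.ip_address(ip)
    prefixes = SERVICE_TAGS.get(source, [source])  # a bare CIDR is its own prefix
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def _port_matches(spec, port):
    if spec == "*":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, src_ip, dst_port, protocol="TCP"):
    """Evaluate an inbound packet the way an NSG does: walk the rules from the
    lowest priority number upward; the first match decides. Returns the access,
    the deciding rule's name, and one trace line per rule visited."""
    trace = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_source_matches(rule.source, src_ip)
                and _port_matches(rule.dest_ports, dst_port)
                and rule.protocol in ("*", protocol)):
            trace.append(f"{rule.priority}: matches {rule.name} -> {rule.access}")
            return rule.access, rule.name, trace
        trace.append(f"{rule.priority}: no match ({rule.name})")
    return "Deny", None, trace  # not reached while DenyAllInBound is present


if __name__ == "__main__":
    # A client on the internet hitting the App Gateway public IP directly.
    access, name, trace = evaluate(APP_GATEWAY_INBOUND, "203.0.113.77", 443)
    print("\n".join(trace))
    print(f"result: {access} by {name}")
```

The trace for the direct-access case reproduces the five steps listed in the answer, ending in the Deny at 65500; a request whose source falls inside the AzureFrontDoor.Backend tag is allowed at 200 before any later rule is consulted.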

No response from VM Scale Set

I created a VM ScaleSet from a custom image where Docker is pre-installed. For testing, I just run on all available VMs this command: sudo docker container run -d -p 80:80 seqvence/static-site (just showing a simple static site on port 80).
However, I first created a healthProbe (just checking for tcp:80). Then I created a loadbalancing rule for port:80 -> backend port:80. And of course my LoadBalancer has a backend pool containing my VMs of my ScaleSet.
But when I now navigate to myvmss.westeurope.cloudapp.azure.com I get ERR_CONNECTION_TIMED_OUT
What am I missing?
Port 80 was blocked by a Network Security Group.
How to allow it: https://blogs.msdn.microsoft.com/pkirchner/2016/02/02/allow-incoming-web-traffic-to-web-server-in-azure-vm/

Compute Engine : "This site can’t be reached"

SITUATION:
I am following this tutorial.
When I get to the part where I create an instance and I execute the necessary commands, I get to the following:
To see the application running, go to http://[YOUR_INSTANCE_IP]:8080,
where [YOUR_INSTANCE_IP] is the external IP address of your instance.
PROBLEM:
The page doesn't load. I get the following error message:
This site can’t be reached
QUESTION:
What could have gone wrong?
All previous steps worked perfectly and I was able to access my website locally.
I waited for the Compute Engine instance to be ready by checking:
gcloud compute instances get-serial-port-output my-app-instance --zone us-central1-f
and although I reproduced all the steps twice, I am still met with the error message.
Something must be missing.
EDIT:
My firewall rules:
I guess you didn't apply the firewall tag to the instance?
First, you can check your compute instance's tags:
gcloud compute instances describe my-app-instance
In your example, you should see http-server in tags.items, like the following:
tags:
  fingerprint: xxxxxxx
  items:
  - http-server
  - https-server
If it is not there, add the tags to the existing VM instance with this gcloud command:
gcloud compute instances add-tags [YOUR_INSTANCE_NAME] --tags http-server,https-server
To add the tags at the time of the instance creation, include that flag in your statement:
gcloud compute instances create [YOUR_INSTANCE_NAME] --tags http-server,https-server
If your code and firewall rules are correct, then it's highly possible that you are trying to connect to the wrong IP. You should be using the external IP, not the internal one which you get using ifconfig; you can get your external IP at whatsmyip.com.
I will suggest looking into this step:
gcloud compute instances create my-app-instance \
--image-family=debian-9 \
--image-project=debian-cloud \
--machine-type=g1-small \
--scopes userinfo-email,cloud-platform \
--metadata app-location=$BOOKSHELF_DEPLOY_LOCATION \
--metadata-from-file startup-script=gce/startup-script.sh \
--zone us-central1-f \
--tags http-server
Please ensure the instance is created with the http-server tag
Otherwise, the firewall rules will not take effect on your instance
gcloud compute firewall-rules create default-allow-http-8080 \
--allow tcp:8080 \
--source-ranges 0.0.0.0/0 \
--target-tags http-server \
--description "Allow port 8080 access to http-server"
First, check if the firewall settings are correct, as the others have mentioned.
Second, I was having the same problem and solved it by selecting the "Standard" option instead of the "Premium" one in the Network Service Tier section.
Third, check if there is another application running on the same port using the command:
netstat -tulpn
Which should return something like:
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
In my case it was not working because I had two applications running on the same port.
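As an added example (not part of the original answer), here is a parser for the `netstat -tulpn` output shown above that reports what is serving a given port. It goes one step beyond the answer's check for a second application on the port: it also distinguishes a socket bound to all interfaces from one bound only to the loopback address, since a service listening on 127.0.0.1 is unreachable from the external IP even with a correct firewall rule. The netstat text is a constructed sample.

```python
# Constructed `netstat -tulpn` output for this example; a node process bound only
# to the loopback address is included to show the most common trap.
SAMPLE_NETSTAT = """\
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      1234/node
tcp6       0      0 :::80                   :::*                    LISTEN      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
"""

# Local addresses that mean "every interface" in netstat output.
WILDCARD_HOSTS = {"0.0.0.0", "::", "*"}


def parse_netstat(output):
    """Turn `netstat -tulpn` text into a list of socket dicts, skipping the
    banner and header lines. UDP rows carry no State column."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        host, _, port = fields[3].rpartition(":")  # handles IPv6 ':::80' too
        is_tcp = fields[0].startswith("tcp")
        sockets.append({
            "proto": fields[0],
            "host": host,
            "port": int(port),
            "state": fields[5] if is_tcp else "-",
            "program": fields[-1],
        })
    return sockets


def listeners_on(output, port):
    """(proto, bound host, program) for every socket serving `port`."""
    return [(s["proto"], s["host"], s["program"])
            for s in parse_netstat(output)
            if s["port"] == port
            and (s["state"] == "LISTEN" or s["proto"].startswith("udp"))]


def diagnose_port(output, port):
    """One-line verdict for the port the application is expected to serve."""
    found = listeners_on(output, port)
    if not found:
        return "nothing is listening on port %d; the application is not running" % port
    programs = sorted({prog for _, _, prog in found})
    if any(host in WILDCARD_HOSTS for _, host, _ in found):
        return ("port %d is listening on all interfaces (%s); look at the firewall next"
                % (port, ", ".join(programs)))
    hosts = ", ".join(sorted({host for _, host, _ in found}))
    return ("port %d is bound only to %s (%s); it cannot be reached from outside the VM"
            % (port, hosts, ", ".join(programs)))


if __name__ == "__main__":
    for p in (8080, 80, 443):
        print(diagnose_port(SAMPLE_NETSTAT, p))
```

On a real VM, feed the function the captured output of `sudo netstat -tulpn` (root is needed to see the program names, as the banner in the sample says). More than one program listed for the same port is the "two applications on the same port" case from the answer.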

Resources