6
votes

I have an IOTA IRI instance running on a VM in GCP compute engine. The instance is using port 14265 to communicate, and checking it locally by doing something like curl http://localhost:14265 does respond.

I want to open this port to outside of the vm, so I set up a static IP, and a firewall rule to allow tcp:14265; udp:14265 and still the port is not responding.

I even tried allowing all by doing: (screenshot omitted)

But no luck. There is no port open except for 22 for ssh (looked in a port scanner)

I am aware it feels like a duplicate of How to open a specific port such as 9090 in Google Compute Engine, but I did try those answers and they didn't solve it for me.

EDIT:

Running the two commands I was asked to run in an answer:

D:\Downloads> gcloud compute networks list
NAME     MODE  IPV4_RANGE  GATEWAY_IPV4
default  auto

D:\Downloads> gcloud compute instances describe instance-1 --zone europe-west1-b
canIpForward: false
cpuPlatform: Intel Sandy Bridge
creationTimestamp: '2017-08-22T09:33:12.240-07:00'
description: ''
disks:
- autoDelete: true
  boot: true
  deviceName: instance-1
  index: 0
  interface: SCSI
  kind: compute#attachedDisk
  licenses:
  - https://www.googleapis.com/compute/v1/projects/ubuntu-os-cloud/global/licenses/ubuntu-1604-xenial
  mode: READ_WRITE
  source: https://www.googleapis.com/compute/v1/projects/iota-177616/zones/europe-west1-b/disks/instance-1
  type: PERSISTENT
id: '8895209582493819432'
kind: compute#instance
labelFingerprint: 42WmSpB8rSM=
machineType: https://www.googleapis.com/compute/v1/projects/iota-177616/zones/europe-west1-b/machineTypes/f1-micro
metadata:
  fingerprint: -pkE3KaIzLU=
  kind: compute#metadata
name: instance-1
networkInterfaces:
- accessConfigs:
  - kind: compute#accessConfig
    name: External NAT
    natIP: 35.187.9.204
    type: ONE_TO_ONE_NAT
  kind: compute#networkInterface
  name: nic0
  network: https://www.googleapis.com/compute/v1/projects/iota-177616/global/networks/default
  networkIP: 10.132.0.2
  subnetwork: https://www.googleapis.com/compute/v1/projects/iota-177616/regions/europe-west1/subnetworks/default
scheduling:
  automaticRestart: true
  onHostMaintenance: MIGRATE
  preemptible: false
selfLink: https://www.googleapis.com/compute/v1/projects/iota-177616/zones/europe-west1-b/instances/instance-1
serviceAccounts:
- email: [email protected]
  scopes:
  - https://www.googleapis.com/auth/devstorage.read_only
  - https://www.googleapis.com/auth/logging.write
  - https://www.googleapis.com/auth/monitoring.write
  - https://www.googleapis.com/auth/servicecontrol
  - https://www.googleapis.com/auth/service.management.readonly
  - https://www.googleapis.com/auth/trace.append
startRestricted: false
status: RUNNING
tags:
  fingerprint: 6smc4R4d39I=
  items:
  - http-server
  - https-server
zone: https://www.googleapis.com/compute/v1/projects/iota-177616/zones/europe-west1-b
How does your service listen on the port? Make sure it listens on 0.0.0.0:14265. - Dagang

I don't really know how to figure that out. curl to 0.0.0.0:14265 and my local IP both return the same response as just localhost:14265 - Amit

Hey, I am having the same problem. Can you please let me know how you solved this problem? - Payal Kothari

@PayalKothari Sorry, I didn't manage to - Amit

1 Answer

4
votes

It is difficult to give an exact answer without some diagnostics.

It could be that the rules are being created for a network and your instance is in a different network.

So, first of all, check the networks available in your project:

gcloud compute networks list

Secondly, check in which network your instance is located:

gcloud compute instances describe [Instance Name] --zone [Zone]

Check the firewall rules being applied to the network used by your instance:

gcloud compute firewall-rules list

Also check that the target tags are the appropriate ones.


As you can see, there are no tags applied to the VM. Although the rules should apply if you target all VMs, it is good practice to do it.

  1. Edit your VM and add a tag (e.g. frontserver)

    gcloud compute instances add-tags [INSTANCE NAME] --zone [ZONE] --tags frontserver

  2. Now create the firewall rule and apply it to the tag created

    gcloud beta compute firewall-rules create [NAME_OF_THE_RULE] --direction=INGRESS --priority=1000 --network=default --allow=all --source-ranges=0.0.0.0/0 --target-tags=frontserver

Check if it works; then you can run an update to restrict it to the desired ports and protocols and your source IP. (Direction and network are fixed when a rule is created and cannot be changed by update, so only the allowed ports, source ranges and target tags are passed here.)

gcloud beta compute firewall-rules update [NAME_OF_THE_RULE] --priority=1000 --allow=tcp:[PORT] --source-ranges=[your_source_IP] --target-tags=frontserver

Hope this helps; further info is found here with examples.
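The checks this answer walks through (same network as the instance, matching target tags, source range, protocol and port) can be applied mechanically to the JSON that `gcloud compute instances describe NAME --format=json` and `gcloud compute firewall-rules list --format=json` return. The following is an added example, not the answerer's code: the instance and rules are constructed samples that reproduce the two classic misses (rule in the wrong VPC network, rule targeting a tag the VM does not carry), and the field names follow the gcloud JSON output.

```python
from ipaddress import ip_network

# Constructed sample shaped like `gcloud compute instances describe ... --format=json`,
# reduced to the fields the check needs (network URLs shortened).
INSTANCE = {"name": "instance-1", "tags": {"items": ["http-server", "https-server"]},
            "networkInterfaces": [{"network": "global/networks/default"}]}

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`.
RULES = [
    {"name": "default-allow-ssh", "network": "global/networks/default",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    # Right port, but created in a different VPC network than the instance's NIC.
    {"name": "allow-iota-wrong-net", "network": "global/networks/other",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["14265"]}]},
    # Right network and port, but targets a tag the instance does not carry.
    {"name": "allow-iota-tagged", "network": "global/networks/default",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["frontserver"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["14265"]}]},
]

def port_matches(spec, port):
    """Match a gcloud port spec: a single port ("14265") or a range ("14000-15000")."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_opens(rule, instance, proto, port, source="0.0.0.0/0"):
    """True if an enabled INGRESS rule applies to the instance and admits proto:port from source."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return False
    # A rule lives in one VPC network; the instance needs a NIC in that network.
    if rule["network"] not in {n["network"] for n in instance["networkInterfaces"]}:
        return False
    # A rule with target tags applies only to instances carrying at least one of them.
    tags = set(instance.get("tags", {}).get("items", []))
    if rule.get("targetTags") and not tags & set(rule["targetTags"]):
        return False
    # The caller's address must fall inside one of the rule's source ranges.
    src = ip_network(source)
    if not any(src.subnet_of(ip_network(r)) for r in rule.get("sourceRanges", [])):
        return False
    return any(a["IPProtocol"] in (proto, "all")
               and ("ports" not in a or any(port_matches(p, port) for p in a["ports"]))
               for a in rule.get("allowed", []))

def rules_opening(instance, rules, proto, port):
    """Names of the rules that actually open proto:port on this instance."""
    return [r["name"] for r in rules if rule_opens(r, instance, proto, port)]
```

With the samples above, `rules_opening(INSTANCE, RULES, "tcp", 14265)` comes back empty even though two rules mention the port, which is exactly the situation in the question; adding the frontserver tag to the instance makes the tagged rule apply.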