HTTP firewall issue

Problem:
I am trying to raise an HTTP server on GCP on port 8080 or 80. But I can only connect locally, and not from outside the GCP network.
From GCP: "curl localhost:8080" works, but "curl external_ip:8080" does not work.
From my local computer: "curl external_ip:8080" does not work.
Error: connection timeout / no route to host.

When trying port 80, I get "connection refused" with external_ip, regardless of whether the HTTP server is on or not.

Other info:
1. OS: Ubuntu
2. On machine creation I marked the allow_http and allow_https network tags.
3. Result of command: sudo iptables -L

[screenshot: output of sudo iptables -L]

4. I added a firewall rule that allows all IPs (v4/v6), for all ports and protocols, and associated it with the default network.
5. I turned on logging for the firewall rule on port 80, and get "hit counts" when I try reaching port 80. I did a network test from the GCP web console, and it showed port 80 as reachable.
6. I performed a "connectivity test" for both port 80 and 8080 from my laptop's external IP to the GCP external IP. For port 80 it is reachable; for port 8080 it is unreachable, and it fails on the firewall rule:

[screenshot: connectivity test result for port 8080]

But my "allow all" rule has higher priority than that, and I also tried a lower number, with the same result: it fails on this rule.

Any help would be appreciated. Thanks!

Could you please share the configuration of your allow and deny rules? This is to replicate your scenario.

@cristianrm Sure. After creating a new machine, in the Firewall section, I click "Create new Firewall policy".
I then create 2 new rules to allow all ingress traffic for IPv4 and IPv6:

[screenshot: the two allow-all ingress rules in the new policy]

In the associations tab I connect it to the default network:

[screenshot: policy association with the default network]

If I perform a "connectivity test" (which fails), I have on the right side "view interface details":

[screenshot: connectivity test with "view interface details"]

If I click on it, I see the enforcement order of the firewall policies:

[screenshot: enforcement order of the firewall policies]

It seems the default policy gets enforced first, then my "allow all incoming" policy.
Also, in the connectivity test, you can see the "default deny rule" is enforced. So I thought maybe the default policy denies my connection, and my new policy doesn't get called.

I found that in the Firewall section, clicking on the 3 dots, there is "Create new firewall rule" (not policy). I created an "allow all incoming" rule in the default policy as well (I had to give it "tags" inside, so I gave my VM machine name as the tag):

[screenshot: the allow-all incoming rule in the default policy]

But still, my connectivity test fails.


After reviewing your configuration and the screenshots you’ve provided, I can confirm that your policies are taking higher precedence than your allow-all rule.

As shown in the Hierarchical firewall policies:

Lower-level rules cannot override a rule from a higher place in the resource hierarchy. This lets organization-wide admins manage critical firewall rules in one place.

Resource hierarchy:

You create and apply firewall policies as separate steps. You can create and apply firewall policies at the organization or folder nodes of the resource hierarchy. A firewall policy rule can block connections, allow connections, or defer firewall rule evaluation to lower-level folders or VPC firewall rules defined in VPC networks ... By default, all hierarchical firewall policy rules apply to all VMs in all projects under the organization or folder where the policy is associated. However, you can restrict which VMs get a given rule by specifying target networks or target service accounts. The levels of the hierarchy at which firewall rules can now be applied are represented in the following diagram. The yellow boxes represent hierarchical firewall policies that contain firewall rules, while the white boxes represent VPC firewall rules.

[diagram: Hierarchical firewall policies]

You could check the following documentation to review the hierarchy of your policies and rules:
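The enforcement order the reply describes, as an added illustration that is not part of this thread or of Google's tooling: a small Python model of ordered policy levels in which the first matching allow or deny at a higher level is final and a goto_next rule defers to the next level. The level order, rule sets, priorities and addresses are constructed for illustration and are not the poster's real configuration; the only real GCP detail used is the implied ingress deny at priority 65535 at the end of VPC rules.

```python
# Constructed model of hierarchical firewall evaluation (not the gcloud data model).
# Levels are checked in enforcement order; within a level, lowest priority number
# first. ALLOW/DENY is final; GOTO_NEXT defers to the next level.
import ipaddress
from dataclasses import dataclass

ALLOW, DENY, GOTO_NEXT = "allow", "deny", "goto_next"

@dataclass
class Rule:
    priority: int
    action: str
    protocol: str = "all"      # "tcp", "udp", "icmp" or "all"
    ports: tuple = ()          # empty tuple = all ports
    source: str = "0.0.0.0/0"  # source CIDR
    name: str = ""

    def matches(self, proto, port, src_ip):
        if self.protocol not in ("all", proto):
            return False
        if self.ports and port not in self.ports:
            return False
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)

def evaluate(levels, proto, port, src_ip):
    """levels: [(level_name, [Rule, ...]), ...] in enforcement order.
    Returns (level_name, rule_name, action) of the rule that decides."""
    for level_name, rules in levels:
        for rule in sorted(rules, key=lambda r: r.priority):
            if rule.matches(proto, port, src_ip):
                if rule.action == GOTO_NEXT:
                    break      # defer: skip the rest of this level
                return level_name, rule.name, rule.action
    # VPC networks end with an implied ingress deny at priority 65535.
    return "implied", "implied-deny-ingress", DENY

# Scenario like the thread: a higher-level policy allows tcp:80 and denies the
# rest, so the lower-level "allow all" policy and a priority-0 VPC rule never win.
ORG_POLICY = [Rule(100, ALLOW, "tcp", (80,), name="org-allow-http"),
              Rule(1000, DENY, name="default-deny-ingress")]
SCENARIO = [("org-policy", ORG_POLICY),
            ("network-policy", [Rule(1000, ALLOW, name="allow-all-incoming")]),
            ("vpc-rules", [Rule(0, ALLOW, name="allow-all-vpc-rule")])]

def fixed_scenario():
    """The higher level defers tcp:8080 with GOTO_NEXT, and the allow-all policy
    is replaced by a VPC rule scoped to one port and one constructed source range."""
    org = ORG_POLICY[:1] + [Rule(200, GOTO_NEXT, "tcp", (8080,), name="org-defer-8080"),
                            ORG_POLICY[1]]
    vpc = [Rule(1000, ALLOW, "tcp", (8080,), "203.0.113.0/24", "allow-8080-from-office")]
    return [("org-policy", org), ("network-policy", []), ("vpc-rules", vpc)]
```

Running evaluate(SCENARIO, "tcp", 8080, "203.0.113.5") reproduces the thread's symptom (denied by the higher-level rule), while fixed_scenario() allows 8080 only from the scoped range and still falls through to the implied deny for other sources.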