I have a shiny Compute Engine instance running COS, with a Docker container using host networking, listening on a particular UDP port. It has an external IPv4 address on the default NIC - it's an ephemeral address and it doesn't show up in ipconfig, but I couldn't determine from the documentation if there was any reason UDP packets shouldn't go through.
I've added firewall rules to allow UDP traffic on that particular port on the instance's service account, and the cloud logging indicates that these rules are being matched.
If I use nc from the COS toolbox on the instance, I see a message in my application's log. But from elsewhere, it looks like my packets don't get through. What else might I need to configure to get packets on the external IP address coming through to my instance?
Hi @laurie,
Welcome to Google Cloud Community!
I understand that your instance's firewall rule was set to allow UDP packets; even so, confirm that the firewall rule permits UDP traffic on the designated port for both ingress and egress. For VPC firewall rules (network-level firewall), ensure that you have a rule allowing inbound UDP traffic on the specified port to the instances within the relevant subnet (or using tags if you're using them for finer control).
Check whether the container’s application is bound to the correct IP address (0.0.0.0 for all interfaces or the specific external IP address). Sometimes applications will bind to localhost which would restrict traffic to the local machine and not be accessible externally.
You can also increase the UDP connection timeout; the application might expect a response to a request sent via UDP and might need to wait for a certain amount of time before it considers the request failed.
You may also reach out to Google Cloud Support for more detailed insights and assistance.
Other necessary documentation: Containers on Compute Engine
I hope the information above is helpful.
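The bind-address check from the answer above, as an added diagnostic that is not part of the original thread or of any Google tool: it classifies how the UDP listener on the COS host is bound from the output of `ss -ulnp`, and says what to verify next for each case. The port number (5000) and the `ss` output embedded in the script are constructed for illustration; on the VM the script reads the live `ss` output instead. One caveat the check relies on: a Compute Engine external IP is 1:1 NAT and is never configured on the guest NIC (which is why it does not appear in the interface listing), so an application bound to that external address will not receive anything; it must bind to 0.0.0.0 or to the NIC's internal IP.

```shell
#!/bin/sh
# Added diagnostic (not from the original thread): classify how a UDP listener on a
# COS host running a host-network container is bound, from `ss -ulnp` output.
# Assumptions: port 5000 and SAMPLE_SS below are constructed for illustration.
# Live use on the VM: sudo sh udp_bind_check.sh <port>

# classify_udp_bind SS_OUTPUT PORT
# Prints exactly one of: localhost-only, all-interfaces, specific:<addr>, not-listening
classify_udp_bind() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "State" { next }                  # skip the ss header line
        {
            laddr = $4                          # "Local Address:Port" column
            n = match(laddr, /:[0-9]+$/)        # last ":port", so [::]:5000 works too
            if (n == 0) next
            addr = substr(laddr, 1, n - 1)
            p    = substr(laddr, n + 1)
            if (p != port) next
            found = 1
            if (addr == "127.0.0.1" || addr == "[::1]")              { print "localhost-only"; exit }
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")  { print "all-interfaces"; exit }
            print "specific:" addr; exit
        }
        END { if (!found) print "not-listening" }
    '
}

# next_check CLASSIFICATION
# For each bind classification, state what to verify next.
next_check() {
    case "$1" in
        localhost-only)
            echo "Bound to loopback: only on-host clients (e.g. nc from the toolbox) can reach it." \
                 "Bind the application to 0.0.0.0 or to the NIC's internal IP." ;;
        all-interfaces)
            echo "Bound to all interfaces: if external packets still fail, the drop happens before the host." \
                 "Re-check the INGRESS rule's source ranges and target service account, and watch the NIC" \
                 "with tcpdump to see whether the packets arrive at all." ;;
        specific:*)
            echo "Bound to ${1#specific:} only. The external IP is 1:1 NAT and never appears on the NIC," \
                 "so binding to it receives nothing; use the internal IP or 0.0.0.0." ;;
        not-listening)
            echo "No UDP socket on that port: check the container is running with host networking." ;;
    esac
}

# Constructed sample output (not captured from a real VM): the app on 5000 is loopback-only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.1:5000     0.0.0.0:*     users:(("app",pid=1234,fd=3))
UNCONN 0      0      0.0.0.0:9000       0.0.0.0:*     users:(("other",pid=400,fd=6))'

if [ $# -ge 1 ] && command -v ss >/dev/null 2>&1; then
    result=$(classify_udp_bind "$(ss -ulnp 2>/dev/null)" "$1")   # live mode on the VM
else
    result=$(classify_udp_bind "$SAMPLE_SS" 5000)                # offline demo on the sample
fi
echo "bind check: $result"
next_check "$result"
```

Once the socket is confirmed on all interfaces, a listener that was previously loopback-only is now reachable from the whole Internet through the ephemeral external address, so the matching INGRESS rule should be narrowed to the client source ranges that actually need it rather than 0.0.0.0/0. Sending a test datagram from outside with `nc -u <external-ip> <port>` while watching the NIC on the VM with tcpdump (`tcpdump -ni eth0 udp port <port>`, if tcpdump is available in the toolbox) separates the two remaining cases: packets that never appear on the NIC are being dropped by the firewall or NAT path, and packets that appear but produce no application log line point back at the container.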