This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

Cannot connect to vm instance via external ip after import virtual macine

Posted on 10-12-2023 08:14 AM
emelkurnaz
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I created a compute engine instance with import virtual machine's .ova file via gcloud command. But I cannot connect my instance both ssh and external ip. When connecting via ssh, the error given below

Code: 4003 Reason: failed to connect to backend Please ensure that: - your user account has iap.tunnelInstances.accessViaIAP permission - VM has a firewall rule that allows TCP ingress traffic from the IP range 35.235.240.0/20, port: 22 - you can make a proper https connection to the IAP for TCP hostname: https://tunnel.cloudproxy.app You may be able to connect without using the Cloud Identity-Aware Proxy.

When entering ip as  http://34.70.172.154/ ERR_CONNECTION_TIMED_OUT given

Pinging to 34.70.172.154 results as Request timed out. 

Ports are open on firewall with http-server tagged, but I could not understand what is the issue.

 

0 1 735
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
lawrencenelson
Staff
Reply posted on --/--/---- --:-- AM

Hi @emelkurnaz,

Welcome to the Google Cloud Community!

Based on the error log that you received (Code: 4003, Reason: failed to connect to backend), please ensure the following:

  • Verify that your user or service account has the IAP-Secured Tunnel User role [1] to be able to SSH into the instance. Adding the IAP-Secured Tunnel User role includes the iap.tunnelInstances.accessViaIAP and iap.tunnelDestGroups.accessViaIAP permissions.

Next, follow the steps provided in this GCC thread to configure your firewall.

If TCP:22 is already allowed in your firewall with type Ingress, then there is no issue with GCP Firewall but your next step is also to configure your firewall to allow access through Identity-Aware Proxy (IAP).

If you need to set up your instance with Identity-Aware Proxy (IAP), you may refer to this document Setting up IAP for Compute Engine. But if you already set up your instance, you just need to enable IAP Enabling IAP for Compute Engine.

Please let me know if that worked so we can further troubleshoot the issue. Thank you!

[1]. https://cloud.google.com/iap/docs/managing-access#roles
[2]. https://www.googlecloudcommunity.com/gc/Infrastructure-Compute-Storage/SSH-connectivity-problems/m-p...

0 Likes