TechQA.

How to allow communication between private instances in GCE

435 views Asked by At

Here is the use case:

  • External IPs are not allowed
  • Custom VPC exist for the GCP Project
  • Instance A has an application running
  • Instance B is considered as a client
  • SQL Instance C is on VPC too and has only internal IP

The goal is to let B send HTTP requests to A so that A send queries to the SQL Instance C.

What are the networking steps to be done in that case? ( only firewall issue since all instances are on the same network? and if so, what are the rules of firewall to be allowed? )

and WHY we can't ping other servers in GCP if they are on the same VPC?

Thank you

VPS firewall settings:

[
{
  "allowed": [
    {
      "IPProtocol": "tcp",
      "ports": [
        "22"
      ]
    },
    {
      "IPProtocol": "tcp",
      "ports": [
        "3389"
      ]
    }
  ],
  "description": "Allow incoming traffic on IAP",
  "direction": "INGRESS",
  "disabled": false,
  "kind": "compute#firewall",
  "logConfig": {
    "enable": false
  },
  "name": "fw-allow-iap",
  "network": "https://www.googleapis.com/compute/v1/projects//global/networks/NETWORK_HERE",
  "priority": 1000,
  "selfLink": "https://www.googleapis.com/compute/v1/projects//global/firewalls/fw-allow-iap",
  "sourceRanges": [
    "35.235.240.0/20"
  ]
},
{
  "allowed": [
    {
      "IPProtocol": "tcp",
      "ports": [
        "80"
      ]
    }
  ],
  "description": "",
  "direction": "INGRESS",
  "disabled": false,
  "kind": "compute#firewall",
  "logConfig": {
    "enable": false
  },
  "name": "NETWORK_HERE-allow-http",
  "network": "https://www.googleapis.com/compute/v1/projects//global/networks/NETWORK_HERE",
  "priority": 1000,
  "selfLink": "https://www.googleapis.com/compute/v1/projects//global/firewalls/NETWORK_HERE-allow-http",
  "sourceRanges": [
    "0.0.0.0/0"
  ],
  "targetTags": [
    "http-server"
  ]
},
{
  "allowed": [
    {
      "IPProtocol": "tcp",
      "ports": [
        "443"
      ]
    }
  ],
  "direction": "INGRESS",
  "disabled": false,
  "kind": "compute#firewall",
  "logConfig": {
    "enable": false
  },
  "name": "NETWORK_HERE-allow-https",
  "network": "https://www.googleapis.com/compute/v1/projects//global/networks/NETWORK_HERE",
  "priority": 1000,
  "selfLink": "https://www.googleapis.com/compute/v1/projects//global/firewalls/NETWORK_HERE-allow-https",
  "sourceRanges": [
    "0.0.0.0/0"
  ],
  "targetTags": [
    "https-server"
  ]
}
]

Instance B settings: (Instance A has the same settings as well)

{
"canIpForward": false,
"confidentialInstanceConfig": {
  "enableConfidentialCompute": false
},
"cpuPlatform": "Intel Haswell",
"deletionProtection": false,
"description": "",
"disks": [
  {
    "autoDelete": true,
    "boot": true,
    "deviceName": "instance-1",
    "diskSizeGb": "10",
    "guestOsFeatures": [
      {
        "type": "UEFI_COMPATIBLE"
      },
      {
        "type": "VIRTIO_SCSI_MULTIQUEUE"
      }
    ],
    "index": 0,
    "interface": "SCSI",
    "kind": "compute#attachedDisk",
    "licenses": [
      "projects/debian-cloud/global/licenses/debian-10-buster"
    ],
    "mode": "READ_WRITE",
    "source": "projects/PROJECT_ID/zones/europe-west1-b/disks/instance-1",
    "type": "PERSISTENT"
  }
],
"displayDevice": {
  "enableDisplay": false
},
"kind": "compute#instance",
"machineType": "projects/PROJECT_ID/zones/europe-west1-b/machineTypes/e2-micro",
"metadata": {
  "fingerprint": "S0UuYvDZ4Tg=",
  "kind": "compute#metadata"
},
"name": "instance-1",
"networkInterfaces": [
  {
    "kind": "compute#networkInterface",
    "name": "nic0",
    "network": "projects/PROJECT_ID/global/networks/NETWORK_HERE",
    "networkIP": "10.0.1.4",
    "subnetwork": "projects/PROJECT_ID/regions/europe-west1/subnetworks/SUBNET_HERE"
  }
],
"reservationAffinity": {
  "consumeReservationType": "ANY_RESERVATION"
},
"scheduling": {
  "automaticRestart": true,
  "onHostMaintenance": "MIGRATE",
  "preemptible": false
},
"selfLink": "projects/PROJECT_ID/zones/europe-west1-b/instances/instance-1",
"serviceAccounts": [
  {
    "email": "[email protected]",
    "scopes": [
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring.write",
      "https://www.googleapis.com/auth/servicecontrol",
      "https://www.googleapis.com/auth/service.management.readonly",
      "https://www.googleapis.com/auth/trace.append"
    ]
  }
],
"shieldedInstanceConfig": {
  "enableIntegrityMonitoring": true,
  "enableSecureBoot": false,
  "enableVtpm": true
},
"shieldedInstanceIntegrityPolicy": {
  "updateAutoLearnPolicy": true
},
"startRestricted": false,
"status": "RUNNING",
"tags": {
  "items": [
    "http-server",
    "https-server"
  ]
},
"zone": "projects/PROJECT_ID/zones/europe-west1-b"

}

networking google-cloud-platform firewall google-vpc private-network
Original Q&A
1

There are 1 answers

0
Yoyo On

From John Hanley's comment here

By default, a VPC is created with this rule (default-allow-icmp). Someone has deleted it. Create a rule allowing ICMP within your VPC. Next, figure out if you have an internal OS firewall and if that allows ICMP. Refer gcp documentation here

Related Questions in NETWORKING

Related Questions in GOOGLE-CLOUD-PLATFORM

Related Questions in FIREWALL

Related Questions in GOOGLE-VPC

Related Questions in PRIVATE-NETWORK

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions