
Google Cloud Compute Engine refuses outer access through apache2

Today, I tried to make a blog with Google Cloud Platform.

So, I made a Compute Engine instance and installed Apache2 on Ubuntu 16.

And then I clicked the outer IP address, but it showed me "connection denied.."

Why does this happen?

I also allowed HTTPS & HTTP traffic.

And I can't find a menu like AWS's Security Group...

So, this problem irritates me...

(I'm not a native English speaker, so the documentation is hard to read.. please give me a tip on this matter)

toyaji asked Jan 03 '23 20:01


1 Answer

TL;DR - You need to open up ports using firewall rules to allow ingress traffic into your VMs.

Google Compute Engine (GCE) blocks all traffic to your VMs by default for the purpose of keeping your infrastructure secure. You can open up ports as needed and manage the security yourself. The default created network has a few exceptions in terms of allowing traffic from other VMs in the network, but still does not allow traffic from outside the network.

Firewalls

Each VPC network has its own firewall controlling access to the instances.

All traffic to instances, even from other instances, is blocked by the firewall unless firewall rules are created to allow it. The exception is the default VPC network that is created automatically with each project. This network has certain automatically created default firewall rules.

For all VPC networks except the automatically created default VPC network, you must create any firewall rules you need. To allow incoming network connections on a manually created VPC network, you need to set up firewall rules to permit these connections. Each firewall rule represents a single rule that determines what connections are permitted to enter or leave instances. It is possible to have many rules and to be as general or specific with these rules as you need. For example, you can create a firewall rule that allows all traffic through port 80 to all instances, or you can create a rule that only allows traffic from one specific IP or IP range to one specific instance.

Firewall rules are connection tracking, and therefore only regulate the initial connection. Once a connection has been established with an instance, traffic is permitted in both directions over that connection.

Since you mention the apache2 package on Ubuntu, the instructions I share here will guide you on how to open up port 80 on your VM and make it accessible through the VM's public IP. You can do the same for any additional ports as needed.

Using gcloud to allow ingress traffic for tcp:80 into your VM

```bash
# Create a new firewall rule that allows INGRESS tcp:80 with VMs containing tag 'allow-tcp-80'
gcloud compute firewall-rules create rule-allow-tcp-80 --source-ranges 0.0.0.0/0 --target-tags allow-tcp-80 --allow tcp:80

# Add the 'allow-tcp-80' tag to a VM named VM_NAME
gcloud compute instances add-tags VM_NAME --tags allow-tcp-80

# If you want to list all the GCE firewall rules
gcloud compute firewall-rules list
```

Using Cloud Console to allow ingress traffic for tcp:80 into your VM

  1. Menu -> Networking -> Firewall Rules
  2. Create Firewall Rule
  3. Choose the following settings for the firewall rule:

    1. Name for the rule - rule-allow-tcp-80 or any other name you prefer for this firewall rule.
    2. Direction is ingress
    3. Action on match is Allow
    4. Targets is Specified target tags
    5. Target tags is allow-tcp-80
    6. Source IP ranges is 0.0.0.0/0 (or if you have a set of IP ranges you know will be the only ones accessing this, use them instead for stronger restriction)
    7. Protocols and ports is tcp:80
    8. Select Create button to create this firewall rule.
  4. Once you've created the above firewall rule you will need to add the tag allow-tcp-80 to all the instances where this rule needs to be applied. In your case:

    1. Open up the GCE VM Instances page
    2. Select the instance where Jenkins is running
    3. In the VM instance details page, select the Edit link on the very top.
    4. In the Network Tags box, enter allow-tcp-80 to apply the tag to this instance.
    5. Select Save to save the changes.

Now give it a few seconds to a few minutes for the changes to take effect and you will be able to access the Jenkins web URL.

You can also go through the documentation for Firewall rules to get a better understanding of how they work and how to configure them.

WARNING: By using a source range of 0.0.0.0/0, you're opening up the port on the VM to the entire internet. This lets clients anywhere in the world connect to the application running on this port. Be fully aware of the security implications of doing this.

Tuxdude answered May 09 '23 13:05
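
The warning above about 0.0.0.0/0 can be checked mechanically. The following is an added example, not part of the original answer: it audits rules exported with `gcloud compute firewall-rules list --format=json` and reports rules that open more than tcp:80 to any source, or that reach every VM because they carry no target. The sample JSON is constructed and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`
SAMPLE = json.loads("""[
 {"name": "rule-allow-tcp-80", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"], "targetTags": ["allow-tcp-80"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
 {"name": "debug-open", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["22", "8000-9000"]}]},
 {"name": "office-only", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["203.0.113.0/24"], "targetTags": ["allow-tcp-80"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
 {"name": "old-rule", "direction": "INGRESS", "disabled": true,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]}
]""")

def is_any_source(cidr):
    """True for 0.0.0.0/0 or ::/0 (a network with prefix length 0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def exposed(rule):
    """Return the 'proto:port' strings a rule opens to the whole internet."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
        return []
    if not any(is_any_source(c) for c in rule.get("sourceRanges", [])):
        return []
    out = []
    for entry in rule.get("allowed", []):  # deny rules use "denied" instead
        proto = entry["IPProtocol"]
        # No "ports" key means every port of that protocol is allowed.
        out += [f"{proto}:{p}" for p in entry.get("ports", ["*"])]
    return out

def audit(rules, intended=frozenset({"tcp:80"})):
    """Flag rules exposing ports beyond `intended`, or exposing any port with no target."""
    findings = []
    for rule in rules:
        ports = exposed(rule)
        extra = [p for p in ports if p not in intended]
        # Without target tags or service accounts a rule applies to every VM in the network.
        untagged = bool(ports) and not (rule.get("targetTags") or rule.get("targetServiceAccounts"))
        if extra or untagged:
            findings.append((rule["name"], extra, untagged))
    return findings

if __name__ == "__main__":
    for name, extra, untagged in audit(SAMPLE):
        print(f"{name}: unexpected={extra} applies_to_all_vms={untagged}")
```

To run it against a real project, replace `SAMPLE` with the parsed output of the `gcloud` command and adjust `intended` to the ports you meant to publish.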