Unable to connect to HTTP service running on Google Compute Engine VM instance

I have a VM instance running COS version 'cos-dev-61-9733-0-0' on a f1-micro instance. I have configured an external IP address 146.xxx.xxx.106 and assigned to this instance. I'm trying to test the HTTP connectivity to this instance from my local workstation and have been unsuccessful so far.

I enabled both the "Allow HTTP traffic" and "Allow HTTPS traffic" settings under "Firewalls", even though they don't show the boxes checked after I save it. The Network tags field, however, has the value "http-server, https-server" as shown below:

[screenshot: instance network tags]

I also confirmed that the "Networking > Firewall Setups" has a default HTTP rule as follows:

[screenshot: default HTTP firewall rule]

I found a similar issue reported here, however that did not help resolve my issue: Cannot access Google Cloud Compute Instance External IP. Any suggestions around additional setups that I'm missing would be highly appreciated. I looked for OS level firewall settings but I could not find sufficient documentation for Chromium OS.

Below are the steps I followed:

On the GCE instance:

$ sudo python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...

$ sudo netstat -antup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      638/sshd
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      613/systemd-resolve
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      12750/python2.7

Ran the curl command and got the below response:

$ curl http://localhost:80
Directory listing for /


  • .bash_history
  • .bash_logout
  • .bash_profile
  • .bashrc
  • .docker/
  • .ssh/
  • .viminfo
  • apps/

From local workstation:

  1. Ping the external IP address and received response:

$ ping 146.xxx.xxx.106
PING 146.xxx.xxx.106 (146.xxx.xxx.106) 56(84) bytes of data.
64 bytes from 146.xxx.xxx.106: icmp_seq=1 ttl=63 time=1131 ms
^C
--- 146.xxx.xxx.106 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2007ms

  2. SSH-ed to the instance successfully:

$ ssh 146.xxx.xxx.106
debianuser@cos-dev-61-dockervm1 ~ $

  3. Ran 'nmap' command but it shows only the SSH port 22 open:

$ nmap -Pn 146.xxx.xxx.106
Starting Nmap 6.47 ( http://nmap.org ) at 2017-07-20 11:35 CDT
Nmap scan report for 106.xxx.xxx.146.bc.googleusercontent.com (146.xxx.xxx.106)
Host is up (0.17s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 86.74 seconds

Hari N, asked Jul 20 '17 21:07


1 Answer

The Container-optimized OS images have firewall enabled at the operating system level to block all incoming traffic (except for ssh). Only outgoing traffic is allowed by default.

In addition to configuring the Google Compute Engine firewall rules to allow incoming traffic to your VMs, you will also need to ensure your OS running within the VM allows it too.

This is mentioned in the docs for Container-Optimized OS:

Configuring the Host Firewall

By default, the Container-Optimized OS host firewall allows only outgoing connections, and accepts incoming connections only through the SSH service. To accept incoming connections on a Container-Optimized OS instance, you must open the ports your services are listening on.

For example, to accept connections from other instances within the same Compute Engine project, run the following commands on both your development workstation, and on your Container-Optimized OS instance:

# On your workstation:
SUBNETWORK_URI=$(gcloud compute instances describe ${COS_INSTANCE_NAME} | grep -w 'subnetwork:' | awk '{ print $2 }')
SUBNET_PREFIX=$(gcloud compute networks subnets describe ${SUBNETWORK_URI} | grep -w 'ipCidrRange:' | awk '{ print $2 }')

# On your Container-Optimized OS instance:
sudo iptables -w -A INPUT -p tcp -s ${SUBNET_PREFIX} -j ACCEPT
sudo iptables -w -A INPUT -p udp -s ${SUBNET_PREFIX} -j ACCEPT

As another example, if you need to accept HTTP (port 80) connections from any source IP address, run the following commands on your Container-Optimized OS instance:

# On your Container-Optimized OS instance:
sudo iptables -w -A INPUT -p tcp --dport 80 -j ACCEPT

In general, it is recommended you configure the host firewall as a systemd service through cloud-init.

Tuxdude, answered Oct 11 '22 07:10
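The two pieces the answer describes, opening the port in the host firewall and persisting that through cloud-init, put together as one script. This is an added example, not the answer's code and not the COS documentation's; it assumes a Container-Optimized OS instance where iptables is at /sbin/iptables and sudo is available, that the service to expose is the asker's SimpleHTTPServer on TCP port 80, and that the GCE firewall rule for the http-server tag is already in place as the question shows. The script name open-port.sh and the unit name config-firewall.service are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the answer or the COS docs). Assumed: COS instance,
# sudo available, /sbin/iptables is the iptables binary, service on TCP 80.
set -eu

# Arguments for an "accept inbound TCP to this port" rule, kept in one place so
# the existence check and the add use the identical rule text.
rule_args() {
    echo "INPUT -p tcp --dport $1 -j ACCEPT"
}

# Idempotent add: -C (--check) asks whether the rule is already in the chain and
# exits non-zero when it is not, so re-running never stacks duplicate rules.
# $(rule_args ...) is deliberately unquoted so it splits into separate arguments.
open_tcp_port() {
    port=$1
    if sudo iptables -w -C $(rule_args "$port") 2>/dev/null; then
        echo "port $port: host firewall already accepts it"
    else
        sudo iptables -w -A $(rule_args "$port")
        echo "port $port: host firewall rule added"
    fi
}

# Print the INPUT chain as rules, so a "filtered" port in nmap can be tied to
# the host firewall policy rather than guessed at from the GCE console.
show_host_firewall() {
    sudo iptables -w -S INPUT
}

# cloud-init user-data that re-applies the rule at boot through a oneshot
# systemd unit, the persistent form the answer recommends; a rule added by
# hand with iptables is lost at the next reboot.
render_cloud_config() {
    port=$1
    cat <<EOF
#cloud-config

write_files:
- path: /etc/systemd/system/config-firewall.service
  permissions: 0644
  owner: root
  content: |
    [Unit]
    Description=Open TCP port $port in the host firewall

    [Service]
    Type=oneshot
    RemainAfterExit=true
    ExecStart=/sbin/iptables -w -A INPUT -p tcp --dport $port -j ACCEPT

runcmd:
- systemctl daemon-reload
- systemctl start config-firewall.service
EOF
}

# Usage on the instance:    sh open-port.sh apply 80
# Usage on the workstation: sh open-port.sh cloud-config 80 > user-data.yaml
#   gcloud compute instances add-metadata INSTANCE_NAME \
#       --metadata-from-file user-data=user-data.yaml
#   then reboot the instance so cloud-init installs and starts the unit.
case "${1:-}" in
    apply)        open_tcp_port "${2:-80}"; show_host_firewall ;;
    cloud-config) render_cloud_config "${2:-80}" ;;
    *)            : ;;   # no action when sourced or run without a subcommand
esac
```

The `apply` path is the quick fix for a running instance and is safe to repeat; the `cloud-config` path is what keeps the port open across reboots. Both only widen the host firewall for the single port the service listens on, which keeps the rest of the default deny-inbound posture of COS intact.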