'IAP tunnel to VM

I’ve a question regarding Compute VM and its associated privileges. I have ‘Owner’ privileges at Project level. I created a VM but was not able to assign an external IP address to it. Upon referring to google cloud docs, it appears that I’ll still be able to connect to this VM using VPN or IAP. Upon clicking the SSH link next to the VM, I see that it uses a Cloud-IAP tunnel but the connection fails.

Here is the error message External IP address was not found; defaulting to using IAP tunneling.

ERROR: (gcloud.compute.start-iap-tunnel) Error while connecting [4003: u'failed to connect to backend'].
ssh_exchange_identification: Connection closed by remote host
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].

How do I go about connecting to this VM?

Appreciate your help with this

google-compute-enginegoogle-iap


Solution 1:[1]

Firewall rules that are configured to allow access from Cloud IAP's TCP forwarding netblock, 35.235.240.0/20, on all ports of your machine. This ensures that connections are allowed from Cloud IAP's TCP forwarding IP addresses to the TCP port of the admin service on your resource. Note that you might not need to adjust your firewall rules if the default-allow-ssh and default-allow-rdp default rules are applied to ports used for SSH and RDP.

As probably you already have default-allow-ssh instead of trying:

gcloud compute start-iap-tunnel stage-es-kibana 5601 --local-host-port=localhost:5601

jump to port via extra ssh layer:

gcloud compute ssh stage-es-kibana -- -N -L 5601:localhost:5601

or open Google Firewall between host/port stage-es-kibana:5601 and subnet 35.235.240.0/20.

Solution 2:[2]

This is a permissions issue. You are trying to ssh into your vm thru google's IAP proxy. You don't have permissions to create the tunnel from your computer to the proxy server.

You need have the role "roles/iap.tunnelResourceAccessor" to ssh to your vm:

Solution 3:[3]

It seems that the GCP CE requires to initialize SSH and other services after its RUNNING status. I used a workaround by adding a sleep (60 sec) command, after starting the VM and before SSH using the IAP tunnel.

Solution 4:[4]

In my case I solved or worked around it by omitting the --tunnel-through-iap parameter that is passed to gcloud compute ssh.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 gavenkoa
Solution 2 Priyesh Patel
Solution 3 Jijo John
Solution 4 Chris Stryczynski

Related Questions

Allow-IAP Firewall Rule created in default VPC in GCP getting reflected in other VPC as well

Permission Denied when trying to write on a TPU VM foler

Google Cloud Free Tier will start charging for static or ephemeral IP Address?

How can size of the root disk in Google Compute Engine be increased?

How to install Dart in Google Compute Engine (GCE)?

Why does Google Cloud Storage freeze when I try to upload a large folder (2.5GB of images)?

Jenkins does not start properly after reboot on GCE

startup script yum install fails with "signature could not be verified for google-cloud-sdk"

Removing disks with gcloud

in-browser SSH - IP address range

Github Self-Hosted runner registration auth fails in GCE

Compute Engine API - How to create an instance with container?

How to set $HOME before startup script in Google Compute Engine

PG bouncer running on vm instance stops connecting to cloud sql

Traefik on Kubernetes (GCE/GKE) behind GCE Load Balancer