IAP tunnel to VM
I have a question regarding a Compute VM and its associated privileges. I have "Owner" privileges at the project level. I created a VM but was not able to assign an external IP address to it. Upon referring to the Google Cloud docs, it appears that I'll still be able to connect to this VM using VPN or IAP. Upon clicking the SSH link next to the VM, I see that it uses a Cloud IAP tunnel, but the connection fails.
Here is the error message:
External IP address was not found; defaulting to using IAP tunneling.
ERROR: (gcloud.compute.start-iap-tunnel) Error while connecting [4003: u'failed to connect to backend'].
ssh_exchange_identification: Connection closed by remote host
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].
How do I go about connecting to this VM?
Appreciate your help with this.
Solution 1:[1]
- https://hodari.be/posts/2019_09_30_access_private_gke_nodes_with_ssh/
- https://cloud.google.com/iap/docs/using-tcp-forwarding
Firewall rules that are configured to allow access from Cloud IAP's TCP forwarding netblock, 35.235.240.0/20, on all ports of your machine. This ensures that connections are allowed from Cloud IAP's TCP forwarding IP addresses to the TCP port of the admin service on your resource. Note that you might not need to adjust your firewall rules if the default-allow-ssh and default-allow-rdp default rules are applied to ports used for SSH and RDP.
As you probably already have default-allow-ssh, instead of trying:
gcloud compute start-iap-tunnel stage-es-kibana 5601 --local-host-port=localhost:5601
jump to the port via an extra SSH layer:
gcloud compute ssh stage-es-kibana -- -N -L 5601:localhost:5601
or open the Google firewall between host/port stage-es-kibana:5601 and subnet 35.235.240.0/20.
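A check for the firewall condition Solution 1 describes, added here as an example (it is not code from the answer or from Google): it reads the JSON that gcloud compute firewall-rules list --format=json prints and reports which enabled ingress rules admit TCP port 22 (or another port) from a source range covering the IAP netblock 35.235.240.0/20. The sample rules below are constructed, not real project data.

```python
"""Report which firewall rules let Cloud IAP TCP forwarding reach a port on a VM."""
import ipaddress
import json

# Cloud IAP's TCP forwarding netblock, as quoted in the answer above.
IAP_NETBLOCK = ipaddress.ip_network("35.235.240.0/20")


def _covers_iap(src):
    """True if the source range `src` contains the whole IAP netblock."""
    net = ipaddress.ip_network(src, strict=False)
    return net.version == IAP_NETBLOCK.version and IAP_NETBLOCK.subnet_of(net)


def _port_in(ports, port):
    """True if `port` is in `ports` (single ports or 'lo-hi' ranges).
    gcloud omits `ports` entirely when a rule allows every port of a protocol."""
    if not ports:
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def iap_ssh_rules(rules, port=22):
    """Names of enabled INGRESS rules allowing TCP `port` from a range that covers
    the IAP netblock. `rules` is the parsed JSON list from
    `gcloud compute firewall-rules list --format=json`. An empty result means the
    tunnel will fail with 'failed to connect to backend' for any VM these rules cover."""
    hits = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if not any(_covers_iap(src) for src in rule.get("sourceRanges", [])):
            continue
        for allowed in rule.get("allowed", []):
            proto = allowed.get("IPProtocol", "").lower()
            if proto in ("tcp", "all") and _port_in(allowed.get("ports"), port):
                hits.append(rule["name"])
                break
    return hits


# Constructed sample shaped like gcloud's JSON output (not real project data).
SAMPLE_RULES = json.loads("""[
 {"name": "default-allow-ssh", "direction": "INGRESS", "priority": 65534,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "allow-iap-kibana", "direction": "INGRESS", "priority": 1000,
  "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["5600-5610"]}]},
 {"name": "allow-iap-ssh-disabled", "direction": "INGRESS", "disabled": true,
  "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]""")

if __name__ == "__main__":
    print("SSH via IAP allowed by:", iap_ssh_rules(SAMPLE_RULES))
    print("Kibana (5601) via IAP allowed by:", iap_ssh_rules(SAMPLE_RULES, 5601))
```

Target tags on a rule are not evaluated here, so a listed rule may still not apply to a particular VM; the disabled rule in the sample shows why an enabled-looking range alone is not enough.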
Solution 2:[2]
This is a permissions issue. You are trying to SSH into your VM through Google's IAP proxy. You don't have permissions to create the tunnel from your computer to the proxy server.
You need to have the role "roles/iap.tunnelResourceAccessor" to SSH to your VM.
Solution 3:[3]
It seems that the GCP CE needs to initialize SSH and other services after reaching its RUNNING status. I used a workaround by adding a sleep (60 sec) command after starting the VM and before SSHing through the IAP tunnel.
Solution 4:[4]
In my case I solved or worked around it by omitting the --tunnel-through-iap parameter that is passed to gcloud compute ssh.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source
---|---
Solution 1 | gavenkoa
Solution 2 | Priyesh Patel
Solution 3 | Jijo John
Solution 4 | Chris Stryczynski