
I have 2 Google Compute Engine instances and I want to open port 9090 in both the instances. I think we need to add some firewall rules.

Can you tell me how can I do that?

noob
Subhradip Bose
  • I think this question has been answered. Would you mind selecting one of the answers below? It would help future readers more easily recognize that this problem has been solved. – modulitos Sep 18 '16 at 23:03
  • Yo, Subhradip, choose an answer. – oligofren Nov 01 '18 at 13:17

8 Answers


You need to:

  1. Go to cloud.google.com

  2. Go to my Console

  3. Choose your Project

  4. Choose Networking > VPC network

  5. Choose "Firewalls rules"

  6. Choose "Create Firewall Rule"

  7. To apply the rule to select VM instances, select Targets > "Specified target tags", and enter into "Target tags" the name of the tag. This tag will be used to apply the new firewall rule onto whichever instance you'd like. Then, make sure the instances have the network tag applied.

  8. To allow incoming TCP connections to port 9090, in "Protocols and Ports" enter tcp:9090

  9. Click Create

I hope this helps you.

Update: Please refer to the docs to customize your rules.

Carlos Rojas

Here is the command-line approach to answer this question:

gcloud compute firewall-rules create <rule-name> --allow tcp:9090 --source-tags=<list-of-your-instances-names> --source-ranges=0.0.0.0/0 --description="<your-description-here>"

This will open the port 9090 for the instances that you name. Omitting --source-tags and --source-ranges will apply the rule to all instances. More details are in the gcloud documentation and the firewall-rules create command manual.

The previous answers are great, but Google recommends using the newer gcloud commands instead of the gcutil commands.

PS: To get an idea of Google's firewall rules, run gcloud compute firewall-rules list and view all your firewall rules.

modulitos
  • I get complaints when I use the `--description` part, but otherwise this works for me. – shabbychef Feb 10 '16 at 00:14
  • I am not sure if they changed the API, but the source and target seem to be the opposite of @modulitos's answer. According to the [firewall-rules command documentation](https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create), `source` means incoming traffic whereas `target` refers to the instances to apply the rule to. – cindyxiaoxiaoli Feb 08 '18 at 16:01
  • `ERROR: (gcloud.compute.firewall-rules.create) Could not fetch resource: - Insufficient Permission` @modulitos – alper Mar 06 '18 at 08:53
  • What is the aftermath test @modulitos? Is it `telnet :instance_ip :port` or `nmap -p :port :instance_ip`? – Nam G VU Mar 20 '19 at 04:44
  • @alper You have to do this command before: "gcloud auth login" and login – Anton Tkachov Dec 18 '19 at 16:26
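The `gcloud compute firewall-rules list` check mentioned in this answer is the natural place to see what a rule like the one above actually exposes. The following is an added example for this page, not code from any of the answers: it parses the JSON form of that listing (`--format=json`) and reports every enabled INGRESS allow rule whose source is 0.0.0.0/0, rating a rule that applies to all instances in the network, or to every port of a protocol, above one that is at least scoped to target tags. The rule list embedded in the script is constructed for the example; the field names follow the gcloud JSON output (`sourceRanges`, `targetTags`, `targetServiceAccounts`, `allowed`, `denied`, `disabled`).

```python
"""Audit GCE VPC firewall rules for ingress open to the whole Internet.

Added example: reads the JSON printed by
`gcloud compute firewall-rules list --format=json` (pipe it in on stdin)
and flags enabled INGRESS allow rules whose source is 0.0.0.0/0.
The sample below is constructed for this example, not real project output.
"""
import json
import sys

ANYWHERE = "0.0.0.0/0"

# Constructed sample in the shape of the gcloud JSON listing; only the fields
# the audit looks at are included.
SAMPLE_RULES_JSON = """[
  {"name": "allow-9090-my-app", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["203.0.113.0/24"], "targetTags": ["my-app"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["9090"]}]},
  {"name": "allow-9090-tagged-world", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["my-app"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["9090"]}]},
  {"name": "allow-9090-everyone", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["9090"]}]},
  {"name": "default-allow-internal", "direction": "INGRESS", "priority": 65534,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["0-65535"]},
               {"IPProtocol": "udp", "ports": ["0-65535"]},
               {"IPProtocol": "icmp"}]},
  {"name": "old-rule-disabled", "direction": "INGRESS", "priority": 1000,
   "disabled": true, "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["9090"]}]},
  {"name": "deny-9090-world", "direction": "INGRESS", "priority": 900,
   "sourceRanges": ["0.0.0.0/0"],
   "denied": [{"IPProtocol": "tcp", "ports": ["9090"]}]}
]"""


def load_rules(text):
    """Parse the JSON list that `gcloud ... list --format=json` prints."""
    return json.loads(text)


def allows_all_ports(entry):
    """An 'allowed' entry with no 'ports' key, or an explicit 0-65535, covers every port."""
    ports = entry.get("ports")
    return ports is None or "0-65535" in ports


def audit_rules(rules):
    """Return (name, severity, detail) for each enabled INGRESS allow rule open to 0.0.0.0/0.

    HIGH   : applies to every instance in the network, or opens every port of a protocol
    MEDIUM : scoped to target tags / service accounts, but reachable from any address
    """
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        allowed = rule.get("allowed")          # deny rules have "denied" instead
        if not allowed or ANYWHERE not in rule.get("sourceRanges", []):
            continue
        targets = rule.get("targetTags", []) + rule.get("targetServiceAccounts", [])
        scoped = bool(targets)
        wide_open = any(allows_all_ports(a) for a in allowed)
        exposed = ", ".join(
            a["IPProtocol"] + (":" + "/".join(a["ports"]) if a.get("ports") else "")
            for a in allowed)
        severity = "HIGH" if wide_open or not scoped else "MEDIUM"
        where = "targets " + ",".join(targets) if scoped else "ALL instances"
        findings.append((rule["name"], severity, f"{exposed} from {ANYWHERE} to {where}"))
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RULES_JSON
    for name, severity, detail in audit_rules(load_rules(text)):
        print(f"{severity:6s} {name}: {detail}")
```

Run it against a real project with `gcloud compute firewall-rules list --format=json | python3 audit_rules.py`; with no input it audits the built-in sample, where the rule scoped to the `my-app` tag from a single /24 produces no finding, the tag-scoped world-open rule is MEDIUM, and the two rules with no target filter are HIGH.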

Creating firewall rules

Please review the firewall rule components [1] if you are unfamiliar with firewall rules in GCP. Firewall rules are defined at the network level, and only apply to the network where they are created; however, the name you choose for each of them must be unique to the project.

For Cloud Console:

  1. Go to the Firewall rules page in the Google Cloud Platform Console.
  2. Click Create firewall rule.
  3. Enter a Name for the firewall rule. This name must be unique for the project.
  4. Specify the Network where the firewall rule will be implemented.
  5. Specify the Priority of the rule. The lower the number, the higher the priority.
  6. For the Direction of traffic, choose ingress or egress.
  7. For the Action on match, choose allow or deny.
  8. Specify the Targets of the rule.

    • If you want the rule to apply to all instances in the network, choose All instances in the network.
    • If you want the rule to apply to select instances by network (target) tags, choose Specified target tags, then type the tags to which the rule should apply into the Target tags field.
    • If you want the rule to apply to select instances by associated service account, choose Specified service account, indicate whether the service account is in the current project or another one under Service account scope, and choose or type the service account name in the Target service account field.
  9. For an ingress rule, specify the Source filter:

    • Choose IP ranges and type the CIDR blocks into the Source IP ranges field to define the source for incoming traffic by IP address ranges. Use 0.0.0.0/0 for a source from any network.
    • Choose Subnets then mark the ones you need from the Subnets pop-up button to define the source for incoming traffic by subnet name.
    • To limit source by network tag, choose Source tags, then type the network tags into the Source tags field. For the limit on the number of source tags, see VPC Quotas and Limits. Filtering by source tag is only available if the target is not specified by service account. For more information, see filtering by service account vs. network tag.
    • To limit source by service account, choose Service account, indicate whether the service account is in the current project or another one under Service account scope, and choose or type the service account name in the Source service account field. Filtering by source service account is only available if the target is not specified by network tag. For more information, see filtering by service account vs. network tag.
    • Specify a Second source filter if desired. Secondary source filters cannot use the same filter criteria as the primary one.
  10. For an egress rule, specify the Destination filter:

    • Choose IP ranges and type the CIDR blocks into the Destination IP ranges field to define the destination for outgoing traffic by IP address ranges. Use 0.0.0.0/0 to mean everywhere.
    • Choose Subnets then mark the ones you need from the Subnets pop-up button to define the destination for outgoing traffic by subnet name.
  11. Define the Protocols and ports to which the rule will apply:

    • Select Allow all or Deny all, depending on the action, to have the rule apply to all protocols and ports.

    • Define specific protocols and ports:

      • Select tcp to include the TCP protocol and ports. Enter all or a comma delimited list of ports, such as 20-22, 80, 8080.
      • Select udp to include the UDP protocol and ports. Enter all or a comma delimited list of ports, such as 67-69, 123.
      • Select Other protocols to include protocols such as icmp or sctp.
  12. (Optional) You can create the firewall rule but not enforce it by setting its enforcement state to disabled. Click Disable rule, then select Disabled.

  13. (Optional) You can enable firewall rules logging:

    • Click Logs > On.
    • Click Turn on.
  14. Click Create.

Link: [1] https://cloud.google.com/vpc/docs/firewalls#firewall_rule_components

Kervin L

You'll need to add a firewall rule to open inbound access to tcp:9090 to your instances. If you have more than the two instances, and you only want to open 9090 to those two, you'll want to make sure that there is a tag that those two instances share. You can add or update tags via the console or the command-line; I'd recommend using the GUI for that if needed because it handles the read-modify-write cycle with setinstancetags.

If you want to open port 9090 to all instances, you can create a firewall rule like:

gcutil addfirewall allow-9090 --allowed=tcp:9090

which will apply to all of your instances.

If you only want to open port 9090 to the two instances that are serving your application, make sure that they have a tag like my-app, and then add a firewall like so:

gcutil addfirewall my-app-9090 --allowed=tcp:9090 --target_tags=my-app

You can read more about creating and managing firewalls in GCE here.

E. Anderson

This question is old and Carlos Rojas's answer is good, but I think I should post a few things which should be kept in mind while trying to open the ports.

The first thing to remember is that the Networking section has been renamed to VPC Networking. So if you're trying to find out where the Firewall Rules option is available, go look at VPC Networking.

The second thing is, if you're trying to open ports on a Linux VM, make sure that under no circumstances you try to open the port using the ufw command. I tried using that and lost ssh access to the VM. So don't repeat my mistake.

The third thing is, if you're trying to open ports on a Windows VM, you'll need to create Firewall rules inside the VM also in Windows Firewall along with VPC Networking -> Firewall Rules. The port needs to be opened in both firewall rules, unlike Linux VM. So if you're not getting access to the port from outside the VM, check if you've opened the port in both GCP console and Windows Firewall.

The last (obvious) thing is, do not open ports unnecessarily. Close the ports as soon as you no longer need them.

I hope this answer is useful.

noob
  • Good tips except that I did open some specific ports with the `ufw` command and I still have ssh access. – stackErr Oct 24 '18 at 23:43

I had the same problem as you do and I could solve it by following @CarlosRojas's instructions with a little difference. Instead of creating a new firewall rule, I edited the default-allow-internal one to accept traffic from anywhere, since creating new rules didn't make any difference.

  • There is a charge to create a new firewall rule. Did you manage to avoid that by editing this rule? – killjoy Oct 18 '16 at 22:38
  • @killjoy I am not sure about it. I am not currently using google compute engine. Sorry. – Oct 19 '16 at 04:51
  • While this may work, there are security concerns with this method. What I found to work for me was utilizing the firewall tags on my instances. When you create a firewall rule, you can create a "Target Tag" for that rule. You then can apply that tag to your VM Instance which will apply the rule to your specific instance. See the accepted answer here for more: http://stackoverflow.com/questions/31509722/how-do-i-enable-http-traffic-for-gce-instance-templates – k00k May 01 '17 at 18:21

I had to fix this by decreasing the priority (making it higher). This caused an immediate response. Not what I was expecting, but it worked.

justbob
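The priority behaviour this answer ran into (and the "lower number, higher priority" step in the console walkthrough above) is easy to model. The following is an added example written for this page, not code from any of the answers: it resolves which rule wins for an ingress packet using the documented VPC order, in which the lowest priority number is evaluated first, deny beats allow at equal priority, and an implied deny-all-ingress rule sits at priority 65535. The rule names, the `my-app` tag and the client address 198.51.100.7 are constructed; `demo()` reproduces the case where an allow rule appears to do nothing until its priority number is lowered below a competing deny.

```python
"""Resolve which GCE VPC firewall rule decides an ingress packet.

Added example modelling the documented evaluation order for VPC firewall
rules: lowest priority number wins; deny beats allow at the same priority;
an implied deny-all-ingress rule exists at priority 65535; a rule with target
tags only applies to instances carrying one of them. Rules and packet below
are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    priority: int = 1000             # 0 = highest priority, 65535 = lowest
    protocol: str = "tcp"            # "tcp", "udp", "icmp", or "all"
    ports: str = ""                  # "" = all ports; else e.g. "20-22,80,8080"
    source_ranges: tuple = ("0.0.0.0/0",)
    target_tags: tuple = ()          # () = every instance in the network


# GCP's implied rule: anything not explicitly allowed inbound is dropped.
IMPLIED_DENY_INGRESS = Rule("implied-deny-ingress", "deny", 65535, "all")


def port_matches(spec, port):
    """True if port falls within a 'Protocols and ports' style spec such as '20-22,80,8080'."""
    if not spec:
        return True
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = item.split("-", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(item) == port:
            return True
    return False


def rule_applies(rule, src_ip, proto, port, instance_tags):
    """Does the rule match a packet from src_ip (proto/port) to an instance with these tags?"""
    if rule.target_tags and not set(rule.target_tags) & set(instance_tags):
        return False
    if rule.protocol not in ("all", proto):
        return False
    if proto in ("tcp", "udp") and not port_matches(rule.ports, port):
        return False
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(r) for r in rule.source_ranges)


def decide(rules, src_ip, proto, port, instance_tags):
    """Return (action, rule name) of the rule that wins for this packet."""
    matching = [r for r in list(rules) + [IMPLIED_DENY_INGRESS]
                if rule_applies(r, src_ip, proto, port, instance_tags)]
    # lowest number first; on a tie, deny sorts before allow
    matching.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return matching[0].action, matching[0].name


def demo():
    """The 'my allow rule did nothing until I changed its priority' situation."""
    deny_world = Rule("deny-9090-world", "deny", 1000, "tcp", "9090")
    allow_my_app = Rule("allow-9090-my-app", "allow", 1000, "tcp", "9090",
                        target_tags=("my-app",))
    rules = [deny_world, allow_my_app]
    client, tags = "198.51.100.7", ["my-app"]          # constructed packet
    results = {"tie": decide(rules, client, "tcp", 9090, tags)}
    allow_my_app.priority = 900                         # smaller number = evaluated first
    results["allow_first"] = decide(rules, client, "tcp", 9090, tags)
    results["untagged"] = decide(rules, client, "tcp", 9090, ["other"])
    results["port_22"] = decide(rules, client, "tcp", 22, tags)
    return results


if __name__ == "__main__":
    for case, (action, name) in demo().items():
        print(f"{case:12s} -> {action:5s} by {name}")
```

At equal priority the deny rule wins, so the tagged allow rule has no visible effect; once its number is below the deny's it takes precedence, but only for instances carrying the tag, and a port the rules do not mention still falls through to the implied deny.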

console.cloud.google.com >> select project >> Networking > VPC network >> firewalls >> create firewall.

To apply the rule to VM instances, select Targets, "Specified target tags", and enter into "Target tags" the name of the tag. This tag will be used to apply the new firewall rule onto whichever instance you'd like.

In "Protocols and Ports", enter tcp:9090.

Click Save.