9

I’ve a question regarding Compute VM and its associated privileges. I have ‘Owner’ privileges at Project level. I created a VM but was not able to assign an external IP address to it. Upon referring to the Google Cloud docs, it appears that I’ll still be able to connect to this VM using VPN or IAP. Upon clicking the SSH link next to the VM, I see that it uses a Cloud-IAP tunnel but the connection fails.

Here is the error message:

External IP address was not found; defaulting to using IAP tunneling.
ERROR: (gcloud.compute.start-iap-tunnel) Error while connecting [4003: u'failed to connect to backend'].
ssh_exchange_identification: Connection closed by remote host
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].

How do I go about connecting to this VM?

Appreciate your help with this

blong
Shiva
  • Edit your question and include the firewall rule for SSH. If you don't have one, create one. However, please be more detailed on error messages. If you have Project Owner, you can assign an external IP address; otherwise you might be using a different account that does not. – John Hanley Sep 21 '19 at 03:14
  • Related (with a focus on Ansible, but a lot of transferable information): https://stackoverflow.com/q/58996471/320399 – blong May 18 '21 at 15:38

4 Answers

5

Firewall rules that are configured to allow access from Cloud IAP's TCP forwarding netblock, 35.235.240.0/20, on all ports of your machine. This ensures that connections are allowed from Cloud IAP's TCP forwarding IP addresses to the TCP port of the admin service on your resource. Note that you might not need to adjust your firewall rules if the default-allow-ssh and default-allow-rdp default rules are applied to ports used for SSH and RDP.

As you probably already have default-allow-ssh, instead of trying:

gcloud compute start-iap-tunnel stage-es-kibana 5601 --local-host-port=localhost:5601

jump to port via extra ssh layer:

gcloud compute ssh stage-es-kibana -- -N -L 5601:localhost:5601

or open Google Firewall between host/port stage-es-kibana:5601 and subnet 35.235.240.0/20.

gavenkoa
  • The key part here is adding the firewall rule specified in https://cloud.google.com/iap/docs/using-tcp-forwarding#tunneling_ssh_connections – mafrosis Jul 10 '20 at 05:50
  • @mafrosis In case you want tunnelling to actually work as stated by the `gcloud` CLI (like RDP, etc.). But it is still possible to pass a port via standard SSH (as you'll probably already have the rule `default-allow-ssh`) without adding other firewall rules, keeping only port `22` open to subnet `35.235.240.0/20`. – gavenkoa Jul 10 '20 at 07:34
  • In other words, as long as you are able to make an SSH connection you can tunnel any port via an SSH tunnel (option `-L`), avoiding proprietary firewall rules! In any case IAP is not for bulk transfer and **parallel connections are forbidden** from the same OS as they use a shared SQLite DB without proper locks, so it is only for rescue shell connections, not for a proper VPN. – gavenkoa Jul 10 '20 at 07:39
  • Yes, agreed. I think for people arriving at this question via Google it's useful to highlight the specific firewall documentation for IAP – mafrosis Jul 10 '20 at 09:30
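An added check, not part of the answer above: given firewall rules in the field layout of `gcloud compute firewall-rules list --format=json` (the rules below are a constructed sample), it reports whether IAP's TCP-forwarding range 35.235.240.0/20 is allowed to reach a given TCP port on an instance carrying the given network tags, which is the precondition both `start-iap-tunnel` and the plain-SSH `-L` workaround depend on. Deny rules and rule priorities are deliberately not evaluated (an assumption that keeps the check short).

```python
import ipaddress

# Cloud IAP's TCP-forwarding source range, quoted in the answer above.
IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")


def _port_matches(spec: str, port: int) -> bool:
    """gcloud port specs are a single port ("22") or a range ("1024-65535")."""
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def iap_reachable(rules, port=22, instance_tags=frozenset()):
    """True if an enabled INGRESS allow rule lets IAP_RANGE reach tcp:<port>.

    `rules` uses the field names of `gcloud compute firewall-rules list
    --format=json`: direction, disabled, sourceRanges, targetTags, allowed.
    Assumption/simplification: deny rules and priorities are not evaluated.
    """
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        tags = set(rule.get("targetTags", []))
        if tags and not tags & set(instance_tags):
            continue  # rule is scoped to tags this instance does not carry
        sources = (ipaddress.ip_network(s, strict=False) for s in rule.get("sourceRanges", []))
        if not any(src.version == 4 and IAP_RANGE.subnet_of(src) for src in sources):
            continue  # IAP's whole netblock must sit inside an allowed source range
        for allowed in rule.get("allowed", []):
            if allowed.get("IPProtocol") not in ("tcp", "all"):
                continue
            ports = allowed.get("ports") or []  # no ports listed means all ports
            if not ports or any(_port_matches(p, port) for p in ports):
                return True
    return False


# Constructed sample: the default SSH rule, a tag-scoped rule for the Kibana
# port from the answer, and a disabled RDP rule that must not count.
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-iap-kibana", "sourceRanges": ["35.235.240.0/20"],
     "targetTags": ["kibana"], "allowed": [{"IPProtocol": "tcp", "ports": ["5601"]}]},
    {"name": "old-rdp", "disabled": True, "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
]

if __name__ == "__main__":
    for port, tags in ((22, ()), (5601, ()), (5601, ("kibana",)), (3389, ())):
        state = "reachable via IAP" if iap_reachable(SAMPLE_RULES, port, tags) else "BLOCKED"
        print(f"tcp:{port} tags={sorted(tags)} -> {state}")
```

Feed it the real output of `gcloud compute firewall-rules list --format=json` (parsed with `json.load`) and the instance's tags to see which of the two approaches from the answer your project's rules actually permit.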
1

It seems that the GCP CE instance still needs to initialize SSH and other services after it reaches RUNNING status. I used a workaround by adding a sleep (60 sec) command after starting the VM and before SSHing through the IAP tunnel.

Jijo John
-1

As the Project Owner inherits both “Compute Admin” and “Compute Network Admin” roles, you should be able to add the external IP address to your VM. However, you can try the command below through Cloud Shell and share the error message shown. This will add one ephemeral external IP address to your VM.

$ gcloud compute instances add-access-config [INSTANCE NAME] --zone=[ZONE] --access-config-name "[ACCESS_CONFIG_NAME]"

Also, to SSH without the external IP, you have to enable Cloud IAP; please check the document, which covers the firewall rule, the “IAP-Secured Tunnel User” role, and tunneling.

MustA
-1

This is a permissions issue. You are trying to SSH into your VM through Google's IAP proxy. You don't have permissions to create the tunnel from your computer to the proxy server.

You need to have the role "roles/iap.tunnelResourceAccessor" to SSH to your VM: