Reputation: 11076
First, I wish to use purely gcloud commands to achieve my objective - NOT the GCE interface - so please don't provide answers using the GUI!
I created an image from a disk attached to a VM instance. In order to do so, I had to delete the instance, per the Google documentation for creating images. After that, I recreated my instance using the image.
Almost everything seems to have worked perfectly from that process except http and https traffic is now disabled in the instance! I can no longer browse to the website hosted on the VM. I also cannot get a response by pinging the domain anymore.
When I look in the GCE gui (just looking - not modifying anything!) I can see that the checkboxes for the "Allow http traffic" and "Allow https traffic" are not checked for the instance. It seems that must be related to my problem.
I checked the firewall rules on the server (iptables), and on the Google network associated with the VM. There is nothing wrong with either of those (and the VM is definitely associated with that network). If I listen on port 80 using tcpdump on the server and I browse to my domain, I can see the requests are reaching the server, so they aren't blocked by an incoming firewall. I also explicitly restarted Apache, just to make sure that wasn't the problem.
So, is there something I need to do to unblock ports 80 and 443 on an outgoing basis instead? Is this possibly an SELinux thing? Since the image should represent exactly what was on the disk, it shouldn't be. It seems this must be on the GCE side...
What do those checkboxes actually do for the instance if they don't edit iptables on the server or the firewall rules on the Google network? What is the gcloud command to set those switches, or ideally specify that with an instance create command?
Upvotes: 26
Views: 21309
Reputation: 23
As per the details in this link: https://cloud.google.com/vpc/docs/special-configurations
"By selecting these checkboxes, the VPC network automatically creates a default-http or default-https rule that applies to all instances with either the http-server or https-server tags. Your new instance is also tagged with the appropriate tag depending on your checkbox selection."
So ticking these boxes tags your server and creates the necessary firewall rule for you that will apply to all servers with that tag. From a gcloud perspective I guess you would need to ensure the tag is created and applied and the rule is also created for it to do what the console option does for you.
Upvotes: 1
Reputation: 11076
Solved. I don't entirely understand what is going on behind the scenes, but the solution to this requires the use of "tags" which associate firewall rules on the network with the VM instance. As far as I can see at this point, this is only pertinent for http and https. Other ports that are open on the network and the VM seem to work without this additional piece.
If you view your firewall rules, you'll probably see the port 80 and 443 rules have the tags "http-server" and "https-server" respectively. If they don't, you'll need to add those (or other tags of your choosing). It turns out the instance needs those tags added to it as well.
To add the tags to an existing VM instance, use this gcloud command:
gcloud compute instances add-tags [YOUR_INSTANCE_NAME] --tags http-server,https-server
To add the tags at the time of the instance creation, include that flag in your statement:
gcloud compute instances create [YOUR_INSTANCE_NAME] --tags http-server,https-server
If you look in the GCE gui, you'll see those "Allow http traffic" and "Allow https traffic" checkboxes are checked after doing that. Requests and responses then flow across ports 80 and 443 as expected.
Upvotes: 43
Reputation: 186
One of the super helpful things the Google Cloud Console offers is a link at the bottom of the create for most resources for the REST API and command line to create the same resource. I am challenging myself to be able to do everything I can do in the console from SDK command line, so I use this often when I have a question like yours.
Having the same question as above, in the console I created a VM and selected "Allow HTTP traffic". Looking at the command line for this, you will see two commands. The first is the create command with the tag as noted above (http-server):
gcloud beta compute --project=XXXX instances create cgapperi-vm1 \
--zone=XXXXX --machine-type=f1-micro --subnet=default \
--tags=http-server --image=debian-10-buster-v20200413 \
--image-project=debian-cloud --boot-disk-size=10GB \
--boot-disk-type=pd-standard --boot-disk-device-name=cgapperi-vm1 \
--no-shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring \
--reservation-affinity=any
The second actually creates the firewall rule (default-allow-http) for you, and sets the target for requests to the http-server tag (--target-tags=http-server) on tcp port 80 (--rules=tcp:80) from incoming requests (--direction=INGRESS) from all sources (--source-ranges=0.0.0.0/0):
gcloud compute --project=XXXX firewall-rules create default-allow-http \
--direction=INGRESS --priority=1000 --network=default --action=ALLOW \
--rules=tcp:80 --source-ranges=0.0.0.0/0 --target-tags=http-server
I hope this is helpful for anyone else.
NOTE: I did reduce the output of the gcloud compute instance create to relevant bits in order to reduce the clutter.
Upvotes: 14
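The two answers above both come down to the same matching rule: an ingress firewall rule with target tags only reaches instances carrying one of those tags, and an instance recreated from an image comes back without them. The following is an added example (not code from this thread or from Google) that reproduces that matching over constructed JSON shaped like `gcloud ... --format=json` output, so you can see why port 22 still worked while 80 and 443 did not, and which tags the add-tags command needs; the field names (tags.items, networkInterfaces[].network, allowed[].IPProtocol, targetTags, direction, disabled) are the Compute API's, while the instance and rule values are made up.

```python
import json
# Constructed sample (not real gcloud output), shaped like
# `gcloud compute instances describe web-1 --format=json`
INSTANCE = json.loads('{"name": "web-1", "tags": {"items": []},'
                      ' "networkInterfaces": [{"network": "global/networks/default"}]}')

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`
RULES = json.loads('''[
 {"name": "default-allow-http", "direction": "INGRESS", "network": "global/networks/default",
  "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}], "targetTags": ["http-server"]},
 {"name": "default-allow-https", "direction": "INGRESS", "network": "global/networks/default",
  "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}], "targetTags": ["https-server"]},
 {"name": "default-allow-ssh", "direction": "INGRESS", "network": "global/networks/default",
  "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}]''')

def _tags(instance):
    return set(instance.get("tags", {}).get("items", []))

def _port_ok(port, allowed):
    """No "ports" key means all ports; a spec is "80" or a range "8000-8100"."""
    specs = allowed.get("ports")
    return specs is None or any(
        int(s.partition("-")[0]) <= port <= int(s.partition("-")[2] or s) for s in specs)

def rule_applies(rule, instance):
    """Same VPC network, and no targetTags (covers all instances) or a tag overlap."""
    same_net = rule["network"].rsplit("/", 1)[-1] == \
        instance["networkInterfaces"][0]["network"].rsplit("/", 1)[-1]
    targets = rule.get("targetTags")
    return same_net and (not targets or bool(set(targets) & _tags(instance)))

def rules_allowing(instance, rules, port, proto="tcp"):
    """Names of enabled INGRESS rules that target the instance and allow proto:port."""
    return [r["name"] for r in rules
            if r.get("direction") == "INGRESS" and not r.get("disabled")
            and rule_applies(r, instance)
            and any(a["IPProtocol"].lower() in (proto, "all") and _port_ok(port, a)
                    for a in r.get("allowed", []))]

def missing_tags(instance, rules, port, proto="tcp"):
    """Target tags that would unlock proto:port but are not on the instance."""
    want = {t for r in rules for t in r.get("targetTags", [])
            if rules_allowing(dict(instance, tags={"items": [t]}), [r], port, proto)}
    return sorted(want - _tags(instance))

def add_tags(instance, tags):
    """Local equivalent of `gcloud compute instances add-tags NAME --tags ...`."""
    items = sorted(_tags(instance) | set(tags))
    return dict(instance, tags={"items": items})
```

On a real project, feed the functions the output of the two gcloud commands named in the comments instead of the constructed samples; the matching ignores target service accounts and priority ordering, which the default-allow rules do not use.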