Reputation: 1124
Google Cloud firewall blocking connections when using port in address
I'm pretty new to how Google Cloud works, and I feel as if there's something obvious I'm missing here. I've installed TeamCity on an Ubuntu 18.04 VM, and it is running on port 8111. When hitting [ip]:8111 in the browser, I am not getting the interface--I get "35.196.21.62 refused to connect." I can ping [ip]:8111 from the command prompt on my windows machine, and it doesn't respond there either. However, I can ping [ip] without the port and it responds just fine.
As far as I can tell, my firewall should be set up to allow everything under the sun to connect to the box. I've created the following identical rule for both egress and ingress.
Lastly, the firewall rules are showing up on the instance, so they are being applied.
It's also the problem is on the Linux box. I've confirmed the service is running, but I'm not sure what else to check--there is no browser because there is no GUI. "ufw status" confirms the firewall is off.
What can I do to open that port so I can access it in my browser?
Upvotes: 0
Views: 1259
Answers (2)
Reputation: 15276
Based on the description of the problem, we ran a local test. When an application runs on a Linux machine that serves as an endpoint for network (TCP/IP) traffic, we will find that it listens on a port number. A client that wishes to connect to this application must know the host/IP address of the host on which the machine is running as well as the port on which the application is running.
In our puzzle described in this problem, we were attempting to connect to a GCP hosted application that we believed was listening on port 8111. However, the error message we were getting was "Connection refused". My experience is that this error indicates that the network request from the client is getting all the way through to the host but the host has no knowledge of an application listening on that port.
One easy way to list all the ports in use is to use the command nestat. This has many options but the one I prefer is nestat -an which lists all network connections (including the ones in listening mode) and prints numeric IP addresses as opposed to performing hostname resolution. For full details of nestat, see netstat. An alternative to nestat is the command lsof but this is not as commonly used and may need more setup.
After running nestat, we found that no local application on the host was actively listening on port 8111 which fully explained why an internet based client could not connect to the service. The first pass at resolution will be examine the nature and configuration of the application being run on the host to determine how to configure it to actively listen on the desired port. Until and unless netstat shows that the application is locally listening, there is no value/merit in attempting to connect from the Internet.
Upvotes: 1
Reputation: 81454
When hitting [ip]:8111 in the browser, I am not getting the interface--I get "35.196.21.62 refused to connect."
You need to create a firewall rule to allow traffic to port 8111.
I can ping [ip]:8111 from the command prompt on my windows machine, and it doesn't respond there either.
The ping command does not use TCP or UDP, instead it uses ICMP. ICMP does not have have port numbers. ICMP is IP Protocol 1.
However, I can ping [ip] without the port and it responds just fine.
This means that you have a firewall rule allowing ICMP traffic.
Upvotes: 0
Related Questions
- Google Cloud Firewall Exposing Port Docker
- GCP firewall rule for tcp port are not working
- Google cloud VM ports won't open
- How to allow a specific port in Google Cloud Platform instance for the specific URL/IP
- Google Cloud Firewall: Port is blocked
- Any idea why this port is not reachable from another GCP instance?
- Google stackdriver default port blocked by firewall rule
- GCP Firewall Issue - Unable to access specific port over public internet
- Port 443 is close in Google Cloud Instance
- Google Cloud Platform Firewall Rules PORT