Sahil Kamboj

Reputation: 418

Connection via Cloud Identity-Aware Proxy Failed

I am getting the following disconnection issues in the GCP Jupyter notebook.

error code: 4010 and error code: 1006

Can you please suggest some solution?


Upvotes: 8

Views: 18895

Answers (4)

Aditya

Reputation: 458

Create a firewall rule for port 22, add this IP range 35.235.240.0/20 and attach it to all VMs, so you will be able to establish a connection.

Upvotes: 0

subair porora

Reputation: 1

For me, error 1006 was related to the system time. I had changed the system time manually to another time zone. SSH worked when the system time was sy

Upvotes: 0

mebius99

Reputation: 2605

As part of the IAP configuration steps, you should create a firewall rule that allows ingress traffic to the SSH port from the IAP address range:

GCP Console => VPC network => Firewall rules => Create Firewall Rule
  Name:     allow-ingress-from-iap
  Direction of traffic:     Ingress
  Target:   All instances in the network 
  Source filter:    IP ranges 
  Source IP ranges:     35.235.240.0/20 
  Protocols and ports:  select TCP and enter 22 to allow SSH

Identity-Aware Proxy > Doc > Setting up IAP for Compute Engine

Error 1006 appears in the GCP Console UI after 1 hour of inactivity of an SSH session via IAP to a VM with an internal IP only; this is a session timeout on the Google side.

Upvotes: 8

Tibebes. M

Reputation: 7538

As @mebius99 has mentioned, IAP (Identity-Aware Proxy) requests come from the IP address range 35.235.240.0/20.

Your network firewall must allow these requests to be able to SSH through IAP.

One way to do that (create a firewall rule) is to run the gcloud compute firewall-rules create command.

To do that, first open the Cloud Shell in the Google Cloud console.

Then once the cloud shell opens up, run the following:

gcloud compute firewall-rules create ssh-ingress-from-iap --allow=tcp:22 --source-ranges 35.235.240.0/20 --network [network-name]

Replace [network-name] with your network name (the default VPC network is named default).

If the above solution doesn't work (or you already have a similar firewall rule in place), consider checking the network tags (on the firewall rules and on the VM). It may be the case that your firewall rule allows the requests only to certain instances that have some tags, and the instance you're trying to SSH into doesn't.

Upvotes: 5
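To check the conditions the answers above describe (IAP source range, TCP port 22, matching network, and target tags that actually apply to the VM) against exported rules rather than by eye, here is an added example that is not from any of the answers. It assumes the rule dictionaries have the field names `gcloud compute firewall-rules list --format=json` prints (name, network, direction, sourceRanges, allowed, targetTags, disabled); the sample rules are constructed. It deliberately ignores deny rules and priorities, so a hit means "an allow rule exists", not "traffic is guaranteed to pass".

```python
"""Find firewall rules that admit IAP TCP forwarding to a VM's SSH port."""
import ipaddress

IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")  # IAP forwarding source range


def _port_match(allowed, port):
    """True if an 'allowed' entry covers TCP on `port` ('22' or a range like '20-30')."""
    if allowed.get("IPProtocol", "").lower() not in ("tcp", "all"):
        return False
    ports = allowed.get("ports")
    if not ports:  # no 'ports' key means every port of that protocol
        return True
    for spec in ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _covers_iap(source_ranges):
    """True if one of the rule's source ranges fully contains the IAP range."""
    for src in source_ranges:
        net = ipaddress.ip_network(src)
        if net.version == IAP_RANGE.version and IAP_RANGE.subnet_of(net):
            return True
    return False


def iap_ssh_allowed(rules, network, vm_tags, port=22):
    """Names of enabled INGRESS allow rules letting the IAP range reach `port`
    on a VM in `network` carrying `vm_tags` (deny rules/priority not evaluated)."""
    hits = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if rule.get("network", "").rsplit("/", 1)[-1] != network:
            continue
        if not _covers_iap(rule.get("sourceRanges", [])):
            continue
        tags = rule.get("targetTags")
        if tags and not set(tags) & set(vm_tags):  # tagged rule not applying to this VM
            continue
        if any(_port_match(a, port) for a in rule.get("allowed", [])):
            hits.append(rule["name"])
    return hits


# Constructed sample rules (network URL and names are placeholders).
NET = "projects/example-project/global/networks/default"
SAMPLE_RULES = [
    {"name": "allow-ssh-tagged", "network": NET, "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "targetTags": ["bastion"]},
    {"name": "allow-ingress-from-iap", "network": NET, "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["35.235.240.0/20"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]
```

For a real project, load the list with `json.load` from the gcloud output and pass the VM's network name and tags from `gcloud compute instances describe`.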
