How to allow communication between private instances in GCE

Here is the use case:

  • External IPs are not allowed
  • A custom VPC exists for the GCP project
  • Instance A has an application running
  • Instance B is considered a client
  • SQL Instance C is on the VPC too and has only an internal IP

The goal is to let B send HTTP requests to A so that A sends queries to the SQL Instance C.

What are the networking steps to be done in that case? (Is it only a firewall issue, since all instances are on the same network? And if so, which firewall rules need to be allowed?)

And why can't we ping other servers in GCP if they are on the same VPC?

Thank you

VPC firewall settings:

[
{
  "allowed": [
    {
      "IPProtocol": "tcp",
      "ports": [
        "22"
      ]
    },
    {
      "IPProtocol": "tcp",
      "ports": [
        "3389"
      ]
    }
  ],
  "description": "Allow incoming traffic on IAP",
  "direction": "INGRESS",
  "disabled": false,
  "kind": "compute#firewall",
  "logConfig": {
    "enable": false
  },
  "name": "fw-allow-iap",
  "network": "https://www.googleapis.com/compute/v1/projects//global/networks/NETWORK_HERE",
  "priority": 1000,
  "selfLink": "https://www.googleapis.com/compute/v1/projects//global/firewalls/fw-allow-iap",
  "sourceRanges": [
    "35.235.240.0/20"
  ]
},
{
  "allowed": [
    {
      "IPProtocol": "tcp",
      "ports": [
        "80"
      ]
    }
  ],
  "description": "",
  "direction": "INGRESS",
  "disabled": false,
  "kind": "compute#firewall",
  "logConfig": {
    "enable": false
  },
  "name": "NETWORK_HERE-allow-http",
  "network": "https://www.googleapis.com/compute/v1/projects//global/networks/NETWORK_HERE",
  "priority": 1000,
  "selfLink": "https://www.googleapis.com/compute/v1/projects//global/firewalls/NETWORK_HERE-allow-http",
  "sourceRanges": [
    "0.0.0.0/0"
  ],
  "targetTags": [
    "http-server"
  ]
},
{
  "allowed": [
    {
      "IPProtocol": "tcp",
      "ports": [
        "443"
      ]
    }
  ],
  "direction": "INGRESS",
  "disabled": false,
  "kind": "compute#firewall",
  "logConfig": {
    "enable": false
  },
  "name": "NETWORK_HERE-allow-https",
  "network": "https://www.googleapis.com/compute/v1/projects//global/networks/NETWORK_HERE",
  "priority": 1000,
  "selfLink": "https://www.googleapis.com/compute/v1/projects//global/firewalls/NETWORK_HERE-allow-https",
  "sourceRanges": [
    "0.0.0.0/0"
  ],
  "targetTags": [
    "https-server"
  ]
}
]

Instance B settings: (Instance A has the same settings as well)

{
"canIpForward": false,
"confidentialInstanceConfig": {
  "enableConfidentialCompute": false
},
"cpuPlatform": "Intel Haswell",
"deletionProtection": false,
"description": "",
"disks": [
  {
    "autoDelete": true,
    "boot": true,
    "deviceName": "instance-1",
    "diskSizeGb": "10",
    "guestOsFeatures": [
      {
        "type": "UEFI_COMPATIBLE"
      },
      {
        "type": "VIRTIO_SCSI_MULTIQUEUE"
      }
    ],
    "index": 0,
    "interface": "SCSI",
    "kind": "compute#attachedDisk",
    "licenses": [
      "projects/debian-cloud/global/licenses/debian-10-buster"
    ],
    "mode": "READ_WRITE",
    "source": "projects/PROJECT_ID/zones/europe-west1-b/disks/instance-1",
    "type": "PERSISTENT"
  }
],
"displayDevice": {
  "enableDisplay": false
},
"kind": "compute#instance",
"machineType": "projects/PROJECT_ID/zones/europe-west1-b/machineTypes/e2-micro",
"metadata": {
  "fingerprint": "S0UuYvDZ4Tg=",
  "kind": "compute#metadata"
},
"name": "instance-1",
"networkInterfaces": [
  {
    "kind": "compute#networkInterface",
    "name": "nic0",
    "network": "projects/PROJECT_ID/global/networks/NETWORK_HERE",
    "networkIP": "10.0.1.4",
    "subnetwork": "projects/PROJECT_ID/regions/europe-west1/subnetworks/SUBNET_HERE"
  }
],
"reservationAffinity": {
  "consumeReservationType": "ANY_RESERVATION"
},
"scheduling": {
  "automaticRestart": true,
  "onHostMaintenance": "MIGRATE",
  "preemptible": false
},
"selfLink": "projects/PROJECT_ID/zones/europe-west1-b/instances/instance-1",
"serviceAccounts": [
  {
    "email": "[email protected]",
    "scopes": [
      "https://www.googleapis.com/auth/devstorage.read_only",
      "https://www.googleapis.com/auth/logging.write",
      "https://www.googleapis.com/auth/monitoring.write",
      "https://www.googleapis.com/auth/servicecontrol",
      "https://www.googleapis.com/auth/service.management.readonly",
      "https://www.googleapis.com/auth/trace.append"
    ]
  }
],
"shieldedInstanceConfig": {
  "enableIntegrityMonitoring": true,
  "enableSecureBoot": false,
  "enableVtpm": true
},
"shieldedInstanceIntegrityPolicy": {
  "updateAutoLearnPolicy": true
},
"startRestricted": false,
"status": "RUNNING",
"tags": {
  "items": [
    "http-server",
    "https-server"
  ]
},
"zone": "projects/PROJECT_ID/zones/europe-west1-b"
}



Solution 1:[1]

From John Hanley's comment here

By default, a VPC is created with this rule (default-allow-icmp). Someone has deleted it. Create a rule allowing ICMP within your VPC. Next, figure out if you have an internal OS firewall and if that allows ICMP. Refer to the GCP documentation here.
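To make the verdicts concrete, the following is an added example (not code from the question or the answer) that evaluates the three firewall rules posted above under GCP's ingress semantics: rules are matched from the lowest priority number upward, the first match decides, a deny wins over an allow at the same priority, and when nothing matches the implied deny-all-ingress rule (priority 65535) applies. Run against the posted rules it shows why B can reach A on TCP/80 (A carries the `http-server` tag) but cannot ping it (no rule permits ICMP, so the implied deny applies). A constructed rule `allow-internal-icmp` restricted to the subnet range then fixes the ping case without exposing ICMP to anything outside the VPC. Assumptions: the subnet is `10.0.1.0/24`, inferred from instance-1's `networkIP` of `10.0.1.4`; source tags, source service accounts and hierarchical firewall policies are not modelled; `203.0.113.7` is a constructed external address.

```python
"""Toy evaluator for GCP VPC ingress firewall rules (added example, not GCP's own logic).

Modelled semantics: lowest priority number wins, first match decides, deny beats
allow at equal priority, and the implied "deny all ingress" rule (65535) catches
the rest. Only sourceRanges and targetTags are modelled (no source tags or
service accounts, no hierarchical firewall policies).
"""
import ipaddress

IMPLIED_DENY_INGRESS = 65535

# The three rules from the question, reduced to the fields the evaluator reads.
PAGE_RULES = [
    {"name": "fw-allow-iap", "direction": "INGRESS", "disabled": False, "priority": 1000,
     "sourceRanges": ["35.235.240.0/20"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]},
                 {"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "NETWORK_HERE-allow-http", "direction": "INGRESS", "disabled": False,
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"], "targetTags": ["http-server"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "NETWORK_HERE-allow-https", "direction": "INGRESS", "disabled": False,
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"], "targetTags": ["https-server"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
]

# Constructed rule (assumption): ICMP only from the subnet the instances sit in.
# 10.0.1.0/24 is inferred from instance-1's networkIP 10.0.1.4 in the question.
ALLOW_INTERNAL_ICMP = {
    "name": "allow-internal-icmp", "direction": "INGRESS", "disabled": False,
    "priority": 1000, "sourceRanges": ["10.0.1.0/24"],
    "allowed": [{"IPProtocol": "icmp"}],
}

INSTANCE_A_TAGS = {"http-server", "https-server"}   # "tags" block in the question
INSTANCE_B_IP = "10.0.1.4"                          # networkIP of instance-1


def _port_matches(spec, port):
    """Port entries look like "22" or "1000-2000"; a spec without "ports" covers every port."""
    if "ports" not in spec:
        return True
    for entry in spec["ports"]:
        low, _, high = entry.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def _rule_matches(rule, src_ip, dst_tags, protocol, port):
    """True if this ingress rule applies to the given packet and target instance."""
    if rule.get("direction") != "INGRESS" or rule.get("disabled"):
        return False
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])):
        return False
    # A rule without targetTags applies to every instance in the network.
    if rule.get("targetTags") and not set(rule["targetTags"]) & set(dst_tags):
        return False
    for spec in rule.get("allowed") or rule.get("denied") or []:
        proto = spec["IPProtocol"]
        if proto == "all" or proto == protocol:
            if protocol in ("tcp", "udp") and port is not None and not _port_matches(spec, port):
                continue
            return True
    return False


def evaluate_ingress(rules, src_ip, dst_tags, protocol, port=None):
    """Return (verdict, rule_name) for a packet arriving at an instance carrying dst_tags."""
    # Lower priority number first; at equal priority a deny is tried before an allow.
    ordered = sorted(rules, key=lambda r: (r["priority"], 0 if "denied" in r else 1))
    for rule in ordered:
        if _rule_matches(rule, src_ip, dst_tags, protocol, port):
            return ("DENY" if "denied" in rule else "ALLOW", rule["name"])
    return ("DENY", "implied-deny-ingress")


if __name__ == "__main__":
    print("B -> A tcp/80      :", evaluate_ingress(PAGE_RULES, INSTANCE_B_IP, INSTANCE_A_TAGS, "tcp", 80))
    print("B -> A icmp (ping) :", evaluate_ingress(PAGE_RULES, INSTANCE_B_IP, INSTANCE_A_TAGS, "icmp"))
    print("same, with ICMP rule:", evaluate_ingress(PAGE_RULES + [ALLOW_INTERNAL_ICMP],
                                                    INSTANCE_B_IP, INSTANCE_A_TAGS, "icmp"))
```

The constructed rule corresponds to `gcloud compute firewall-rules create allow-internal-icmp --network NETWORK_HERE --direction INGRESS --allow icmp --source-ranges 10.0.1.0/24`. Two points the evaluator makes visible: the posted HTTP and HTTPS rules accept `0.0.0.0/0`, which is wider than needed when no external IPs exist and can be narrowed to the subnet range the same way; and queries from A to the SQL instance C are egress from A, which the implied allow-all-egress rule already permits unless a deny-egress rule was added. As the answer says, the guest OS firewall is evaluated separately and is not covered by this model.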

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Yoyo