What is the gcloud command to allow http traffic on a VM instance? (It's not create firewall rule!)

BuvinJ · Feb 24, 2016 · Viewed 7.6k times

First, I wish to use purely gcloud commands to achieve my objective - NOT the GCE interface - so please don't provide answers using the GUI!

I created an image from a disk attached to a VM instance. In order to do so, I had to delete the instance, per the Google documentation for creating images. After that, I recreated my instance using the image.

Almost everything seems to have worked perfectly from that process except http and https traffic is now disabled in the instance! I can no longer browse to the website hosted on the VM. I also cannot get a response by pinging the domain anymore.

When I look in the GCE gui (just looking - not modifying anything!) I can see that the checkboxes for the "Allow http traffic" and "Allow https traffic" are not checked for the instance. It seems that must be related to my problem.

I checked the firewall rules on the server (iptables), and on the Google network associated with the VM. There is nothing wrong with either of those (and the VM is definitely associated with that network). If I listen on port 80 using tcpdump on the server and I browse to my domain, I can see the requests are reaching the server, so they aren't blocked by an incoming firewall. I also explicitly restarted Apache, just to make sure that wasn't the problem.

So, is there something I need to do to unblock port 80 and 443 on an outgoing basis instead? Is this possibly an SELinux thing? Since the image should represent exactly what was on the disk it shouldn't be. It seems this must be on the GCE side...

What do those checkboxes actually do for the instance if they don't edit iptables on the server or the firewall rules on the Google network? What is the gcloud command to set those switches, or ideally specify that with an instance create command?

Answer

BuvinJ · Feb 24, 2016

Solved. I don't entirely understand what is going on behind the scenes, but the solution to this requires the use of "tags" which associate firewall rules on the network with the VM instance. As far as I can see at this point, this is only pertinent for http and https. Other ports that are open on the network and the VM seem to work without this additional piece.

If you view your firewall rules, you'll probably see the port 80 and 443 rules have the tags "http-server" and "https-server" respectively. If they don't, you'll need to add those (or other tags of your choosing). It turns out the instance needs those tags added to it as well.

To add the tags to an existing VM instance, use this gcloud command:

gcloud compute instances add-tags [YOUR_INSTANCE_NAME] --tags http-server,https-server

To add the tags at the time of the instance creation, include that flag in your statement:

gcloud compute instances create [YOUR_INSTANCE_NAME] --tags http-server,https-server

If you look in the GCE gui, you'll see those "Allow http traffic" and "Allow https traffic" checkboxes are checked after doing that. Requests and responses then flow across ports 80 and 443 as expected.
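What the checkboxes actually do is add the network tags http-server and https-server to the instance; the firewall rules default-allow-http and default-allow-https on the default network have those tags as their target tags, and a GCE firewall rule only binds to an instance that is on the rule's network and carries one of its target tags (or to every instance on the network when the rule names no target at all). Note that those default rules admit tcp:80 and tcp:443 from 0.0.0.0/0, so tagging an instance exposes it to the whole internet, not just to the poster's own clients. The script below is an added example, not part of the original question or answer and not Google's own code: it evaluates ingress the way GCE does (lowest priority number wins, DENY beats ALLOW on a tie, implied deny when nothing matches) over rule and instance objects in the shape returned by `gcloud compute firewall-rules list --format=json` and `gcloud compute instances describe NAME --format=json`. The rule set, instance, network URL and source addresses are constructed sample data; source tags and service-account targets are not modelled.

```python
"""Offline check of which GCE firewall rules a VM's network tags bind to it.

RULES and INSTANCE are constructed samples in the shape of the JSON that
`gcloud compute firewall-rules list --format=json` and
`gcloud compute instances describe NAME --format=json` emit; feed real
output through json.load() in place of them.
"""
import ipaddress

# Constructed network URL; the real one carries your project id.
NET = "https://www.googleapis.com/compute/v1/projects/example-proj/global/networks/default"

RULES = [
    # Targets nothing explicitly, so it applies to every instance on the network.
    {"name": "default-allow-ssh", "network": NET, "direction": "INGRESS",
     "priority": 65534, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    # These two are what the "Allow http/https traffic" checkboxes rely on.
    {"name": "default-allow-http", "network": NET, "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["http-server"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "default-allow-https", "network": NET, "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "targetTags": ["https-server"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    # Constructed deny rule with a higher priority (lower number) than the allows.
    {"name": "block-scanner-range", "network": NET, "direction": "INGRESS",
     "priority": 900, "sourceRanges": ["203.0.113.0/24"],
     "targetTags": ["http-server", "https-server"],
     "denied": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
]

# Constructed instance: tagged for http only, as after
# `gcloud compute instances add-tags web-1 --tags http-server`.
INSTANCE = {
    "name": "web-1",
    "tags": {"items": ["http-server"]},
    "networkInterfaces": [{"network": NET}],
}


def _port_matches(port, port_specs):
    """GCE port specs are strings like "80" or "8000-8080"; absent means all ports."""
    if not port_specs:
        return True
    for spec in port_specs:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _proto_matches(proto, entries, port):
    """True if an allowed/denied entry list covers proto:port."""
    for e in entries:
        p = e["IPProtocol"].lower()
        if p == "all" or (p == proto and _port_matches(port, e.get("ports"))):
            return True
    return False


def rule_targets_instance(rule, instance):
    """A rule binds to an instance only on the same network, and only if it names
    no target at all (applies to every instance there) or shares a network tag.
    Service-account targets are not modelled here."""
    nets = {ni["network"] for ni in instance["networkInterfaces"]}
    if rule["network"] not in nets:
        return False
    if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
        return True
    inst_tags = set(instance.get("tags", {}).get("items", []))
    return bool(inst_tags & set(rule.get("targetTags", [])))


def evaluate_ingress(instance, rules, proto, port, source_ip):
    """Return (verdict, rule_name) for one packet. Lowest priority number wins,
    DENY beats ALLOW on a tie, and unmatched ingress is implicitly denied."""
    src = ipaddress.ip_address(source_ip)
    candidates = []
    for r in rules:
        if r.get("direction", "INGRESS") != "INGRESS" or not rule_targets_instance(r, instance):
            continue
        if not any(src in ipaddress.ip_network(c) for c in r.get("sourceRanges", [])):
            continue
        prio = r.get("priority", 1000)
        if _proto_matches(proto, r.get("denied", []), port):
            candidates.append((prio, 0, "DENY", r["name"]))   # 0 sorts before 1: deny wins ties
        if _proto_matches(proto, r.get("allowed", []), port):
            candidates.append((prio, 1, "ALLOW", r["name"]))
    if not candidates:
        return ("DENY", None)
    _, _, verdict, name = min(candidates)
    return (verdict, name)


def tags_that_would_allow(instance, rules, proto, port):
    """Target tags on same-network ALLOW rules for proto:port that the instance
    lacks, i.e. what `gcloud compute instances add-tags` would have to add."""
    inst_tags = set(instance.get("tags", {}).get("items", []))
    nets = {ni["network"] for ni in instance["networkInterfaces"]}
    needed = set()
    for r in rules:
        if r.get("direction", "INGRESS") == "INGRESS" and r["network"] in nets \
                and _proto_matches(proto, r.get("allowed", []), port):
            needed |= set(r.get("targetTags", [])) - inst_tags
    return needed


if __name__ == "__main__":
    for port in (22, 80, 443):
        print(f"tcp:{port} from 198.51.100.7 ->",
              evaluate_ingress(INSTANCE, RULES, "tcp", port, "198.51.100.7"))
    print("tcp:80 from 203.0.113.5 ->",
          evaluate_ingress(INSTANCE, RULES, "tcp", 80, "203.0.113.5"))
    print("tags still needed for tcp:443:",
          tags_that_would_allow(INSTANCE, RULES, "tcp", 443))
```

Run against real output, the last call is the diagnostic the poster needed: it reports https-server as the missing tag for port 443 while port 80 is already allowed, and the same evaluation shows that a higher-priority deny rule targeting those tags still wins for sources it covers.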