IAP tunnel to VM
I have a question regarding a Compute VM and its associated privileges. I have ‘Owner’ privileges at Project level. I created a VM but was not able to assign an external IP address to it. Upon referring to the Google Cloud docs, it appears that I’ll still be able to connect to this VM using VPN or IAP. Upon clicking the SSH link next to the VM, I see that it uses a Cloud IAP tunnel, but the connection fails.

Here is the error message:

External IP address was not found; defaulting to using IAP tunneling.
ERROR: (gcloud.compute.start-iap-tunnel) Error while connecting [4003: u'failed to connect to backend'].
ssh_exchange_identification: Connection closed by remote host
ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].

How do I go about connecting to this VM?

I appreciate your help with this.

Yance answered 20/9, 2019 at 20:21 Comment(2)
Edit your question and include the firewall rule for SSH. If you don't have one, create one. However, please be more detailed on error messages. If you have Project Owner, then you can assign an external IP address; otherwise you might be using a different account that does not. – Charlton
Related (with a focus on Ansible, but a lot of transferable information): https://mcmap.net/q/750453/-ansible-gcp-iap-tunnel/320399 – Haar
Firewall rules that are configured to allow access from Cloud IAP's TCP forwarding netblock, 35.235.240.0/20, on all ports of your machine. This ensures that connections are allowed from Cloud IAP's TCP forwarding IP addresses to the TCP port of the admin service on your resource. Note that you might not need to adjust your firewall rules if the default-allow-ssh and default-allow-rdp default rules are applied to ports used for SSH and RDP.

As you probably already have default-allow-ssh, instead of trying:

gcloud compute start-iap-tunnel stage-es-kibana 5601 --local-host-port=localhost:5601

jump to the port via an extra SSH layer:

gcloud compute ssh stage-es-kibana -- -N -L 5601:localhost:5601

or open Google Firewall between host/port stage-es-kibana:5601 and subnet 35.235.240.0/20.

Bonbon answered 17/11, 2019 at 11:11 Comment(4)
The key part here is adding the firewall rule specified in cloud.google.com/iap/docs/… – Overdye
@Overdye In case you want tunnelling to actually work as stated by the gcloud CLI (like RDP, etc). But it is still possible to pass a port via standard SSH (as you'll probably already have the rule default-allow-ssh) without adding other firewall rules, keeping only port 22 open to subnet 35.235.240.0/20. – Bonbon
In other words, as long as you are able to make an SSH connection you can tunnel any port via an SSH tunnel (option -L), avoiding proprietary firewall rules! In any case IAP is not for bulk transfer, and parallel connections from the same OS are forbidden as they use a shared SQLite DB without proper locks, so it is only for rescue shell connections, not for a proper VPN. – Bonbon
Yes, agreed. I think for people arriving at this question via Google it's useful to highlight the specific firewall documentation for IAP. – Overdye
This is a permissions issue. You are trying to SSH into your VM through Google's IAP proxy. You don't have permissions to create the tunnel from your computer to the proxy server.

You need to have the role "roles/iap.tunnelResourceAccessor" to SSH to your VM:

Phalange answered 18/11, 2020 at 22:34 Comment(2)
Does this support connections via a private IP address? – Haar
Even though the question made it clear that the user account in use had Owner privileges, which include the 'iap.tunnelResourceAccessor' permissions, I think this answer is still helpful for people with the same kind of error message. In my case I was using a non-organizational user account which had only Editor permissions. So I was lacking the 'iap.tunnelResourceAccessor' permission and received the same error message as above. – Flossie
It seems that the GCP Compute Engine VM needs to initialize SSH and other services after reaching its RUNNING status. I used a workaround by adding a sleep (60 sec) command after starting the VM and before SSHing through the IAP tunnel.

Godard answered 20/2, 2020 at 7:36 Comment(0)
In my case I solved or worked around it by omitting the --tunnel-through-iap parameter that is passed to gcloud compute ssh.

Prevaricator answered 22/4, 2022 at 12:39 Comment(1)
But the whole point here was to use IAP… – Evapotranspiration
Try opening the Google Firewall to the subnet 35.235.240.0/20.

Kreutzer answered 29/9, 2022 at 7:28 Comment(0)
A related (edge) case which may raise this error: the VM is using a VPC network (inherited from another project) and the corresponding firewall rule to allow IAP has targetTags configured like this.

$ gcloud compute firewall-rules --project=cloud-infra  describe allow-ssh-ingress-from-iap
allowed:
...
...
sourceRanges:
- 35.235.240.0/20
targetTags:
- iap
- remote-cloud-builder

So in order to use it on my Compute Engine VM I had to set the following network tag.

$ gcloud compute instances add-tags "workloads-instance" --tags=iap --project=cloud-workloads --zone="us-central1-c"

After this change, I managed to use gcloud compute ssh with --tunnel-through-iap.

Quintet answered 29/9, 2023 at 13:23 Comment(0)
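Added example, not code from any answer on this page: an offline checker for the two firewall failure modes the answers describe, the IAP netblock 35.235.240.0/20 not being allowed on the SSH port (Bonbon's answer) and a rule scoped by targetTags that the VM does not carry (Quintet's answer). It reads dicts shaped like the JSON returned by `gcloud compute firewall-rules describe --format=json` and `gcloud compute instances describe --format=json`; the sample rule and instances are constructed from Quintet's answer, and deny rules and priorities are deliberately not modelled.

```python
import ipaddress

IAP_RANGE = ipaddress.ip_network("35.235.240.0/20")  # Cloud IAP TCP forwarding netblock

def port_allowed(ports, port):
    """gcloud lists ports like ["22", "5000-6000"]; an empty list means every port."""
    if not ports:
        return True
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (spec.partition("-") for spec in ports))

def rule_permits_iap(rule, instance_tags, port=22):
    """True if one INGRESS allow rule admits the whole IAP range to `port` on a VM carrying
    `instance_tags`. Deny rules and priorities are not modelled here."""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    # 0.0.0.0/0 covers the IAP block; a narrower 35.235.240.0/24 does not, so the tunnel would fail.
    ranges = [ipaddress.ip_network(c) for c in rule.get("sourceRanges", [])]
    if not any(n.version == 4 and IAP_RANGE.subnet_of(n) for n in ranges):
        return False
    # With targetTags the rule applies only to VMs carrying one of them (Quintet's edge case);
    # with neither targetTags nor targetServiceAccounts it applies to every VM in the network.
    tags = rule.get("targetTags") or []
    if tags and not set(tags) & set(instance_tags):
        return False
    if not tags and rule.get("targetServiceAccounts"):
        return False  # scoped by service account, not by tag; treated as non-matching here
    return any(a.get("IPProtocol") in ("tcp", "all") and port_allowed(a.get("ports", []), port)
               for a in rule.get("allowed", []))

def iap_ssh_diagnosis(rules, instance, port=22):
    """Return (ok, reason) for a rule set, naming the fix when only a network tag is missing."""
    vm_tags = instance.get("tags", {}).get("items", [])
    if any(rule_permits_iap(r, vm_tags, port) for r in rules):
        return True, "IAP range 35.235.240.0/20 is allowed to tcp/%d" % port
    for r in rules:  # would the rule match if the VM carried the rule's own tags?
        if r.get("targetTags") and rule_permits_iap(r, r["targetTags"], port):
            return False, "rule %s allows IAP only for VMs tagged %s; add a tag with gcloud compute instances add-tags" % (
                r.get("name", "?"), "/".join(r["targetTags"]))
    return False, "no INGRESS allow rule admits 35.235.240.0/20 on tcp/%d" % port

# Constructed from Quintet's answer: the tagged rule, and the instance before/after adding the tag.
SAMPLE_RULE = {"name": "allow-ssh-ingress-from-iap", "direction": "INGRESS",
               "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
               "sourceRanges": ["35.235.240.0/20"], "targetTags": ["iap", "remote-cloud-builder"]}
UNTAGGED_VM = {"name": "workloads-instance", "tags": {"items": []}}
TAGGED_VM = {"name": "workloads-instance", "tags": {"items": ["iap"]}}
```

Run `iap_ssh_diagnosis([SAMPLE_RULE], UNTAGGED_VM)` to see the missing-tag diagnosis, and with `TAGGED_VM` to see it pass; the same call with `port=5601` shows why Bonbon's extra SSH hop is needed when only port 22 is open to the IAP range.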
