Create GCloud VM instance with no VPC - virtual-machine

I need to create a Google Compute Engine Virtual Machine instance with no VPC.
For the app environment that I am using, I need to use the public IP address directly, as with a DigitalOcean Droplet, so if I run the ifconfig command it should show the interface with the public IP address.

Each Compute Engine instance belongs to at least one VPC network. The use case you are describing is likely impossible given GCP's software-defined network architecture.

You can't create a VM in GCP without it belonging to some VPC. The Console GUI won't allow it; you have to have at least one interface.
But there's a workaround:
ssh to your VM and create an additional user and password, then add this user to the sudo group: (adduser sudouser; echo 'sudouser:userspass' | chpasswd; usermod -aG google-sudoers sudouser)
log out
enable serial console interactive access
log in using the serial console
disable all network interfaces
This way you will have a VM with only serial console access; however, I didn't try this myself.

There is a way to do it (not the VPC part, because that's not possible, but seeing the external IP directly on the VM). The steps are below:
Launch a VM in the VPC first; while launching, in the networking section, set IP forwarding on. --> Do this while creating; once the VM is created, you can't change it.
Reserve an external IP in your project and VPC.
In the VPC routing, create a route for destination network x.x.x.x/32 (the reserved public IP) --> point the next hop at the VM.
In the VM, create a sub-interface and assign the public IP directly using ip addr.
Note: this works only if you're able to reach the VPC, for example via VPN, to access the VM over the public IP.

Related

Cannot ssh into remote instances from intermediate jump boxes in GCP

About the Question
I want to create a hierarchy of servers: there is a bastion host in one VPC allowing SSH connections only from my local IP address. Then there is one more instance (let's call it B) in another VPC that accepts connections only from the bastion host. Now there is a set of instances in a third VPC (all of them accept SSH connections only from B). So it is like:
local -----> bastion host -----> Instance B--------> All other instances.
In addition to this configuration, I don't want to add a private SSH key to any of the instances in the cloud, for security purposes. I only want to store the private key on my local machine, which I will use to SSH into the bastion host.
Approaches tried till now
Generated an SSH key pair
Added the public key to the metadata section of Compute Engine so that it is available to all the instances in the project.
Tried to use SSH forwarding to implement this. But I am only able to reach instance B; beyond that it gives me a permission denied (publickey) error.
I want to know how I can implement this scenario such that I can reach instance B's terminal and then access all other instances as mentioned. Is it possible to do it using only one SSH key pair? Any help would be greatly appreciated.
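One way to get the hierarchy described in this question without placing a private key on any cloud instance, as an added example that is not part of the original post: an OpenSSH client config that chains the hops with ProxyJump (each hop is authenticated from the local machine through the previous hop's forwarded connection, so the key stays local and agent forwarding is left off), plus a small shell helper that resolves which hops a connection will take. The host aliases (bastion, instance-b), addresses and user name are assumed placeholders.

```shell
# Added example, not from the question above: ssh_config that chains
# local -> bastion -> instance B -> backend instances via ProxyJump, so the
# private key never leaves the local machine and agent forwarding stays off.
# Aliases, addresses and the user name are placeholders.
set -f   # keep Host patterns such as 10.2.0.* literal (no pathname expansion)

write_jump_config() {
  # $1: path of the ssh_config file to write
  cat > "$1" <<'EOF'
Host *
    User me
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes
    ForwardAgent no

Host bastion
    HostName 203.0.113.10

Host instance-b
    HostName 10.1.0.5
    ProxyJump bastion

Host 10.2.0.*
    ProxyJump instance-b
EOF
}

proxy_of() {
  # $1: config file, $2: host; print the ProxyJump of the first matching Host
  # stanza or "none" (ssh itself applies the first value it finds for an option)
  matched=0
  while read -r key val rest; do
    case "$key" in
      Host) matched=0
            for pat in $val $rest; do
              case "$2" in $pat) matched=1 ;; esac
            done ;;
      ProxyJump) if [ "$matched" = 1 ]; then printf '%s\n' "$val"; return 0; fi ;;
    esac
  done < "$1"
  printf 'none\n'
}

jump_chain() {
  # $1: config file, $2: final host; print the hops taken, entry point first
  hop=$2; chain=$2
  while next=$(proxy_of "$1" "$hop") && [ "$next" != none ]; do
    chain="$next -> $chain"; hop=$next
  done
  printf '%s\n' "$chain"
}
```

With the file written to ~/.ssh/config, `ssh 10.2.0.7` opens the whole chain, and `ssh -G 10.2.0.7` shows the effective options ssh itself resolves. The bastion and B still need firewall rules admitting the previous hop's source address.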

Accessing memorystore in Shared VPC

I have created a Memorystore instance with IP 10.190.50.3 (this is in us-east1).
I have a shared VPC set up with the name my-gcp, and I also authorised it when creating the Memorystore instance.
In the shared VPC, I have a service project dev and I have a Windows machine (10.190.5.7). When I try to connect to Memorystore from that Windows machine, I am not able to connect to the Memorystore instance.
I have also enabled egress traffic to 10.190.50.3 from all instances of the my-gcp VPC. This VPC is set up in us-east4.
tracert and ping are also not working from the Windows machine for IP 10.190.50.3.
This Memorystore instance is created in the host project of the VPC.
I found the public documentation, updated recently:
1. The connecting client must be on the same network and in the same region (a different zone within the same region is also OK) as your Cloud Memorystore for Redis instance.
2. If you are using a Shared VPC network across multiple projects, you can connect to a Redis instance that is deployed on the shared VPC network in the host project. Connecting to a Redis instance that is deployed on a shared VPC network in a service project is not supported.
Also, here is the link on how to connect to the Redis instance from a Compute Engine VM.
Unfortunately, accessing Memorystore from a service project is currently not supported in Shared VPC.
Now we can deploy GCP's Memorystore in the shared network using a private connection. Refer to this link for more details.
Steps below:
Verify or establish a private services access connection for the network in the host project that you use to create your Redis instance.
Make sure the Service Networking API is enabled for both the host project and the service project.
Follow the steps from Creating a Redis instance on a VPC network, but make the following modifications:
a. Complete the optional step for setting up a private services access connection.
b. Use the Authorized VPC Network dropdown to select the Shared VPC network from the host project. It is listed under Shared VPC Networks.

What will be the DNS name for Virtual Machine instance created in IBM Bluemix?

I have created a Virtual Machine in Bluemix. I have installed the NGINX web server on it. To access the web application that is deployed on NGINX, should I use a public IP address (e.g. http://123.456.78.9) or is there a domain name associated with the instance (something like http://abcxyz.bluemix.net)?
When you launch any VM in the cloud, by default it should not be accessible from the public internet unless you attach a public IP address to it.
Once you have attached a public IP address to your instance and configured the firewalls to allow incoming connections (HTTP, SSH, etc.), you can update your DNS server to direct traffic there.
AWS creates a public FQDN at the time of launching EC2 instances, such as
ec2-nn-nn-nn-nn-region-compute.com (where nn are IP address bits); I'm not sure whether there is anything similar with Bluemix, but it is less likely to have abcxyz.bluemix.

How to setup static IP to VM hosted on Google Compute Engine instance

I am wondering if there is a way to set up a static IP address for a virtual machine (VirtualBox) hosted on a GCE VM instance (as a VM host).
I want to run two VirtualBox VMs on my GCE VM instance, and I want to access them publicly.
Yes, you can do this, but you should also consider whether you want the additional overhead of running one virtual machine (VirtualBox) inside of another virtual machine (GCE VM). Running directly on GCE VMs would be more efficient and you can easily create/destroy/control these VMs via Google Cloud Platform APIs.
In addition, if you are already using an automation framework for your VirtualBox VMs such as Vagrant, note that Vagrant natively supports GCE VMs, so with a few changes to your configuration, you can use Vagrant to create/modify/connect/destroy your GCE VMs as easily as you would local VirtualBox VMs.
As an alternative to static external IPs, consider also using a domain name mapping to ephemeral external IP(s) of your instance(s). You can use Google Cloud DNS to manage your DNS mappings.
For more info on static external IPs, see the docs:
Static external IP addresses
If you need a static external IP address that is assigned to your project and persists until you explicitly release it, you can reserve a new static external IP address or promote an ephemeral external IP address to a static external IP address. Use gcloud compute with the addresses create command or make a PUT request to the appropriate regional Addresses collection to reserve a static external IP address.
Static external IP addresses assigned to instances are a regional resource and you must select the region where the IP address will belong to when you create the address.
[...]
Restrictions
Static external IP addresses can only be used by one resource at a time. You cannot assign a static external IP address to multiple resources.
There is no way to tell whether an IP address is static or ephemeral after it has been assigned to a resource, except to compare the IP address against the list of static external IP addresses reserved to that project. Use the addresses list sub-command to see a list of static external IP addresses available to the project.
Note that static external IPs also come with some cost:
IP address pricing
Type                                                             Price/Hour
Static IP address (assigned but unused)                          $0.01
Static IP address (assigned and in use)                          No charge
Ephemeral IP address (attached to instance or forwarding rule)   No charge
I solved that issue in 2 steps:
First, delete the current (possibly ephemeral) IP configuration:
gcloud compute instances delete-access-config <instance> --access-config-name "External NAT" --zone=<zone>
Where <instance> is the name of the instance you want to update, and External NAT is the name of the configuration, which probably has that value because it is the default one. You can check it by running this:
gcloud compute instances describe <instance> --zone=us-west1-a
Then add the static one.
If you want to bind a static address, probably in order to bind it to a DNS name, execute something like this:
gcloud compute instances add-access-config <instance> --access-config-name="External NAT" --address=xxx.xxx.xxx.xxx --zone=<zone>
Remember to always append --zone to any gcloud command to avoid ambiguity. You can get the address from the valid addresses configured in your project, which can be obtained like this:
gcloud compute addresses list
Don't use the NAME but the ADDRESS. You should pick an address in the same zone as your instance. Once the address is attached, you will see that the STATUS field of the last query says IN USE.
Et voila!

Amazon EC2 SSH server sent: ( publickey, gssapi-keyex,gssapi-with-mic)

I get this error message when trying to connect with ssh.
Disconnected: No supported authentication methods available (server sent: publickey,gssapi-keyex,gssapi-with-mic)
I created an instance (CentOS), generated my webserver.pem, imported that into puttygen and output a ppk.
I have seen that it may be a permissions issue with ~/.ssh on the server, but how can I change the permissions on the server without SSH access to the server? Is there another way to connect that I am not aware of? I am quite new to the Amazon EC2 stuff.
I am on a Windows system right now, using putty.
My security groups were incorrect. I remade the instance with the correct security groups.
The steps below worked for me.
Edit the sshd_config file: sudo vi /etc/ssh/sshd_config
Search for PasswordAuthentication.
If it is no, change it to yes. For me it was commented out. If so, uncomment it.
Restart the sshd service: sudo systemctl restart sshd.service
Done.
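A way to see what sshd will actually use for a keyword before editing, as an added example that is not part of the answer above: a small POSIX shell parser that applies OpenSSH's first-match rule to a constructed sshd_config (the sample file, the helper names and the keywords queried are assumptions). On a real host, sudo sshd -T prints the authoritative effective configuration.

```shell
# Added example (not from the answer above): print the value sshd will actually
# use for a keyword. OpenSSH keeps the FIRST value it reads for a keyword, so a
# later "PasswordAuthentication yes" is ignored if an earlier line already said
# "no", and a commented-out line has no effect at all (the compiled-in default
# applies; for PasswordAuthentication that default is yes). Lines inside Match
# blocks are skipped because they apply only conditionally. Files pulled in by
# Include are not followed here (a simplification of this example).

effective_sshd_option() {
  # $1: sshd_config path, $2: keyword (case-insensitive), $3: default value
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  in_match=0
  result=""
  while read -r key val rest; do
    lc=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
    case "$lc" in
      ""|\#*) ;;                          # blank line or comment: ignore
      match) in_match=1 ;;                # everything after this is conditional
      *) if [ "$in_match" = 0 ] && [ "$lc" = "$want" ] && [ -z "$result" ]; then
           result=$val                    # first global occurrence wins
         fi ;;
    esac
  done < "$1"
  printf '%s\n' "${result:-$3}"
}

password_auth_disabled() {
  # Exit 0 when the config leaves password logins off, 1 otherwise
  [ "$(effective_sshd_option "$1" PasswordAuthentication yes)" = no ]
}

write_sample_config() {
  # Constructed sample, modelled on a typical cloud image: password auth is
  # disabled explicitly, the template line below it is commented out, and a
  # Match block re-enables it for one user only.
  cat > "$1" <<'EOF'
Port 22
PasswordAuthentication no
#PasswordAuthentication yes
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}
```

On the sample, effective_sshd_option reports "no" for PasswordAuthentication even though a "yes" line exists further down, which is the situation the answer's "uncomment it" step runs into.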
These are the basic steps generally followed when working with a public cloud to create a virtual machine and connect to it.
Create a Virtual Cloud Network / Virtual Private Cloud.
Create an Internet Gateway and ensure the Route Table for the VCN has an entry to route internet-bound traffic (destination 0.0.0.0/0) to the internet gateway.
Create a Virtual Machine (Linux in this case), ensure it has a public IP (the VM must be created in a public subnet), and download the key pair (in this example it was in PEM format).
Create a Security Group and ensure an ingress rule from source 0.0.0.0/0, protocol TCP, destination port 22.
Associate the VM with the Security Group at the VNIC level, either at the time of creating the VM or after creation.
From Oracle Cloud documentation -
Just having an internet gateway alone does not expose the instances in the VCN's subnets directly to the internet. The following requirements must also be met:
The internet gateway must be enabled (by default, the internet gateway is enabled upon creation). The subnet must be public. The subnet must have a route rule that directs traffic to the internet gateway. The subnet must have security list rules that allow the traffic (and each instance's firewall must allow the traffic). The instance must have a public IP address.
Now, connecting to the VM using PuTTY, you are basically doing:
ssh -i private_key user@ip_address
a. Use puttygen and load the private PEM key that you downloaded. Once it is successfully imported, save the private key (optionally with a passphrase) as a PPK on your local machine (for example "your_pvt_key_name.ppk").
b. Use putty to connect to the VM's public IP. Ensure that the private key is provided for authentication when connecting to the VM: in the section Connection->SSH->Auth, browse for "your_pvt_key_name.ppk", then go back to Session and "Open" the VM. If the VM is on a public subnet with the correct route table entry, you should see the login screen. If the VM is not reachable from the internet, it won't connect!
c. Once you see the login screen comes the most important step, which is the probable cause of the above error: log in with the correct user name, such as "ec2-user" in AWS or "opc" in OCI. Using an incorrect user name results in this error:
No supported authentication methods available (server sent: publickey,gssapi-keyex,gssapi-with-mic)