I’ve a question regarding a Compute Engine VM and its associated privileges. I have ‘Owner’ privileges at Project level. I created a VM but was not able to assign an external IP address to it. Upon referring to the Google Cloud docs, it appears that I’ll still be able to connect to this VM using VPN or IAP. Upon clicking the SSH link next to the VM, I see that it uses a Cloud IAP tunnel, but the connection fails.

Here is the error message:

    External IP address was not found; defaulting to using IAP tunneling.
    ERROR: (gcloud.compute.start-iap-tunnel) Error while connecting [4003: u'failed to connect to backend'].
    ssh_exchange_identification: Connection closed by remote host
    ERROR: (gcloud.compute.ssh) [/usr/bin/ssh] exited with return code [255].

How do I go about connecting to this VM?

Appreciate your help with this

blong
Shiva
  • Edit your question and include the firewall rule for SSH. If you don't have one, create one. However, please be more detailed on error messages. If you have Project Owner, you can assign an external IP address; otherwise you might be using a different account that does not. – John Hanley Sep 21 '19 at 03:14
  • Related (with a focus on Ansible, but a lot of transferable information): https://stackoverflow.com/q/58996471/320399 – blong May 18 '21 at 15:38

5 Answers

Firewall rules that are configured to allow access from Cloud IAP's TCP forwarding netblock, 35.235.240.0/20, on all ports of your machine. This ensures that connections are allowed from Cloud IAP's TCP forwarding IP addresses to the TCP port of the admin service on your resource. Note that you might not need to adjust your firewall rules if the default-allow-ssh and default-allow-rdp default rules are applied to ports used for SSH and RDP.

As you probably already have default-allow-ssh, instead of trying:

gcloud compute start-iap-tunnel stage-es-kibana 5601 --local-host-port=localhost:5601

jump to the port via an extra SSH layer:

gcloud compute ssh stage-es-kibana -- -N -L 5601:localhost:5601

or open Google Firewall between host/port stage-es-kibana:5601 and subnet 35.235.240.0/20.

gavenkoa
  • The key part here is adding the firewall rule specified in https://cloud.google.com/iap/docs/using-tcp-forwarding#tunneling_ssh_connections – mafrosis Jul 10 '20 at 05:50
  • @mafrosis In case you want tunnelling to actually work as stated by the `gcloud` CLI (like RDP, etc.). But it is still possible to pass a port via standard SSH (as you'll probably already have the rule `default-allow-ssh`) without adding other firewall rules, keeping only port `22` open to subnet `35.235.240.0/20`. – gavenkoa Jul 10 '20 at 07:34
  • In other words, as long as you are able to make an SSH connection you can tunnel any port via an SSH tunnel (option `-L`), avoiding proprietary firewall rules! In any case IAP is not for bulk transfer and **parallel connections are forbidden** from the same OS, as they use a shared SQLite DB without proper locks, so it is only for rescue shell connections, not for a proper VPN. – gavenkoa Jul 10 '20 at 07:39
  • Yes, agreed. I think for people arriving at this question via Google it's useful to highlight the specific firewall documentation for IAP. – mafrosis Jul 10 '20 at 09:30

This is a permissions issue. You are trying to SSH into your VM through Google's IAP proxy. You don't have permissions to create the tunnel from your computer to the proxy server.

You need to have the role "roles/iap.tunnelResourceAccessor" to SSH to your VM.

Priyesh Patel
  • Does this support connections via a private IP address? – blong May 06 '21 at 21:10
  • Even though the question made it clear that the user account in use had owner privileges, which include 'iap.tunnelResourceAccessor' permissions, I think this answer is still helpful for people with the same kind of error message. In my case I was using a non-organizational user account which had only editor permissions. So I was lacking the 'iap.tunnelResourceAccessor' permission and received the same error message as above. – p13rr0m Jul 05 '21 at 17:09

It seems that the GCP Compute Engine VM needs to initialize SSH and other services after it reaches RUNNING status. I used a workaround by adding a sleep (60 sec) command after starting the VM and before SSHing through the IAP tunnel.

Jijo John

In my case I solved or worked around it by omitting the --tunnel-through-iap parameter that is passed to gcloud compute ssh.

Chris Stryczynski

Try opening the Google firewall for subnet 35.235.240.0/20.

Kasyful Anwar