In GCP, how can we check if the Compute Engine instances are not accessible on port 8080? Is there any API where we can check and validate this scenario?
- SSH into your instance and run this command to get an overview: `netstat -pltn` – dany L Dec 28 '21 at 15:45
- You can also use port scanning https://linuxhint.com/port_scan_linux/ – dany L Dec 28 '21 at 15:50
- @danyL Thanks for the reply. Can we get this info from Cloud Asset Inventory? – Alex Man Dec 28 '21 at 17:21
- Do you want to use Connectivity test from Network Intelligence Center? https://cloud.google.com/network-intelligence-center/docs/connectivity-tests/reference/networkmanagement/rest/v1/projects.locations.global.connectivityTests – guillaume blaquiere Dec 28 '21 at 17:34
- You can perform a telnet to the machine IP:PORT or use connectivity test. – guillaume blaquiere Dec 28 '21 at 17:39
- @guillaumeblaquiere But that requires me to log in to the instance to check that, right? That will be a slow process, since my list is very big. – Alex Man Dec 28 '21 at 17:41
- Is the port 8080 exposed externally? Why do you need to log into the VM to check the port exposure? – guillaume blaquiere Dec 28 '21 at 18:53
- @guillaumeblaquiere Then how can we check that? – Alex Man Dec 28 '21 at 19:13
- Let me know from where you want to test the accessibility. From the public internet? Do you have a public IP, do you have a load balancer? – guillaume blaquiere Dec 28 '21 at 20:02
- Not sure from cloud asset but there is another product that can analyze http traffic https://cloud.google.com/security-command-center/docs/concepts-vulnerabilities-findings#firewall-findings – dany L Dec 28 '21 at 20:57
1 Answer
There are many ways of doing what you want - however there are a few factors that I don't know, so this answer may sound a bit generic in a few places.

- Scenario 1 - instances have to be accessible from the Internet
  - check if the firewall settings allow incoming traffic to your instances on port 8080 (you can use cloud console or `gcloud`).
  - if there isn't such a rule you have to create one - it's best to label your instances and create a proper rule.
  - now you can actually check if there's anything running on port 8080 - if this is a web app / API you can just use `curl host.ip:port 2> errors.log`.

  You mentioned you have a lot of instances to check, so some script would be handy - have a look at this SO answer on how to create one that will read the addresses from a file.

  If you want to do it like a pro use Ansible - here's a useful answer that will be helpful for this.
- Scenario 2 - instances are not available from the Internet
  - you need to run the mentioned instance checking script from within the VPC your instances are in. Create a new VM for this purpose and run the script from there. If your instances are spread across many VPCs you need to create a VM in each of them and run the script.

  And you can automate this with Ansible - even create/test instances & delete VMs. This may sound like overkill, but everything depends on how often you need to run those tests and on the number of VMs you need to test.

Also there's a question of testing if the ports are open from inside the instances.

- if they are running Linux then dany L's suggestion is a good one. But since you have to repeat that many, many times Ansible may again be a good way to do this - have a look at another answer describing how to run a command on the target host.
- if they are running Windows then it's more complicated but you can use the `netsh firewall` command - and again - using Ansible is possible.

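The firewall check from Scenario 1 can be done for a whole fleet without logging in to any VM, by evaluating exported firewall rules against exported instance data. The following is an added example, not code from the answer or from Google: it assumes the JSON shape of the Compute Engine `firewalls` and `instances` resources, uses constructed sample data, and ignores `targetServiceAccounts`, `sourceTags` and hierarchical firewall policies. A `True` result only means the VPC firewall would let the packet through, not that a service is listening on the port.

```python
import ipaddress
def covers_port(entries, port):
    """True if an allowed/denied entry covers tcp/<port>; no 'ports' key means all ports."""
    for e in entries:
        if e["IPProtocol"] in ("tcp", "all"):
            for spec in e.get("ports") or [str(port)]:
                lo, _, hi = spec.partition("-")
                if int(lo) <= port <= int(hi or lo):
                    return True
    return False

def applies(rule, inst, source_ip, port):
    """Does this ingress rule match source_ip -> tcp/port on the instance?"""
    if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
        return False
    if rule["network"] not in [n["network"] for n in inst["networkInterfaces"]]:
        return False
    tags = rule.get("targetTags")  # no targetTags: rule targets every VM in the network
    if tags and not set(tags) & set(inst.get("tags", {}).get("items", [])):
        return False
    src = ipaddress.ip_address(source_ip)
    if not any(src in ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])):
        return False
    return covers_port(rule.get("allowed", []) + rule.get("denied", []), port)

def reachable(inst, rules, source_ip, port=8080):
    """Lowest priority number wins, deny beats allow on a tie, no match is the implied deny."""
    hits = [r for r in rules if applies(r, inst, source_ip, port)]
    best = min(hits, key=lambda r: (r.get("priority", 1000), "allowed" in r), default=None)
    return best is not None and "allowed" in best

# Constructed sample shaped like `gcloud compute ... list --format=json`; all names made up.
NET = "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/default"
RULES = [
    {"name": "allow-web", "network": NET, "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8000-8100"]}]},
    {"name": "deny-locked", "network": NET, "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["locked"],
     "denied": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
]
INSTANCES = [
    {"name": "vm-a", "tags": {"items": ["web"]}, "networkInterfaces": [{"network": NET}]},
    {"name": "vm-b", "tags": {"items": ["web", "locked"]}, "networkInterfaces": [{"network": NET}]},
    {"name": "vm-c", "networkInterfaces": [{"network": NET}]},
]
def audit(source_ip="203.0.113.10", port=8080):
    return {i["name"]: reachable(i, RULES, source_ip, port) for i in INSTANCES}
```

With real data, replace `RULES` and `INSTANCES` with the parsed output of `gcloud compute firewall-rules list --format=json` and `gcloud compute instances list --format=json`.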