Issue
I'm currently in the process of building up a cloud environment for an application deployment and running into issues with connecting to a running Node/Express REST API server via HTTP/S. I'm using GCE as my VM provider and to start off with am just trying to test out the API service from my personal machine. I'd like to avoid Docker Compose if possible for now, since I would like to build up to a Kubernetes deployment instead after getting accustomed to Docker.
Also, my VM firewall settings do allow HTTP and HTTPS requests into the machine.
I've been able to SSH into my instance using the external IP for the VM and set up a running docker container. I've then tried to publish the same ports 443 and 81 using the run command at XX.XXX.XX.XXX:81:81.
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
cf3f315dd947 repo/dev-api:latest "docker-entrypoint.s…" 3 minutes ago Up 3 minutes 0.0.0.0:81->81/tcp, 443/tcp api
I would like to do an HTTPS setup right after this but hope to get this HTTP sorted out first. My server runs correctly and listens at both ports 443 for HTTPS and 81 for HTTP (port 80 causes my VM to disconnect from SSH completely but that's a topic for another question). However, using my browser to connect directly to the external IP at either port 443 or 81, using any combination of https:// or http://, I still get a "This site can't be reached" error.
I've also tried pinging the VM - it works fine for a direct ping to the external IP but not with http:// prepended to the IP.
I'd really appreciate your help on this - thank you for your time.
Solution
Your issue is that traffic on ports 81 and 443 doesn't get to your VM.
You have to check two firewalls.
First check the GCP firewall and see if a proper rule allowing incoming traffic on ports 81 and 443 exists.
One is the VM firewall. I'm taking an educated guess it's Linux based. By default most Linux systems don't block any incoming traffic.
If it doesn't, you can create one with gcloud compute --project=my-proj-name firewall-rules create test-rule1 --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:81,tcp:443 --source-ranges=0.0.0.0/0 --target-tags=docker-test-vm (you have to add docker-test-vm network tag to your VM for it to work).
If you still can't connect, check your VM's firewall. I assume it's Linux based.
To verify this run this command: sudo iptables -L; you should see something like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
This is the default firewall configuration, which means all traffic (in & out) is allowed.
You can read more about iptables here.
To further verify this you can run sudo netstat -tulpn | grep LISTEN to get a list of open ports (81 and 443 should be on the list).
If they're not, check if your service is running correctly and listening on a given port. Try restarting it if it doesn't and repeat the last step.
You can have a look at my similar answers concerning troubleshooting lack of connectivity:
- Unable to connect to gcloud
- Python on GCE: connection failed because connected host has failed to respond
- Google Cloud Platform Why if I declare a firewall rule it doesn't work?
Answered By - Wojtek_B
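Added example (not part of the original question or answer): the docker ps line in the question shows 0.0.0.0:81->81/tcp but only 443/tcp, and an entry without "->" has no host mapping, so that port is exposed by the image but not published on the VM. The function below classifies a port from the PORTS column; the names port_state, report and SAMPLE_PORTS are assumptions made for illustration, and port ranges are not handled.

```shell
#!/bin/sh
# Classify a container port from the PORTS column of `docker ps`.
# On a live host the column can be read with:
#   docker ps --filter name=api --format '{{.Ports}}'

# port_state PORTS_STRING PORT  -> prints one of
#   published:<host_ip>:<host_port>   host mapping exists
#   exposed-only                      declared by the image, not published
#   absent                            not mentioned at all
# The body is a subshell, so IFS and `set -f` do not leak to the caller.
port_state() (
    ports=$1 want=$2 state=absent
    IFS=','
    set -f                                  # no globbing while splitting
    for entry in $ports; do
        entry=${entry# }                    # drop the space after a comma
        case $entry in
            *"->$want/"*)                   # e.g. 0.0.0.0:81->81/tcp
                state="published:${entry%%->*}"
                break ;;
            "$want/"*)                      # e.g. 443/tcp
                state=exposed-only ;;
        esac
    done
    printf '%s\n' "$state"
)

# PORTS value copied from the docker ps output in the question.
SAMPLE_PORTS='0.0.0.0:81->81/tcp, 443/tcp'

# Print the state of each requested container port.
report() {
    for p in "$@"; do
        printf 'port %s: %s\n' "$p" "$(port_state "$SAMPLE_PORTS" "$p")"
    done
}

report 81 443 80
```

A port reported as exposed-only stays unreachable from outside regardless of the GCP rule or iptables policy, which makes this a quick check to run before changing either firewall.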