Access user VMs

This page describes how to access user VMs from a host with a VPN tunnel connection.

Hosts in the remote network with a VPN tunnel connection to a GDC organization can access the primary interface of organization user VMs, assuming egress and ingress traffic to the project containing the user VM is allowed.

Before you begin

To configure ingress and egress traffic for a VPN tunnel, you must have the following:

  • An existing VPN tunnel. For more information, see Create a VPN tunnel.
  • Egress and ingress traffic enabled for the project containing the VM. For more information, see Control ingress and egress traffic.
  • The necessary identity and access roles:

    • VPN Admin: has read and write permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Admin (vpn-admin) role.
    • VPN Viewer: has read permissions on all VPN-related resources. Ask your Organization IAM Admin to grant you the VPN Viewer (vpn-viewer) role.
    • Project VirtualMachine Admin: manages VMs in the project namespace. Ask your Organization IAM Admin to grant you the Project VirtualMachine Admin (project-vm-admin) role.
    • For more information, see Role definitions.

Access the user VM

Follow these steps to access the primary interface of the user VM:

  1. Get the interfaces of the user VM by viewing its respective VirtualMachine object in the org admin cluster:

    kubectl --kubeconfig MANAGEMENT_API_SERVER get -n PROJECT_NAME gvm VM_NAME -ojson | jq '.status.network'
    

    Replace the following:

    • MANAGEMENT_API_SERVER: the zonal API server's kubeconfig path. If you have not yet generated a kubeconfig file for the API server in your targeted zone, see Sign in for details.
    • PROJECT_NAME: the name of the project that contains the VM.
    • VM_NAME: the name of the VirtualMachine object.

    The output looks like the following example:

      [
        {
          "ipAddresses": [
            "172.16.19.189"
          ],
          "macAddress": "8a:fc:81:0b:41:dc",
          "name": "eth0"
        },
        {
          "ipAddresses": [
            "172.20.128.15/21"
          ],
          "macAddress": "56:1b:07:85:50:b3",
          "name": "eth1"
        }
      ]
    
  2. Hosts in the remote network with a VPN tunnel connection to a GDC organization can access user VMs through the primary eth0 interface:

    /home/ubuntu# ssh -i ~/vm-access user@172.16.19.189
    

    Note: For SSH access details, including retrieving a key for a VM, see Connect to a VM.
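The two steps above can be combined so that the SSH target always comes from the primary `eth0` entry and never from a secondary interface. The following is an added example, not part of the original page or of GDC tooling: the function names are hypothetical, the sample JSON is constructed from the output shown above, and the private-address check is an assumption of this example.

```python
import ipaddress
import json
import sys

# Constructed sample: the `.status.network` output shown on this page.
SAMPLE_STATUS_NETWORK = """
[
  {"ipAddresses": ["172.16.19.189"], "macAddress": "8a:fc:81:0b:41:dc", "name": "eth0"},
  {"ipAddresses": ["172.20.128.15/21"], "macAddress": "56:1b:07:85:50:b3", "name": "eth1"}
]
"""


def primary_address(status_network, primary="eth0"):
    """Return the first address of the primary interface as an ip_address object.

    Entries may be bare addresses or carry a prefix length ("172.20.128.15/21"),
    so each one is parsed with ip_interface, which accepts both forms.
    """
    for iface in status_network or []:
        if iface.get("name") != primary:
            continue
        addresses = iface.get("ipAddresses") or []
        if not addresses:
            raise ValueError(f"{primary} has no IP address yet")
        # ip_interface raises ValueError on anything that is not an IP address.
        return ipaddress.ip_interface(addresses[0]).ip
    raise ValueError(f"interface {primary} not found in status.network")


def ssh_argv(status_network, user, key_path):
    """Build an ssh argument list (no shell string) for the primary interface."""
    ip = primary_address(status_network)
    if not ip.is_private:
        # Assumption of this example: VM addresses reached over the tunnel are private.
        raise ValueError(f"{ip} is not a private address; refusing to build command")
    return ["ssh", "-i", key_path, f"{user}@{ip}"]


if __name__ == "__main__":
    # Use piped kubectl/jq output when present, otherwise the constructed sample.
    raw = SAMPLE_STATUS_NETWORK if sys.stdin.isatty() else sys.stdin.read()
    print(" ".join(ssh_argv(json.loads(raw), "user", "~/vm-access")))
```

Pipe the output of the `kubectl ... | jq '.status.network'` command from step 1 into the script to print the matching `ssh` command for step 2.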