This page describes special networking configurations of Compute Engine virtual machine (VM) instances, such as the following:
- Setting up an external HTTP connection to a VM
- Configuring a VM as a network proxy
Setting up an external HTTP connection to a VM
The default firewall rules do not allow HTTP or HTTPS connections to your instances. However, it is fairly simple to add a rule that does allow them. Note that a VM must have an external (static or ephemeral) IP address before it can receive traffic from outside its Virtual Private Cloud (VPC) network.
You can add a firewall rule to allow HTTP or HTTPS connections using the
gcloud
command-line tool or the
Google Cloud Console
. You can also add a
firewall rule through the
API.
You can use the Cloud Console to create an overall firewall rule for all instances on the VPC network, or you can allow individual instances access to HTTP and HTTPS connections by selecting the respective option when you create that instance. The latter option is described first, because it provides more control over individual instances.
- In the Cloud Console, go to the VM instances page.
- Click Create instance.
- In the Firewall section, select Allow HTTP traffic and Allow HTTPS traffic.
- Click Create to create the instance.
By selecting these checkboxes, the VPC network automatically
creates a default-http
or default-https
rule that
applies to all instances with either the http-server
or
https-server
tags. Your new instance is also tagged with the
appropriate tag depending your checkbox selection.
If you already have existing default-http
and
default-https
firewall rules, you can apply the firewall rule
to existing instances by enabling the Allow HTTP or
Allow HTTPS options on the instance's details page.
- Go to the VM instances page.
- Click the name of the desired instance.
- Click Edit button at the top of the page.
- Scroll down to the Firewalls section.
- Check the Allow HTTP or Allow HTTPS options under your desired VPC network.
- Click Save.
In a similar manner, you can also disable external HTTP or HTTPS access for a VM by unchecking one or both checkboxes.
By allowing specific instances to be tagged for HTTP and HTTPS traffic rather than creating an overall firewall rule that applies to all instances, Google Cloud limits the possible security implications of allowing external traffic to all virtual machines in a project. However, if you would like to create a firewall rule that allows HTTP or HTTPS traffic to all virtual machine instances, you can create your own firewall rule:
- Go to the VPC networks page.
- Select the VPC network where you would to apply the firewall rule.
- Under the Firewall rules section, click Add firewall rule.
- Name your firewall rule, and add
tcp:80
in the Protocols & Ports box, ortcp:443
for HTTPS traffic. - Click Create.
If you want to allow HTTP and HTTPS traffic to all virtual machines in a project, the following command creates a firewall that allows incoming HTTP and HTTPS requests from anywhere to any instance connected to this VPC network.
gcloud compute firewall-rules create FIREWALL_RULE --allow tcp:80,tcp:443
**Example**
gcloud compute firewall-rules create sample-http \ --description "Incoming http and https allowed." \ --allow tcp:80,tcp:443
gcloud compute firewall-rules describe sample-http
allowed:
- IPProtocol: tcp
ports:
- '80'
- '443'
creationTimestamp: '2014-06-13T13:27:12.206-07:00'
id: '5057780722612413546'
kind: compute#firewall
name: sample-http
network: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/networks/default
selfLink: https://www.googleapis.com/compute/v1/projects/[PROJECT_ID]/global/firewalls/samplehttp
sourceRanges:
- 0.0.0.0/0
Configuring a VM as a network proxy
You can design your VPC network so that only one instance has external access, and all other instances in the VPC network use that instance as a proxy server to the outside world. This is useful if you want to control access into or out of your VPC network, or reduce the cost of paying for multiple external IP addresses.
This particular example discusses how to set up a network proxy on VM instances that use a Debian image. It uses a gateway instance as a Squid proxy server but this is only one way of setting up a proxy server.
To set up a Squid proxy server:
- Set up one instance with an
external (static or ephemeral) IP address.
For this example, name your instance
gateway-instance
. - Set up one or more instances without external IP addresses by specifying
gcloud compute instances create ... --no-address
. For this example, call this instancehidden-instance
. - Learn how to connect from one instance to another because you will not be able to connect directly into your internal-only instances.
Add a firewall to allow tcp traffic on port 3128:
gcloud compute firewall-rules create [FIREWALL_RULE] --network [NETWORK] --allow tcp:3128
Install Squid on
gateway-instance
, and configure it to allow access from any machines on the VPC network (valid subnet IP addresses). This assumes thatgateway-instance
andhidden-instance
are both connected to the same VPC network, which enables them to connect to each other.user@gateway-instance:~$ sudo apt-get install squid3
Enable any machine on the local network to use the Squid3 server. The following
sed
commands uncomment and enable theacl localnet src
entries in the Squid config files for local networks and machines.user@gateway-instance:~$ sudo sed -i 's:#\(http_access allow localnet\):\1:' /etc/squid/squid.conf
user@gateway-instance:~$ sudo sed -i 's:#\(http_access deny to_localhost\):\1:' /etc/squid/squid.conf
user@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src 10.0.0.0/8.*\):\1:' /etc/squid/squid.conf
user@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src 172.16.0.0/12.*\):\1:' /etc/squid/squid.conf
user@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src 192.168.0.0/16.*\):\1:' /etc/squid/squid.conf
user@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src fc00\:\:/7.*\):\1:' /etc/squid/squid.conf
user@gateway-instance:~$ sudo sed -i 's:#\(acl localnet src fe80\:\:/10.*\):\1:' /etc/squid/squid.conf
# Prevent proxy access to metadata server user@gateway-instance:~$ sudo tee -a /etc/squid/squid.conf <<'EOF' acl to_metadata dst 169.254.169.254 http_access deny to_metadata EOF
# Start Squid user@gateway:~$ sudo service squid start
Configure
hidden-instance
to usegateway-instance
as its proxy. Use ssh to connect intohidden-instance
and define its proxy URL addresses to point togateway-instance
on port 3128 (the default Squid configuration) as shown here:user@gateway-instance:~$ ssh hidden-instance
user@hidden-instance:~$ sudo -s
root@hidden-instance:~# echo "export http_proxy=\"http://gateway-instance.$(dnsdomainname):3128\"" >> /etc/profile.d/proxy.sh
root@hidden-instance:~# echo "export https_proxy=\"http://gateway-instance.$(dnsdomainname):3128\"" >> /etc/profile.d/proxy.sh
root@hidden-instance:~# echo "export ftp_proxy=\"http://gateway-instance.$(dnsdomainname):3128\"" >> /etc/profile.d/proxy.sh
root@hidden-instance:~# echo "export no_proxy=169.254.169.254,metadata,metadata.google.internal" >> /etc/profile.d/proxy.sh
Update sudoers to pass these env variables through.
root@hidden-instance:~# cp /etc/sudoers /tmp/sudoers.new
root@hidden-instance:~# chmod 640 /tmp/sudoers.new
root@hidden-instance:~# echo "Defaults env_keep += \"ftp_proxy http_proxy https_proxy no_proxy"\" >>/tmp/sudoers.new
root@hidden-instance:~# chmod 440 /tmp/sudoers.new
root@hidden-instance:~# visudo -c -f /tmp/sudoers.new && cp /tmp/sudoers.new /etc/sudoers
Exit
sudo
, load the variables, and runapt-get
onhidden-instance
. It should now work using gateway as a proxy. If gateway were not serving as a proxy,apt-get
would not work becausehidden-instance
has no direct connection to the Internet.root@hidden-instance:~# exit
user@hidden-instance:~$ source ~/.profile
user@hidden-instance:~$ sudo apt-get update
Configuring a VM as a VPN gateway
This content has been deprecated and removed. For a managed VPN solution, see the Cloud VPN documentation.
Configuring a VM as a NAT gateway
This content has been deprecated and removed. For a managed NAT solution, see the Cloud NAT documentation.
Building high availability and high bandwidth NAT gateways
This content has been deprecated and removed. For a managed NAT solution, see the Cloud NAT documentation.
What's next
- To learn more about VPC networks, see VPC network overview.
- To create, modify, or delete VPC networks, see Using VPC networks.