Access HTTP servers running on a workstation

By default you can access HTTP ports 80 and ports 1024 to 65535 on your workstations from your browser. You can restrict the ports you can access on your workstations by setting allowedPorts in the workstation configuration.

Running workstations have a host property that you can use to connect using HTTP from a remote browser. You can find the host property by getting details for a running workstation through the API, Google Cloud CLI, the Google Cloud console, or by printing the $WEB_HOST environment variable, which is automatically set inside your workstation. The URL connects on port 80 by default.

Default workstation URL format

The host property URL uses the following format by default:

https://PORT-WORKSTATION_NAME.CLUSTER_ID.cloudworkstations.dev

The placeholders represent the following:

  • PORT: the port number, which is port 80 by default.
  • WORKSTATION_NAME: the workstation name.
  • CLUSTER_ID: the randomly generated cluster identifier
  • cloudworkstations.dev: the default domain name for a workstation.

    URLs for custom domains use a different format. For more about setting up custom domains in Cloud Workstations, see Set up custom domains for Cloud Workstations.

Connect to a different port by changing the URL

In order to connect on a different port, specify a different port number as a prefix. For example, the following URL connects to port 9900:

https://9900-myworkstation.cluster-12345abcde.cloudworkstations.dev

In this example, note the following:

  • 9900: represents the port number.
  • myworkstation: represents the workstation ID.
  • cluster-12345abcde: represents the cluster identifier.
  • cloudworkstations.dev: represents the default domain name for a workstation.

These URLs require user authentication. To access these URLs, you must be logged in and must have the Cloud Workstations User IAM role, roles/workstations.user, or the workstations.workstations.use permission.

Connecting to an HTTP app from Google Cloud console

You can connect to an HTTP app running on a workstation from the Google Cloud console.

For any running workstation that you have permissions to use, you see a Launch button. By default, this button connects on port 80. You can click the arrow_drop_downexpander arrow next to Launch to see alternative connecting options. The Connect to web app on port option lets you specify a different port to connect to.

Connecting to an HTTP app from the base editor

To connect to an app running on your workstation from the base editor, follow either of these instructions:

  • Click localhost links in the terminal. The base editor automatically redirects localhost links to the right URLs.

    1. To open a terminal window, click menu Menu > Terminal > New Terminal. Alternatively, press Control+Shift+` (or Command+Shift+` on macOS).

    2. At the command prompt, run the following command to display the localhost link:

      echo http://localhost:PORT
      

      Replace PORT with a port number such as 80 or 8080.

    3. Hold Control (or Command on macOS) and then click the localhost link.
      This opens PORT-WORKSTATION-HOSTNAME in your browser.

  • Use the browser window: navigate to https://PORT-WORKSTATION-HOSTNAME, where PORT is the port number and WORKSTATION-HOSTNAME is your workstation hostname.

Restricting port access for a workstation

To restrict the ports that can be accessed on a workstations, set the allowedPorts in the workstation configurations.

To restrict a single port, set the PortRange first and last fields to the same port number.

By default ports 22, 80 and 1024-65535 are allowed.

To create a workstation configuration with restricted port access to 80 and 8080 to 8100, run the following Google Cloud CLI command:

    gcloud beta workstations configs create CONFIG \
        --cluster=CLUSTER \
        --region=REGION \
        --project=PROJECT \
        --allowed-ports=first=80,last=80 \
        --allowed-ports=first=8080,last=8100

CORS preflight requests

By default, the workstations service makes sure that all requests to the workstation are authenticated with a cookie or authentication header.

Cross-Origin Resource Sharing (CORS) preflight requests don't include cookies or custom headers, and so are considered unauthenticated and blocked by the workstations service. Administrators can optionally allow unauthenticated CORS preflight requests through to the workstation, where it becomes the responsibility of the destination server in the workstation to validate the request.

To allow unauthenticated CORS preflight requests, run the following Google Cloud CLI command:

    gcloud beta workstations configs update CONFIG \
        --cluster=CLUSTER \
        --region=REGION \
        --project=PROJECT \
        --allow-unauthenticated-cors-preflight-requests