I have deployed a flask application on a google app engine VM instance. Everything was going fine, I was editing my code locally, then deploying and debugging by looking at the logs, but after my last deployment, I am seeing the following error when I try to open the app in a browser:
Error: Server Error
The server encountered a temporary error and could not complete your request.
Please try again in 30 seconds.
Also, I am now unable to ssh into my App engine VM instance. Whenever I try to ssh, I get the following error:
port 22: Connection refused
(I was able to ssh into this VM earlier).
Now, I have a VPC network, which has the default firewall rules for allowing ssh ports. There is a section in the cloud platform dashboard where I can create firewall rules for App engine, but it is only for allowing IP addresses, and not ports (regardless, I have added my IP address in this firewall rule).
I also get the same error when I try to SSH through the web cloud platform dashboard.
Most of the related pages on StackOverflow I found about this error are
people not being able to SSH into compute engine VMs. I'm stuck and have no idea what to do to be able to SSH into my App Engine VM.
I am also not seeing any logs when I use the "gcloud app logs read" command.
Edit: Following are my App Engine firewall rules :
Following are the firewall rules for my VPC network:
Sounds like a firewall problem if you can't ssh in from the Cloud Console. Can you post your firewall rules?
Related
I deployed a Django app to Google app engine flexible env, and it uses a Postgresql db from google cloud sql.
The website could be open, but if I refresh the page at a very short interval, then the website will fail with sometime error saying
Exception Value:
could not connect to server: No such file or directory
Is the server running locally and accepting
connections on Unix domain socket "/cloudsql/[my-db-connection-name]/.s.PGSQL.5432"?
I wonder why could it fail? Does it mean Google app engine or cloud sql sucks? Should I switch to Heroku or AWS?
It looks like you are not connecting to your Cloud SQL Instance correctly. Make sure you are connecting from App Engine flexible environment to Cloud SQL following the instructions from this link [1].
If your instance has public IP address use this link [2] or if your instance has private IP address use this link [3] to configure connectivity for your Cloud SQL instance.
[1] https://cloud.google.com/sql/docs/postgres/connect-app-engine-flexible
[2] https://cloud.google.com/sql/docs/postgres/configure-ip
[3] https://cloud.google.com/sql/docs/postgres/configure-private-ip
I have the following use case:
Application is deployed on App Engine Flex environment.
Application fetches data from an FTP server on API request.
FTP server can only be accessed through a custom VPN.
Can I access the FTP server from an App Engine Flex environment? If so, what would I need?
Apologies if this is not clear, I am not a network/devOps person.
As a solution, you can connect your on-premises network and application deployed to App Engine Flex via Google Cloud VPN:
Cloud VPN securely connects your peer network to your Google
Cloud (GCP) Virtual Private Cloud (VPC) network through an
IPsec VPN connection. Traffic traveling between the two
networks is encrypted by one VPN gateway, then decrypted by the other
VPN gateway. This protects your data as it travels over the internet.
You can also connect two instances of Cloud VPN to each other.
App Engine Flexible Environment is based on Google Compute Engine and consequently can connect to your remote network via Cloud VPNs. As described in the documentation Configuring your App with app.yaml, you can specify network settings in your app.yaml configuration file:
... app in App Engine is configured using an app.yaml file, that
contains CPU, memory, network and disk resources, scaling, and other
general settings including environment variables.
I have set up 2 projects in my Google Cloud console. The following are the two projects that I have set up in my console.
1. Cloud SQL + App Engine
2. App Engine (New)
So the idea is App Engine (1) is running the same database as App Engine (2). I have already set up the IAM Permission Page and IAM Admin and Project Page.
I have given both projects as Project Editor role too, but still my (2) still can't connect to my (1) database.
Any help please?
Granting access to an application does not automatically enable a database user account to connect to the instance.
You may connect through a proxy, in which case you should follow these steps:
Enable the API
Install the proxy client on your local machine
Determine how you will authenticate the proxy
If required by your authentication method, create a service account
Determine how you will specify your instances for the proxy
Start the proxy
Update your application to connect to Cloud SQL using the proxy
You can find related details on the Connecting to Cloud SQL from External Applications.
This documents provides steps that cover configuring access for IP connections as well.
If you connect from within the app engine environment, you may have a look at Connecting from App Engine.
I have a dotnet core 2.0 application running in Google App Engine Flexible Environment. Within the same Google project I have a Cloud SQL - MySQL database. On the Cloud SQL Instance details page, under the Authorizations tab, it states
Apps in this project: All authorized.
However, I cannot access the database from my application unless I add the 0.0.0.0/0 route to the Authorized networks section.
What can I do to give my application db access without opening my database to the world?
Update 2018-05-21 from Jeffery Rennie (accepted answer)
App Engine now supports connecting to a Cloud SQL instance using a port number instead of a unix domain socket. So now, you can add something like this to your app.yaml:
beta_settings:
cloud_sql_instances: "your-project-id:us-central1:instance-name=tcp:5432"
And specify Host=cloudsql in your connection string in your appsettings.json:
"ConnectionString": "Uid=aspnetuser;Pwd=;Host=cloudsql;Database=visitors"
In the sample above, the port is 5432, which is the default port for a PostgreSQL database. For a MySQL database, use port 3306.
A full example with instructions for deploying to App Engine can be found here:
https://github.com/GoogleCloudPlatform/dotnet-docs-samples/tree/master/appengine/flexible/CloudSql
The ideal solution is to use a unix domain socket to connect from your app engine instance to Cloud SQL. That's how other programming languages like Python and PHP do it. Unfortunately, the MySQL connector does not work with domain sockets. I see no reason why it can't, but it doesn't. I hope they fix that issue soon.
As described in https://cloud.google.com/appengine/kb/#static-ip,
Note that using static IP address filtering is not considered a safe
and effective means of protection. For example, an attacker could set
up a malicious App Engine app which could share the same IP address
range as your application. Instead, we suggest that you take a defense
in depth approach using OAuth and Certs.
If certificates are not sufficient to protect your application, then the only remaining option I see today is to build a custom runtime that runs the Cloud SQL Proxy. The proxy can forward a local ip port number to a unix domain socket. If you have built a docker image or two, then it's not too bad.
I will update this answer as the situation improves.
Update 2018-05-21
App Engine now supports connecting to a Cloud SQL instance using a port number instead of a unix domain socket. So now, you can add something like this to your app.yaml:
beta_settings:
cloud_sql_instances: "your-project-id:us-central1:instance-name=tcp:5432"
And specify Host=cloudsql in your connection string in your appsettings.json:
"ConnectionString": "Uid=aspnetuser;Pwd=;Host=cloudsql;Database=visitors"
In the sample above, the port is 5432, which is the default port for a PostgreSQL database. For a MySQL database, use port 3306.
A full example with instructions for deploying to App Engine can be found here:
https://github.com/GoogleCloudPlatform/dotnet-docs-samples/tree/master/appengine/flexible/CloudSql
While you are not wrong that "apps in this this project: All authorized" seems to suggest you can out-of-the-box just use your App Engine app with Cloud SQL, but there are limitations.
First of all, your Cloud SQL needs to be a 2nd generation instance, and secondly, there are specific instructions that's dependent on the language you use and the App Engine type (standard or flex).
If your situation fit all the requirements, it should work.
For your specific use case, you need the .Net instructions, it does say you need to add a network with 0.0.0.0/0 access and an user account. The user authentication + SSL should provide the security you need.
I have a rails application deployed on google app engine. I visit myapp.com/resque with a local redis server running and it works. When doing this in production, I cant seem to connect. I have a redis vm instance deployed on google compute engine and I cannot redis-cli -h 123.123.123:6379 into it on any of the servers. It only returns Could not connect to Redis at 11.111.11.1:6379: Connection refused. I've tried using both the internal and external IPs and no luck.
I had the same issue.
It was due to bind in redis conf. By default redis was binded to only 127.0.0.1
It's in redis.conf file
bind 127.0.0.1
As mentioned in redis security link its there so that only trusted clients are allowed to connect and by default its only localhost