How to setup my custom domain on gcloud - google-app-engine

I tried using these guides:
https://cloud.google.com/dns/quickstart
https://cloud.google.com/dns/migrating
When I ping my domain, I get a response from my compute-engine external IP address, but my WebApp is not loading.
Am I missing something? I get ERR_CONNECTION_REFUSED

There is not enough information to definitely say what the issue is, but here are some suggestions to troubleshoot.
Have your registrar's name server records been updated?
Make sure the following consistently returns Google's name servers for your zone
$ dig +short NS example.com
Have Google's name servers propagated the change?
List your Google name servers -
$ gcloud dns managed-zones describe examplezonename
Verify they have propagated -
$ dig example.com @your_zone_nameserver
Are your A and CNAME records set correctly?
Next you should verify that the DNS reply returns the correct A and CNAME entries.
$ dig example.com A
$ dig example.com CNAME
Have you configured your IP and Firewall settings correctly?
You can follow the troubleshooting guide here or update your question with more details.
It appears that your web server may not be set up correctly and there does not seem to be any process listening on either port 80 or 443.
$ nmap queguia.com
Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-03 12:16 PDT
Nmap scan report for queguia.com (35.184.29.62)
Host is up (0.15s latency).
rDNS record for 35.184.29.62: 62.29.184.35.bc.googleusercontent.com
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
443/tcp closed https
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 10.21 seconds
Caveats
Please also keep in mind that DNS entries are cached and it can take some time for your changes to take effect.
Pings of your external IP are most likely answered by a load balancer and not your instance specifically.

Google Enterprise Support:
All App Engine services run by default (domain.appspot.com). In order to map your service on your own domain name, please read the following article https://cloud.google.com/appengine/docs/standard/python/console/using-custom-domains-and-ssl

Related

Google App Engine - Static IP address (Custom Domain)

I have a question regarding IP Address in Google App Engine. I know there is no way to have a static IP-address, but my client has set up a Custom Domain with some IP-addresses showing up. My problem is:
There is an endpoint (API) that they are connected on; the problem is that the destination requires IP-address and PORT to open in their firewall-policy. Since there is no "Static IP" on Google App Engine, can I use those IP-addresses showing under "data" in Google App Engine in Custom Domains?
Because when I enter the domain in my web-browser I see the same IP listed in Custom Domain. Can I send over those IP-addresses rather than the Pool of IP by running: nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8? Because those domains listed in nslookup are not shown in the network (remote address).
Thanks!
The result of running nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8 is not static. Google may introduce new _cloud-netblocks entries at any time.
In the Google Cloud documentation section Static IP Addresses and App Engine apps is the recommended approach to retrieve the IPs. You will have to run:
nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8
And then, from the response, you'll have to query each of the _cloud-netblocksN listed. Let's take this query response as an example:
Non-authoritative answer:
_cloud-netblocks.googleusercontent.com text = "v=spf1 include:_cloud-netblocks1.googleusercontent.com include:_cloud-netblocks2.googleusercontent.com include:_cloud-netblocks3.googleusercontent.com ?all
There are 3 _cloud-netblocksN listed, so you'll have to query them:
nslookup -q=TXT _cloud-netblocks1.googleusercontent.com 8.8.8.8
nslookup -q=TXT _cloud-netblocks2.googleusercontent.com 8.8.8.8
nslookup -q=TXT _cloud-netblocks3.googleusercontent.com 8.8.8.8
The SPF records returned from the query of each of those above entries will be IP ranges that you can use for App Engine.
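The lookup procedure above can be automated by following every `include:` term and collecting the `ip4:`/`ip6:` ranges, which also copes with Google adding new _cloud-netblocksN entries. This is an added example, not code from the original answer or from Google; `collect_netblocks`, `address_allowed` and the `lookup_txt` callback are hypothetical names, and the TXT records are constructed samples using documentation address ranges.

```python
import ipaddress

# Constructed sample TXT records (documentation ranges, not Google's real data).
SAMPLE_TXT = {
    "_cloud-netblocks.googleusercontent.com":
        "v=spf1 include:_cloud-netblocks1.googleusercontent.com "
        "include:_cloud-netblocks2.googleusercontent.com ?all",
    "_cloud-netblocks1.googleusercontent.com":
        "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 ?all",
    "_cloud-netblocks2.googleusercontent.com":
        "v=spf1 ip6:2001:db8::/32 ip4:192.0.2.0/24 "
        "include:_cloud-netblocks.googleusercontent.com ?all",
}


def collect_netblocks(name, lookup_txt, seen=None):
    """Follow SPF include: terms from `name` and return the set of ip4/ip6 networks.

    lookup_txt(name) returns the TXT string or None; it is a hypothetical
    callback so the walk can use a real resolver or the constructed dict above.
    """
    seen = set() if seen is None else seen
    if name in seen:  # guard against include loops
        return set()
    seen.add(name)
    record = lookup_txt(name)
    if not record or not record.startswith("v=spf1"):
        return set()
    networks = set()
    for term in record.split()[1:]:
        mechanism, _, value = term.partition(":")
        if mechanism == "include":
            networks |= collect_netblocks(value, lookup_txt, seen)
        elif mechanism in ("ip4", "ip6"):
            # strict=True rejects entries that have host bits set
            networks.add(ipaddress.ip_network(value, strict=True))
    return networks


def address_allowed(address, networks):
    """True if `address` falls inside any of the collected networks."""
    ip = ipaddress.ip_address(address)
    return any(ip.version == net.version and ip in net for net in networks)


if __name__ == "__main__":
    blocks = collect_netblocks("_cloud-netblocks.googleusercontent.com", SAMPLE_TXT.get)
    for net in sorted(blocks, key=lambda n: (n.version, n)):
        print(net)
```

Because the published ranges are not static, a firewall allow-list built this way has to be regenerated on a schedule rather than computed once.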
A static IP address for App Engine is now possible using a serverless NEG with a Load Balancer.
See more on https://stackoverflow.com/a/62660953/4185100
Using this method, it is also possible to configure multiple domains/sub-domains with HTTPS load balancer which points to internal serverless resources (different AppEngine services, Cloud functions, etc)

Not able to access a port on ec2 instance for an Angular app

I am working on an angular app using the angular cli to set things up. Running the ng serve command spawns a server at this address <my_ec2_host_name>:4200. When I try to access the page on the browser it doesn't work (connection timed out error). I believe this is because of security reasons so I added the following rule to my security groups for the ec2 instance:
Port 4200 should now be accessible but I still can't get the page to load. Can someone think of how to get this to work?
Start angular with below command.
ng serve --host=0.0.0.0 --disable-host-check
It will disable the host check and allow access via the IP.
You can set up the host option like this:
ng serve --host 0.0.0.0
The steps you are doing are correct for opening a port via Security Groups in the EC2 console. Make sure you are modifying the correct security group, and make sure that your changes have been saved.
Your container may have additional firewalls in place, so you will want to check the OS documentation. For Example, RHEL uses iptables as a further security measure: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-IPTables.html.
That looks correct. Are you sure that your server is running and listening for connections?
You should ssh to that server and verify that the page can be loaded locally. Eg:
curl http://<YOUR HOST IP ADDRESS>:4200
eg: curl http://54.164.10.123:4200
You should be careful to use the public ip address (eg: IPv4 Public IP when you're in the EC2 console). I've run into problems in the past where I've got a server listening on one IP address (often localhost) and not the public ip address.
Also maybe a problem: Is your host inside a VPC of some sort?

Load balancing - unhealthy instances in google compute engine Network load balancer

I have installed my web application on 2 Windows based VMs of GCE. My application runs on 8080 port.
Steps followed for Network Load Balancer:
1) I created health checks for 8080 port.
2) Added both my VMs and healthchecks to target pool.
3) In forwarding rule I created a rule for 8080 port for that particular Target Pool.
After this go to Target Pools and check the health of the VMs
Here a red symbol is shown against both the instances and message shown as "instance is unhealthy for ".
I have added port 8080 in Firewall rules.
If any one can help, if I am doing anything wrong or there is some other way to setup the Load Balancer.
I believe this issue is not related to the fact that you are listening on port 8080. The health check will pass as long as your instances are able to communicate with the Metaserver (169.254.169.254 [1]) and respond with a valid HTTP page.
You must be sure you have allowed communication on port 8080 on the Google Firewall and on your Windows firewall instance [2]. As a debugging step, you can try to ping the Metaserver and capture IP packets to confirm if there is a 3 way handshake between the Metaserver and your GCE instance. Additionally you might want to try to do the setup with the same instances on port 80 to confirm if it is actually related to the port.
[1] https://cloud.google.com/compute/docs/metadata
[2] https://cloud.google.com/compute/docs/networking

Exposing multiple ports from within a ManagedVM

I'm using the Managed VM functionality to run a WebSocket server that I'd like to expose to the Internet on any port (preferably port 80) through a URL like: mvm.mydomain.com
I'm not having much success yet.
Here are the relevant parts of various files I'm using to accomplish this:
Dockerfile:
EXPOSE 8080 8081
At the end of the Dockerfile, a Python app is started: it responds to health checks on port 8080 (I can verify this works) and responds to WebSocket requests on port 8081.
app.yaml:
module: mvm
version: 1
runtime: custom
vm: true
api_version: 1
network:
  forwarded_ports: ["8081"]
I deploy this app to the cloud using:
$ gcloud preview app deploy .
In the cloud console, I make sure TCP ports 8080 and 8081 are accepted for incoming traffic. I also observe the IP address assigned to the GCE instance (mvm:1) is: x.y.z.z.
$ curl http://x.y.z.z:8080/_ah/health
$ curl http://mvm.my-app-id.appspot.com/_ah/health
Both respond with 200 OK.
Connecting the WebSocket server using some JavaScript works as well:
new WebSocket('ws://x.y.z.z:8081');
So far so good. Except this didn't work (timeout):
new WebSocket('ws://mvm.my-app-id.appspot.com:8081');
I'd like to know why the above WebSocket command doesn't work.
Perhaps something I don't understand in the GAE/GCE port forwarding interaction?
If this could be made to work somehow, I envision the following would be the last steps to finish it.
dispatch.yaml:
dispatch:
  # Send all websocket traffic to the ManagedVM module.
  - url: "mvm.mydomain.com/*"
    module: mvm
I also set up the GAE custom domain CNAME at mvm.mydomain.com.
Connecting the WebSocket server using JavaScript should then work like:
new WebSocket('ws://mvm.mydomain.com:8081');
It may very well be that port forwarding from appspot.com isn't performed, given that prior to the (relatively recent) release of managed VMs, the only traffic that went to appspot.com was on port 80 or 443. I'd suggest using the IP-of-instance method you found to work.
If you don't find that fully satisfying, you should go to the public issue tracker for app engine and post a feature request to have the appspot.com router detect whether a request is heading for a module that corresponds to a managed VM and attempt the port forwarding in that case.
The thing is, putting the raw port on the end of the domain like that means that your browser will use the port you specified as a connection parameter to appspot.com, not as a query param, so appspot.com will have to listen on all ports and redirect if valid. This could be insecure/inefficient, so maybe the port number could be a query param or part of the domain string, similar to how version and module can be specified...
At any rate, given the way in which ports work, I would highly doubt, if your very simple example caused a fail, that app engine's appspot.com domain was even set up to handle port forwarding to managed VM containers at all at present.

Ruby: hide WEBrick httpd version

I'm using OpenVZ Web Panel to manage my VPS servers and when I scanned my server with nmap I saw:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.0p1 Debian 4 (protocol 2.0)
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
3000/tcp open http **WEBrick httpd 1.3.1 (Ruby 1.8.7 (2012-02-08))**
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
How do I hide the **WEBrick httpd 1.3.1 (Ruby 1.8.7 (2012-02-08))**?
Late to the party as I am, I encountered this question so I might as well answer it. I don't find your requirements entirely clear, so I'll give a conditional answer:
If you don't want WEBrick to be visible at all, remove or comment its virtual host entry
If you don't want WEBrick to be running on :3000, you have two choices:
Change the virtual host entry so that it listens on :80 instead
Put nginx in front of it, proxying somedomain:3000 to 127.0.0.1:80 and change WEBrick's virtual host entry so that it listens on 127.0.0.1:80 (you will need a domain name pointed at this machine)
If you want WEBrick to be running but only accessible locally, change its virtual host entry so that it listens on 127.0.0.1:3000
You cannot have WEBrick running and publicly accessible without nmap being able to discover it, because nmap discovers it the same way any client discovers it: by attempting to establish a connection with the indicated IP address and port.
