Google Certified Associate Cloud Engineer 2020


Unable to ping frontend from cloud shell

I have done all of the firewall rules shown in the video but I still am unable to ping the frontend from cloud shell and I don’t understand why. Please let me know what I am missing.

This is for the Custom-Mode VPCs – Challenge Lab Solution – Firewall Rules.

I have the following rule setup that I thought would allow this connection:

Name: allow-all-to-frontend

Network: app-vpc

Priority: 1200

Direction: Ingress

Action on match: Allow

Targets: Service account:

frontend-sa@networking-30111.iam.gserviceaccount.com

Source filters: IP ranges:

0.0.0.0/0

Protocols and ports: icmp

Enforcement: Enabled



I have no deny rules for ingress. Why can’t I ping my frontend instance?

Thanks,

Justin

3 Answers

Are you trying to ping Internal IP or External IP?

If you have set up everything correctly, you should be able to ping the internal IP!

Justin Fountain

Actually, I am able to ping the external ip for both of the frontend instances but not the internal ips. Is that correct? I was trying to ping the internal ips but I had not tried the external.

Lokesh Vij

If you are not able to ping the internal IP, then your firewall rules are not set up properly! Can you please share the output of this command: "gcloud compute firewall-rules list"

Lokesh Vij

and also "gcloud compute instances list", so that I know which internal IPs are associated with the instances.

Justin Fountain

NAME                           NETWORK  DIRECTION  PRIORITY  ALLOW   DENY  DISABLED
allow-all-to-frontend          app-vpc  INGRESS    1200      icmp          False
allow-backend-to-backend-fwr   app-vpc  INGRESS    900       icmp          False
allow-backend-to-vpc-fwr       app-vpc  EGRESS     2900      icmp          False
allow-frontend-to-backend-fwr  app-vpc  INGRESS    800       icmp          False
block-all-backend-egress-fwr   app-vpc  EGRESS     3000              all   False
block-backend-to-all           app-vpc  INGRESS    1000              icmp  False
open-ssh-by-tag-fwr            app-vpc  INGRESS    500       tcp:22        False

Justin Fountain

NAME                ZONE        MACHINE_TYPE  PREEMPTIBLE  INTERNAL_IP   EXTERNAL_IP     STATUS
backend-ig-zr24     us-west1-a  f1-micro                   192.168.0.10  35.233.205.143  RUNNING
frontend-ig-2-jm99  us-west1-a  f1-micro                   192.168.0.8   104.198.96.194  RUNNING
backend-ig-zz35     us-west1-c  f1-micro                   192.168.0.9   34.105.74.22    RUNNING
frontend-ig-2-t8jl  us-west1-c  f1-micro                   192.168.0.7   34.82.31.90     RUNNING

YI

Out of curiosity, what is the difference between pinging the internal IP and the external IP? At first, I thought the firewall rule (allow icmp on ingress) would allow us to ping both internal and external IPs, but when I tried it out it didn’t work. Could you please shed some light on this? Thanks!

NAME                ZONE        MACHINE_TYPE  PREEMPTIBLE  INTERNAL_IP   EXTERNAL_IP     STATUS
backend-ig-zr24     us-west1-a  f1-micro                   192.168.0.10  35.233.205.143  RUNNING
frontend-ig-2-jm99  us-west1-a  f1-micro                   192.168.0.8   104.198.96.194  RUNNING
backend-ig-zz35     us-west1-c  f1-micro                   192.168.0.9   34.105.74.22    RUNNING
frontend-ig-2-t8jl  us-west1-c  f1-micro                   192.168.0.7   34.82.31.90     RUNNING

NAME                           NETWORK  DIRECTION  PRIORITY  ALLOW   DENY  DISABLED
allow-all-to-frontend          app-vpc  INGRESS    1200      icmp          False
allow-backend-to-backend-fwr   app-vpc  INGRESS    900       icmp          False
allow-backend-to-vpc-fwr       app-vpc  EGRESS     2900      icmp          False
allow-frontend-to-backend-fwr  app-vpc  INGRESS    800       icmp          False
block-all-backend-egress-fwr   app-vpc  EGRESS     3000              all   False
block-backend-to-all           app-vpc  INGRESS    1000              icmp  False
open-ssh-by-tag-fwr            app-vpc  INGRESS    500       tcp:22        False

Justin Fountain

I tried to format it so that you could see it better but the forum does not accept the spacing.

There are too many FW rules!

Here is how I would create the VPC/Instances/FW rule:

1) Create VPC with two subnets

# create a custom-mode VPC
gcloud compute networks create app-vpc --subnet-mode=custom --mtu=1460 --bgp-routing-mode=regional
# add two subnets
# frontend-subnet | 10.1.0.0/20 | us-east1
# backend-subnet  | 10.2.0.0/20 | us-east4
gcloud compute networks subnets create frontend-subnet --range=10.1.0.0/20 --network=app-vpc --region=us-east1
gcloud compute networks subnets create backend-subnet --range=10.2.0.0/20 --network=app-vpc --region=us-east4

2) Create frontend and backend VM instances

gcloud compute instances create frontend-vm-01 \
  --zone=us-east1-b \
  --machine-type=f1-micro \
  --subnet=frontend-subnet \
  --tags=front-end
gcloud compute instances create frontend-vm-02 \
  --zone=us-east1-b \
  --machine-type=f1-micro \
  --subnet=frontend-subnet \
  --tags=front-end
gcloud compute instances create backend-vm-01 \
  --zone=us-east4-c \
  --machine-type=f1-micro \
  --subnet=backend-subnet \
  --tags=back-end
gcloud compute instances create backend-vm-02 \
  --zone=us-east4-c \
  --machine-type=f1-micro \
  --subnet=backend-subnet \
  --tags=back-end

Once created, here is how IPs are allocated on my test network

cloud_user_p_74c2bf5a@cloudshell:~ (playground-s-11-32df36da)$ gcloud compute instances list  
NAME            ZONE        MACHINE_TYPE  PREEMPTIBLE  INTERNAL_IP  EXTERNAL_IP    STATUS  
frontend-vm-01  us-east1-b  f1-micro                   10.1.0.2     34.73.96.209   RUNNING  
frontend-vm-02  us-east1-b  f1-micro                   10.1.0.3     34.74.252.24   RUNNING  
backend-vm-01   us-east4-c  f1-micro                   10.2.0.2     35.221.60.165  RUNNING  
backend-vm-02   us-east4-c  f1-micro                   10.2.0.3     34.86.157.147  RUNNING

3) Create FW rules

Firstly, create an allow-SSH rule for all VMs

# allow SSH on both backend and frontend VM    
gcloud compute firewall-rules create allow-ssh-fronent-backend --direction=INGRESS --priority=900 --network=app-vpc --action=ALLOW --rules=tcp:22 --source-ranges=0.0.0.0/0

Tested SSH using the following commands

gcloud compute ssh --zone "us-east1-b" "frontend-vm-01"  
gcloud compute ssh --zone "us-east1-b" "frontend-vm-02"   
gcloud compute ssh --zone "us-east4-c" "backend-vm-01"   
gcloud compute ssh --zone "us-east4-c" "backend-vm-02"

At this point you can SSH but cannot ping any VMs. Next, let’s create a firewall rule so that all frontend VMs can ping each other

gcloud compute firewall-rules create ping-frontend-to-frontend \
  --direction=INGRESS \
  --priority=1000 \
  --network=app-vpc \
  --action=ALLOW \
  --rules=icmp \
  --source-tags=front-end \
  --target-tags=front-end

Similarly, create firewall rule so that all backend VMs can ping each other

gcloud compute firewall-rules create ping-backend-to-backend \
  --direction=INGRESS \
  --priority=1000 \
  --network=app-vpc \
  --action=ALLOW \
  --rules=icmp \
  --source-tags=back-end \
  --target-tags=back-end

Next, a tricky rule, where I want only my frontend VMs to ping backend VMs, not the other way round. Here is how you can create a FW rule.

gcloud compute firewall-rules create ping-frontend-to-backend \
  --direction=INGRESS \
  --priority=1000 \
  --network=app-vpc \
  --action=ALLOW \
  --rules=icmp \
  --source-tags=front-end \
  --target-tags=back-end

You will now be able to ping from any frontend VM to any backend VM, not the other way round. Also, if you look at all the ping FW rules, I have kept the priority at 1000. So you do not need to change any priority, unless the situation demands it.

Hope this helps!
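To make the evaluation order behind these rules concrete, here is an added example (editor's code, not Lokesh's commands and not anything from Google) that simulates GCP VPC firewall matching over a constructed copy of the tag-based rules in the answer above: the matching rule with the lowest priority number wins, a deny beats an allow at equal priority, and ingress that matches nothing falls to the implied deny at priority 65535. The instance names and addresses, the 203.0.113.5 source address standing in for a session outside the VPC, and the `allow-all-to-frontend` / `deny-icmp-to-frontend` pair in `PRIORITY_DEMO` are all constructed; that pair is hypothetical and only illustrates why an allow at priority 1200 cannot override a matching deny at 1000, it is not a claim about the questioner's actual rule targets. One thing the simulator deliberately leaves out: firewall rules are only consulted for traffic that reaches the VPC, and a Cloud Shell session runs outside your VPC, so from there only an instance's external IP is reachable; the internal 10.x addresses are not routable from Cloud Shell regardless of the rules.

```python
"""Added example: small simulator of GCP VPC firewall rule evaluation.

Constructed to mirror the tag-based rules in the answer above; not Google's
code. Instances, IPs and the PRIORITY_DEMO rule pair are made up.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple, Union


@dataclass
class Instance:
    name: str
    internal_ip: str
    tags: Set[str]


@dataclass
class Rule:
    name: str
    priority: int                 # 0 is the highest priority, 65535 the lowest
    action: str                   # "ALLOW" or "DENY"
    protocols: Set[str]           # e.g. {"icmp"}, {"tcp:22"} or {"all"}
    source_ranges: List[str] = field(default_factory=list)
    source_tags: Set[str] = field(default_factory=set)
    target_tags: Set[str] = field(default_factory=set)  # empty = every instance
    direction: str = "INGRESS"


Source = Union[Instance, str]  # an in-VPC instance, or an IP string from outside


def rule_matches(rule: Rule, src: Source, dst: Instance, proto: str) -> bool:
    """True if the ingress rule applies to traffic from src to dst."""
    if rule.target_tags and not (rule.target_tags & dst.tags):
        return False
    # Source tags only ever match instances inside the VPC; source ranges are
    # checked against the instance's internal IP or the external source IP.
    src_ip = src.internal_ip if isinstance(src, Instance) else src
    tag_hit = isinstance(src, Instance) and bool(rule.source_tags & src.tags)
    range_hit = any(ip_address(src_ip) in ip_network(r) for r in rule.source_ranges)
    if not (tag_hit or range_hit):
        return False
    return "all" in rule.protocols or proto in rule.protocols


def evaluate_ingress(rules, src, dst, proto) -> Tuple[str, str]:
    """Return (action, winning_rule_name) for a single ingress packet."""
    hits = [r for r in rules if r.direction == "INGRESS" and rule_matches(r, src, dst, proto)]
    if not hits:
        return ("DENY", "implied-deny-ingress")   # GCP's implied rule at 65535
    # Lowest priority number first; at a tie a DENY sorts before an ALLOW.
    hits.sort(key=lambda r: (r.priority, 0 if r.action == "DENY" else 1))
    return (hits[0].action, hits[0].name)


# --- constructed instances and rules, mirroring the answer's layout ---
FRONTEND = Instance("frontend-vm-01", "10.1.0.2", {"front-end"})
BACKEND = Instance("backend-vm-01", "10.2.0.2", {"back-end"})
CLOUD_SHELL = "203.0.113.5"  # constructed address for a source outside the VPC

RULES = [
    Rule("allow-ssh-frontend-backend", 900, "ALLOW", {"tcp:22"}, source_ranges=["0.0.0.0/0"]),
    Rule("ping-frontend-to-frontend", 1000, "ALLOW", {"icmp"}, source_tags={"front-end"}, target_tags={"front-end"}),
    Rule("ping-backend-to-backend", 1000, "ALLOW", {"icmp"}, source_tags={"back-end"}, target_tags={"back-end"}),
    Rule("ping-frontend-to-backend", 1000, "ALLOW", {"icmp"}, source_tags={"front-end"}, target_tags={"back-end"}),
]

# Hypothetical pair showing why the number matters: an allow at 1200 never
# wins against a deny at 1000 that matches the same traffic.
PRIORITY_DEMO = RULES + [
    Rule("allow-all-to-frontend", 1200, "ALLOW", {"icmp"}, source_ranges=["0.0.0.0/0"], target_tags={"front-end"}),
    Rule("deny-icmp-to-frontend", 1000, "DENY", {"icmp"}, source_ranges=["0.0.0.0/0"], target_tags={"front-end"}),
]


def demo():
    """Evaluate the cases discussed in the thread; returned so they can be checked."""
    return {
        "front->back icmp": evaluate_ingress(RULES, FRONTEND, BACKEND, "icmp"),
        "back->front icmp": evaluate_ingress(RULES, BACKEND, FRONTEND, "icmp"),
        "shell->front ssh": evaluate_ingress(RULES, CLOUD_SHELL, FRONTEND, "tcp:22"),
        "shell->front icmp": evaluate_ingress(RULES, CLOUD_SHELL, FRONTEND, "icmp"),
        "shell->front icmp (deny@1000 vs allow@1200)": evaluate_ingress(PRIORITY_DEMO, CLOUD_SHELL, FRONTEND, "icmp"),
    }


if __name__ == "__main__":
    for case, (action, rule) in demo().items():
        print(f"{case:45s} {action:5s} via {rule}")
```

Running the file prints one verdict per case; `demo()` returns the same results so they can be asserted on. The useful habit this encourages when a ping "should" work is to list every rule whose priority number is lower than the allow you are relying on, because any matching deny among them wins before your allow is ever considered.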

Justin Fountain

This is helpful. Thanks for all your help Lokesh!

Lokesh Vij

Thanks Justin. I am glad that I was able to help!
