Networking 如何允许GCE中的私有实例之间进行通信
以下是用例:Networking 如何允许GCE中的私有实例之间进行通信,networking,google-cloud-platform,firewall,google-vpc,private-network,Networking,Google Cloud Platform,Firewall,Google Vpc,Private Network,以下是用例: 不允许使用外部IP GCP项目存在自定义VPC 实例A有一个正在运行的应用程序 实例B被视为客户端 SQL实例C也在VPC上,并且只有内部IP 目标是让B向A发送HTTP请求,以便A向SQL实例C发送查询 在这种情况下,需要采取哪些联网步骤?(只有防火墙问题,因为所有实例都在同一网络上?如果是,允许使用哪些防火墙规则?) 如果GCP中的其他服务器在同一VPC上,为什么我们不能ping它们 多谢各位 VPS防火墙设置: [ { "allowed": [
- 不允许使用外部IP
- GCP项目存在自定义VPC
- 实例A有一个正在运行的应用程序
- 实例B被视为客户端
- SQL实例C也在VPC上,并且只有内部IP
[
{
"allowed": [
{
"IPProtocol": "tcp",
"ports": [
"22"
]
},
{
"IPProtocol": "tcp",
"ports": [
"3389"
]
}
],
"description": "Allow incoming traffic on IAP",
"direction": "INGRESS",
"disabled": false,
"kind": "compute#firewall",
"logConfig": {
"enable": false
},
"name": "fw-allow-iap",
"network": "https://www.googleapis.com/compute/v1/projects//global/networks/NETWORK_HERE",
"priority": 1000,
"selfLink": "https://www.googleapis.com/compute/v1/projects//global/firewalls/fw-allow-iap",
"sourceRanges": [
"35.235.240.0/20"
]
},
{
"allowed": [
{
"IPProtocol": "tcp",
"ports": [
"80"
]
}
],
"description": "",
"direction": "INGRESS",
"disabled": false,
"kind": "compute#firewall",
"logConfig": {
"enable": false
},
"name": "NETWORK_HERE-allow-http",
"network": "https://www.googleapis.com/compute/v1/projects//global/networks/NETWORK_HERE",
"priority": 1000,
"selfLink": "https://www.googleapis.com/compute/v1/projects//global/firewalls/NETWORK_HERE-allow-http",
"sourceRanges": [
"0.0.0.0/0"
],
"targetTags": [
"http-server"
]
},
{
"allowed": [
{
"IPProtocol": "tcp",
"ports": [
"443"
]
}
],
"direction": "INGRESS",
"disabled": false,
"kind": "compute#firewall",
"logConfig": {
"enable": false
},
"name": "NETWORK_HERE-allow-https",
"network": "https://www.googleapis.com/compute/v1/projects//global/networks/NETWORK_HERE",
"priority": 1000,
"selfLink": "https://www.googleapis.com/compute/v1/projects//global/firewalls/NETWORK_HERE-allow-https",
"sourceRanges": [
"0.0.0.0/0"
],
"targetTags": [
"https-server"
]
}
]
实例B设置:(实例A也有相同的设置)
}专有网络防火墙规则控制专有网络流量。默认情况下,如果操作系统内部防火墙允许,同一专有网络中的两台机器可以相互ping。用详细信息编辑您的问题。你的问题在配置细节上太模糊了。@JohnHanley所有的机器都在专有网络上,这不足以让你知道吗?试图从B ping机器A,但未成功。。我认为应该有一个防火墙规则吗?请阅读此链接的这一部分:
不要发布代码、数据、错误消息等的图像。
搜索引擎在读取图像时有困难。我甚至看不懂你的图片。@JohnHanley doneRegarding-ping:我看不到允许ICMP通信的规则。默认情况下,使用此规则创建专有网络(默认允许icmp
)。有人把它删除了。在VPC内创建允许ICMP的规则。接下来,确定是否有内部操作系统防火墙,以及是否允许ICMP。
{
"canIpForward": false,
"confidentialInstanceConfig": {
"enableConfidentialCompute": false
},
"cpuPlatform": "Intel Haswell",
"deletionProtection": false,
"description": "",
"disks": [
{
"autoDelete": true,
"boot": true,
"deviceName": "instance-1",
"diskSizeGb": "10",
"guestOsFeatures": [
{
"type": "UEFI_COMPATIBLE"
},
{
"type": "VIRTIO_SCSI_MULTIQUEUE"
}
],
"index": 0,
"interface": "SCSI",
"kind": "compute#attachedDisk",
"licenses": [
"projects/debian-cloud/global/licenses/debian-10-buster"
],
"mode": "READ_WRITE",
"source": "projects/PROJECT_ID/zones/europe-west1-b/disks/instance-1",
"type": "PERSISTENT"
}
],
"displayDevice": {
"enableDisplay": false
},
"kind": "compute#instance",
"machineType": "projects/PROJECT_ID/zones/europe-west1-b/machineTypes/e2-micro",
"metadata": {
"fingerprint": "S0UuYvDZ4Tg=",
"kind": "compute#metadata"
},
"name": "instance-1",
"networkInterfaces": [
{
"kind": "compute#networkInterface",
"name": "nic0",
"network": "projects/PROJECT_ID/global/networks/NETWORK_HERE",
"networkIP": "10.0.1.4",
"subnetwork": "projects/PROJECT_ID/regions/europe-west1/subnetworks/SUBNET_HERE"
}
],
"reservationAffinity": {
"consumeReservationType": "ANY_RESERVATION"
},
"scheduling": {
"automaticRestart": true,
"onHostMaintenance": "MIGRATE",
"preemptible": false
},
"selfLink": "projects/PROJECT_ID/zones/europe-west1-b/instances/instance-1",
"serviceAccounts": [
{
"email": "PROJECT_ID-compute@developer.gserviceaccount.com",
"scopes": [
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
"https://www.googleapis.com/auth/servicecontrol",
"https://www.googleapis.com/auth/service.management.readonly",
"https://www.googleapis.com/auth/trace.append"
]
}
],
"shieldedInstanceConfig": {
"enableIntegrityMonitoring": true,
"enableSecureBoot": false,
"enableVtpm": true
},
"shieldedInstanceIntegrityPolicy": {
"updateAutoLearnPolicy": true
},
"startRestricted": false,
"status": "RUNNING",
"tags": {
"items": [
"http-server",
"https-server"
]
},
"zone": "projects/PROJECT_ID/zones/europe-west1-b"