Trouble accessing internet from instance without external IP


Eddie Li

Jan 7, 2019, 2:32:37 PM
to gce-discussion
Hi, I would like to install some libraries from some instances that don't have external IP addresses on a VPC network. There is one instance on that network that does have an external IP address and therefore internet access, which I'm trying to use as an IP forwarding gateway.

I am currently trying to verify that I have set this up correctly:

* (Firewall rule) UDP, TCP and ICMP have been allowed on the VPC network for all instances. I have verified this by confirming that each instance can ping the others, and can do the `nc -l <port>` and `nc -v <ip> <port>` shenanigans to check they can open up a tunnel over TCP.
* (VM creation, OS) The gateway instance has been set up on creation to allow IP forwarding. It has also been enabled at an OS level with `sudo sysctl -w net.ipv4.ip_forward=1`.
* (Route) A new route has been created to route destination IPs for an 'allow-internet-access' tag to specify that the next hop is the gateway instance. The non-gateway instances on the VPC network have had that tag applied.

However, I still can't access internet IPs, e.g. the command `sudo apt-get install default-jdk` fails with:

    E: Failed to fetch http://europe-west1.gce.archive.ubuntu.com/ubuntu/pool/main/libx/libxt/libxt-dev_1.1.5-0ubuntu1_amd64.deb  Unable to connect to europe-west1.gce.archive.ubuntu.com:http: [IP: 35.205.79.146 80]
    
Even though

1. the gateway instance can access it
2. the internal instance can access the gateway

I think it potentially may still have something to do with the routing at an OS level, as when I do an `ip route get` to an internet address, it gives me the default gateway (10.0.0.1), and I'm not sure if adding that new route should have changed this? (The gateway instance's IP is 10.0.0.5).

    ip route get 35.195.141.26
    35.195.141.26 via 10.0.0.1 dev ens4  src 10.0.0.3
        cache

Any pointers on how to debug further would be much appreciated!

Jason

Jan 7, 2019, 9:30:42 PM
to gce-discussion
You will need to use Cloud NAT. This function is used specifically to allow connections to the internet for VM instances and GKE clusters that do not have an external IP address. I have attached an article on how Cloud NAT works and how to configure Cloud NAT at the bottom of this message [1] [2].

Eddie Li

Jan 10, 2019, 2:04:25 PM
to gce-discussion
Thanks Jason for the useful links. I followed the configuration for "Configuring an instance-based NAT" in these docs to get it working (I was missing the iptables step): https://cloud.google.com/vpc/docs/special-configurations, as I have to do SSH port forwarding on that instance as well, but will keep the Cloud NAT product in mind for the future.

Thanks,
Eddie
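The iptables step Eddie says he was missing, written up as an added example (not code from the thread or from the Google docs): a small script that emits the commands turning a GCE instance into a NAT gateway and a check that verifies the result. It assumes the gateway's NIC is `ens4` (as in the thread) and the VPC subnet is `10.0.0.0/24` (assumed; narrowing the MASQUERADE rule to the subnet is a least-privilege choice, not a requirement).

```shell
#!/bin/sh
# Added example, not from the thread. Prints the commands for an
# instance-based NAT gateway on GCE. The VPC route (tagged next hop),
# not the guest routing table, steers tagged instances' packets to the
# gateway, so `ip route get` on a client still showing 10.0.0.1 is expected.
#   $1 = external-facing NIC (ens4 in the thread)
#   $2 = internal subnet to NAT (10.0.0.0/24 is an assumed value)
nat_gateway_commands() {
    nic="$1"
    subnet="$2"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/99-nat-gateway.conf
iptables -t nat -A POSTROUTING -s $subnet -o $nic -j MASQUERADE
iptables -A FORWARD -s $subnet -o $nic -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Returns 0 only when forwarding is on and a MASQUERADE rule is present
# in the nat table; run as root on the gateway after applying the commands.
nat_gateway_verify() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ] || return 1
    iptables -t nat -S POSTROUTING 2>/dev/null | grep -q -- '-j MASQUERADE'
}

# Usage on the gateway (as root):
#   nat_gateway_commands ens4 10.0.0.0/24 | sh && nat_gateway_verify
```

The `sysctl -w` line from the original post only lasts until reboot; the dropped-in file under `/etc/sysctl.d/` makes forwarding persistent.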