Trouble with VPC Peering: My Connection Requests Keep Timing Out, What Am I Missing?

Asked By TechieNinja42 On

I'm trying to connect two Google Compute Engine (GCE) VMs that are in separate VPC networks using VPC Peering. The service on the target VM is running and should be accessible, but every time I attempt to use `curl` from the source VM, it's timing out completely.

I've set up a firewall rule and even applied a Network Tag, yet the issue remains. Here's a snapshot of my current setup:

- **Source VM (`catalog-vm`)**: In the `default` VPC, internal IP `10.160.0.10`. Status is good.
- **Target VM (`weather-vm`)**: In the `weather-vpc`, internal IP `11.0.0.2`, and the service is confirmed to be listening on tcp port 8080.
- **VPC Peering**: Between `default` and `weather-vpc`, status is active.
- **Service**: Listening on all interfaces on port 8080.

Here's what I've done so far:
1. I checked the Ingress firewall rule on `weather-vpc`, and it is well targeted to allow traffic from the specific IP of `catalog-vm`.
2. After adding the required tag and waiting for changes to take effect, I ran the `curl 11.0.0.2:8080` command from `catalog-vm`, only to see a timeout error.

I'm puzzled as to why this is happening. I suspect there could be issues with Egress/Ingress rules or possibly conflicting firewall priorities. Any insights or steps I've forgotten to check would be really helpful! Thanks!

2 Answers

Answered By NetworkNerd18 On

Right on! Just wanted to add: you really might need that explicit Egress rule since VPCs can be picky about returning paths. Think of it as making sure that your outgoing call from `catalog-vm` can find its way back home. An Egress rule in the `default` VPC will essentially let your connection request through. Don't forget to double-check the priorities too, as lower-priority rules can easily block what you want to allow! Good catch on that front.

Answered By CloudGuru99 On

You've done a great job laying out everything! It looks like you're super close to resolving this. The issue you're facing is likely due to the fact that each VPC network applies its own firewall rules separately. Your Ingress rule in the `weather-vpc` is solid, allowing access from `10.160.0.10`, but it seems that your `default` VPC doesn't have a corresponding Egress rule in place to permit outgoing connections to `11.0.0.2`.

Even if it seems like the default "Allow all egress" rule should cover this, many setups include a lower-priority "Deny all egress" rule for security. It's best to create a dedicated Egress rule in the `default` VPC. This new rule needs to target the specific IP of your `weather-vm` and allow tcp traffic on port 8080. This should help create the necessary path for the response traffic back to your source VM! Good luck!
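The following script is an added example that illustrates what both answers describe; it is not code from either answer, from the question, or from Google. It assembles the dedicated EGRESS allow rule for the `default` VPC toward `weather-vm`, the listing that shows the EGRESS rules in `default` by priority, a Network Intelligence Center connectivity test from `catalog-vm`, and a small precedence check run over a constructed rule table. Everything not in the thread is an assumption: the project and zone placeholders, the rule name `allow-egress-weather-8080`, the priority 900, and the sample rules. In dry-run mode (the default) it only prints the `gcloud` commands so they can be reviewed before anything is changed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions are marked below.
set -eu

GCP_PROJECT="${GCP_PROJECT:-my-project}"   # assumption (placeholder project)
ZONE="${ZONE:-asia-south1-a}"              # assumption (placeholder zone of catalog-vm)
NETWORK="default"                          # from the question
SOURCE_VM="catalog-vm"                     # from the question
WEATHER_IP="11.0.0.2"                      # from the question
PORT="8080"                                # from the question
RULE_NAME="allow-egress-weather-8080"      # assumption
PRIORITY="${PRIORITY:-900}"                # assumption; must be numerically LOWER than any deny-all egress rule
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the gcloud command, 0 = execute it

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. The dedicated EGRESS rule the answers recommend. The destination is a /32,
#    so only weather-vm:8080 is opened rather than the whole peered range.
egress_rule_cmd() {
  run gcloud compute firewall-rules create "$RULE_NAME" \
    --project="$GCP_PROJECT" --network="$NETWORK" \
    --direction=EGRESS --action=ALLOW --rules="tcp:${PORT}" \
    --destination-ranges="${WEATHER_IP}/32" --priority="$PRIORITY"
}

# 2. List the EGRESS rules in `default`, lowest priority number (= highest
#    precedence) first, to spot a "deny all egress" rule that outranks the new one.
list_egress_cmd() {
  run gcloud compute firewall-rules list --project="$GCP_PROJECT" \
    --filter="network:${NETWORK} AND direction=EGRESS" --sort-by=priority \
    --format="table(name,priority,destinationRanges.list(),allowed[].map().firewall_rule().list(),denied[].map().firewall_rule().list())"
}

# 3. Ask GCP itself whether catalog-vm can reach weather-vm:8080; the result
#    names the firewall rule or route that drops the packet.
connectivity_test_cmd() {
  run gcloud network-management connectivity-tests create "${SOURCE_VM}-to-weather" \
    --project="$GCP_PROJECT" \
    --source-instance="projects/${GCP_PROJECT}/zones/${ZONE}/instances/${SOURCE_VM}" \
    --destination-ip-address="$WEATHER_IP" --destination-port="$PORT" --protocol=TCP
}

# 4. Precedence check. GCP applies the matching rule with the lowest priority
#    number; at equal priority a DENY beats an ALLOW. Reads "NAME PRIORITY ACTION"
#    lines on stdin (all assumed to match 11.0.0.2:8080) and prints the winner.
effective_action() {
  sort -k2,2n -k3,3r | head -n 1 | awk '{ print $3 }'
}

# Constructed rule table for the scenario the answers describe: an explicit
# deny-all egress at 1000 sitting above the implied allow-all at 65535.
sample_rules() {
  printf '%s\n' \
    "deny-all-egress 1000 DENY" \
    "default-allow-egress 65535 ALLOW" \
    "${RULE_NAME} ${1} ALLOW"
}

# Verdict for a candidate priority of the new rule: 900 wins, 2000 loses.
verdict() {
  sample_rules "$1" | effective_action
}

egress_rule_cmd
list_egress_cmd
connectivity_test_cmd
echo "new rule at priority 900  -> $(verdict 900)"
echo "new rule at priority 2000 -> $(verdict 2000)"
```

Run it as-is to see the commands, then with `DRY_RUN=0` to apply them. The precedence check is the part people get wrong: if the listing shows a deny-all EGRESS rule at priority 1000, the new allow rule needs a number below 1000, and an equal number still loses to the deny.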

