我有2谷歌计算引擎实例,我想在两个实例中打开端口9090。我认为我们需要添加一些防火墙规则。

你能告诉我该怎么做吗?


当前回答

创建防火墙规则

如果您不熟悉GCP中的防火墙规则,请查看防火墙规则组件[1]。防火墙规则是在网络级别定义的,并且只应用于创建它们的网络;但是,为每个名称选择的名称对于项目必须是唯一的。

对于云控制台:

Go to the Firewall rules page in the Google Cloud Platform Console. Click Create firewall rule. Enter a Name for the firewall rule. This name must be unique for the project. Specify the Network where the firewall rule will be implemented. Specify the Priority of the rule. The lower the number, the higher the priority. For the Direction of traffic, choose ingress or egress. For the Action on match, choose allow or deny. Specify the Targets of the rule. If you want the rule to apply to all instances in the network, choose All instances in the network. If you want the rule to apply to select instances by network (target) tags, choose Specified target tags, then type the tags to which the rule should apply into the Target tags field. If you want the rule to apply to select instances by associated service account, choose Specified service account, indicate whether the service account is in the current project or another one under Service account scope, and choose or type the service account name in the Target service account field. For an ingress rule, specify the Source filter: Choose IP ranges and type the CIDR blocks into the Source IP ranges field to define the source for incoming traffic by IP address ranges. Use 0.0.0.0/0 for a source from any network. Choose Subnets then mark the ones you need from the Subnets pop-up button to define the source for incoming traffic by subnet name. To limit source by network tag, choose Source tags, then type the network tags in to the Source tags field. For the limit on the number of source tags, see VPC Quotas and Limits. Filtering by source tag is only available if the target is not specified by service account. For more information, see filtering by service account vs.network tag. To limit source by service account, choose Service account, indicate whether the service account is in the current project or another one under Service account scope, and choose or type the service account name in the Source service account field. Filtering by source service account is only available if the target is not specified by network tag. For more information, see filtering by service account vs. network tag. Specify a Second source filter if desired. Secondary source filters cannot use the same filter criteria as the primary one. For an egress rule, specify the Destination filter: Choose IP ranges and type the CIDR blocks into the Destination IP ranges field to define the destination for outgoing traffic by IP address ranges. Use 0.0.0.0/0 to mean everywhere. Choose Subnets then mark the ones you need from the Subnets pop-up button to define the destination for outgoing traffic by subnet name. Define the Protocols and ports to which the rule will apply: Select Allow all or Deny all, depending on the action, to have the rule apply to all protocols and ports. Define specific protocols and ports: Select tcp to include the TCP protocol and ports. Enter all or a comma delimited list of ports, such as 20-22, 80, 8080. Select udp to include the UDP protocol and ports. Enter all or a comma delimited list of ports, such as 67-69, 123. Select Other protocols to include protocols such as icmp or sctp. (Optional) You can create the firewall rule but not enforce it by setting its enforcement state to disabled. Click Disable rule, then select Disabled. (Optional) You can enable firewall rules logging: Click Logs > On. Click Turn on. Click Create.

链接: [1] https://cloud.google.com/vpc/docs/firewalls firewall_rule_components

其他回答

你需要:

Go to cloud.google.com Go to my Console Choose your Project Choose Networking > VPC network Choose "Firewall" Choose "Create Firewall Rule" To apply the rule to select VM instances, select Targets > "Specified target tags", and enter into "Target tags" the name of the tag. This tag will be used to apply the new firewall rule onto whichever instance you'd like. Then, make sure the instances have the network tag applied. Set Source IP ranges to allow traffic from all IPs: 0.0.0.0/0 To allow incoming TCP connections to port 9090, in "Protocols and Ports", check “tcp” and enter 9090 Click Create (or click “Equivalent Command Line” to show the gcloud command to create the same rule)

请参考文档自定义您的规则。

您需要添加一个防火墙规则,以便向您的实例开放对tcp:9090的入站访问。如果您有两个以上的实例,并且您只想向这两个实例打开9090,那么您将希望确保这两个实例共享一个标记。您可以通过控制台或命令行添加或更新标签;如果需要,我建议使用GUI,因为它使用setinstancetags处理读取-修改-写入循环。

如果你想对所有实例开放端口9090,你可以创建这样的防火墙规则:

gcutil addfirewall allow-9090 --allowed=tcp:9090

这将适用于您的所有实例。

如果你只想打开端口9090到服务于你的应用程序的两个实例,确保它们有一个像my-app这样的标签,然后添加一个防火墙,如下所示:

gcutil addfirewall my-app-9090 --allowed=tcp:9090 --target_tags=my-app

您可以在这里阅读更多关于在GCE中创建和管理防火墙的信息。

创建防火墙规则

如果您不熟悉GCP中的防火墙规则,请查看防火墙规则组件[1]。防火墙规则是在网络级别定义的,并且只应用于创建它们的网络;但是,为每个名称选择的名称对于项目必须是唯一的。

对于云控制台:

Go to the Firewall rules page in the Google Cloud Platform Console. Click Create firewall rule. Enter a Name for the firewall rule. This name must be unique for the project. Specify the Network where the firewall rule will be implemented. Specify the Priority of the rule. The lower the number, the higher the priority. For the Direction of traffic, choose ingress or egress. For the Action on match, choose allow or deny. Specify the Targets of the rule. If you want the rule to apply to all instances in the network, choose All instances in the network. If you want the rule to apply to select instances by network (target) tags, choose Specified target tags, then type the tags to which the rule should apply into the Target tags field. If you want the rule to apply to select instances by associated service account, choose Specified service account, indicate whether the service account is in the current project or another one under Service account scope, and choose or type the service account name in the Target service account field. For an ingress rule, specify the Source filter: Choose IP ranges and type the CIDR blocks into the Source IP ranges field to define the source for incoming traffic by IP address ranges. Use 0.0.0.0/0 for a source from any network. Choose Subnets then mark the ones you need from the Subnets pop-up button to define the source for incoming traffic by subnet name. To limit source by network tag, choose Source tags, then type the network tags in to the Source tags field. For the limit on the number of source tags, see VPC Quotas and Limits. Filtering by source tag is only available if the target is not specified by service account. For more information, see filtering by service account vs.network tag. To limit source by service account, choose Service account, indicate whether the service account is in the current project or another one under Service account scope, and choose or type the service account name in the Source service account field. Filtering by source service account is only available if the target is not specified by network tag. For more information, see filtering by service account vs. network tag. Specify a Second source filter if desired. Secondary source filters cannot use the same filter criteria as the primary one. For an egress rule, specify the Destination filter: Choose IP ranges and type the CIDR blocks into the Destination IP ranges field to define the destination for outgoing traffic by IP address ranges. Use 0.0.0.0/0 to mean everywhere. Choose Subnets then mark the ones you need from the Subnets pop-up button to define the destination for outgoing traffic by subnet name. Define the Protocols and ports to which the rule will apply: Select Allow all or Deny all, depending on the action, to have the rule apply to all protocols and ports. Define specific protocols and ports: Select tcp to include the TCP protocol and ports. Enter all or a comma delimited list of ports, such as 20-22, 80, 8080. Select udp to include the UDP protocol and ports. Enter all or a comma delimited list of ports, such as 67-69, 123. Select Other protocols to include protocols such as icmp or sctp. (Optional) You can create the firewall rule but not enforce it by setting its enforcement state to disabled. Click Disable rule, then select Disabled. (Optional) You can enable firewall rules logging: Click Logs > On. Click Turn on. Click Create.

链接: [1] https://cloud.google.com/vpc/docs/firewalls firewall_rule_components

使用此命令打开端口

gcloud compute --project=<project_name> firewall-rules create firewall-rules --direction=INGRESS --priority=1000 --network=default --action=ALLOW --rules=tcp:<port number> --source-ranges=0.0.0.0/0 

这个问题很老了,Carlos Rojas的回答很好,但我认为我应该发布一些在尝试开放端口时应该记住的事情。

首先要记住的是,“网络”部分被重命名为“VPC网络”。因此,如果您试图找出防火墙规则选项可用的地方,请查看VPC网络。

第二件事是,如果您试图在Linux虚拟机上打开端口,请确保在任何情况下都不应该尝试使用ufw命令打开端口。我尝试使用它,但失去了对虚拟机的ssh访问。所以不要重复我的错误。

第三件事是,如果你试图在Windows虚拟机上开放端口,你需要在虚拟机内部创建防火墙规则,也在Windows防火墙中创建VPC网络->防火墙规则。端口需要在两个防火墙规则中都打开,不像Linux VM。因此,如果您无法从虚拟机外部访问端口,请检查是否在GCP控制台和Windows防火墙中都打开了端口。

最后一件(显而易见的)事情是,不要不必要地打开端口。关闭端口,一旦你不再需要它。

我希望这个答案对你有用。