Unable to SSH into my Compute Engine VM instance on Google Cloud

Question

I am trying to SSH into my compute engine VM instance on Google Cloud.

I am following the instructions to set up a regional external HTTP(S) load balancer with VM instance group backends

I have created a firewall rule to allow SSH traffic.

gcloud compute firewall-rules describe fw-allow-ssh returns:

allowed:
- IPProtocol: tcp
  ports:
  - '22'
creationTimestamp: '2022-09-13T07:55:49.187-07:00'
description: ''
direction: INGRESS
disabled: false
id: '3158638846670612250'
kind: compute#firewall
logConfig:
  enable: false
name: fw-allow-ssh
network: https://www.googleapis.com/compute/v1/projects/possible-post-360304/global/networks/default
priority: 1000
selfLink: https://www.googleapis.com/compute/v1/projects/possible-post-360304/global/firewalls/fw-allow-ssh
sourceRanges:
- 0.0.0.0/0
targetTags:
- load-balanced-backend

Apart from that, I have two more firewall rules: fw-allow-health-check and fw-allow-proxies.

gcloud compute firewall-rules describe fw-allow-health-check returns:

allowed:
- IPProtocol: tcp
  ports:
  - '80'
creationTimestamp: '2022-09-12T21:29:49.688-07:00'
description: ''
direction: INGRESS
disabled: false
id: '2007525931317311954'
kind: compute#firewall
logConfig:
  enable: false
name: fw-allow-health-check
network: https://www.googleapis.com/compute/v1/projects/possible-post-360304/global/networks/lb-network
priority: 1000
selfLink: https://www.googleapis.com/compute/v1/projects/possible-post-360304/global/firewalls/fw-allow-health-check
sourceRanges:
- 130.211.0.0/22
- 35.191.0.0/16
targetTags:
- load-balanced-backend

gcloud compute firewall-rules describe fw-allow-proxies returns:

allowed:
- IPProtocol: tcp
  ports:
  - '80'
  - '443'
  - '8080'
creationTimestamp: '2022-09-12T21:33:19.582-07:00'
description: ''
direction: INGRESS
disabled: false
id: '3828652160003716832'
kind: compute#firewall
logConfig:
  enable: false
name: fw-allow-proxies
network: https://www.googleapis.com/compute/v1/projects/possible-post-360304/global/networks/lb-network
priority: 1000
selfLink: https://www.googleapis.com/compute/v1/projects/possible-post-360304/global/firewalls/fw-allow-proxies
sourceRanges:
- 10.129.0.0/23
targetTags:
- load-balanced-backend

When I try to SSH into my VM instance from the browser, I get the following error:
Cloud IAP for TCP forwarding is not currently supported for google.com projects; attempting to use the legacy relays instead. If you are connecting to a non google.com project, continue reading. Please consider adding a firewall rule to allow ingress from the Cloud IAP for TCP forwarding netblock to the SSH port of your machine to start using Cloud IAP for TCP forwarding for better performance. and in due course:
We are unable to connect to the VM on port 22.

What am I doing wrong here please. Any guidance would be of great help.

Thank you!

Answer 1

I might not know the context and all you details, but in my personal experience -

If your firewalls are configured correctly - you should be able to make a SSH connection from some host over the 'internet' - i.e. from you local machine. Identity-Aware Proxy is not required at all.

If you would like to make a SSH connection from the UI console (from the SSH 'button' in the browser), you might need to

1/ make sure that the relevant API is enabled and you are ready to pay to such access - see an Identity-Aware Proxy overview and Identity-Aware Proxy (API) in the console.

2/ the firewalls are configured correctly to allow SSH access from the relevant Google's IP range (i.e. 35.235.240.0/20 and those who need such access have relevant IAM roles - see Using IAP for TCP forwarding

3/ check that the VM you would like to connect - has a 'tag' mentioned in the firewall rules (if tags are used).