
Problem description

Today, I tried to make a blog with Google Cloud Platform.

So, I made a Compute Engine instance and installed Apache2 on Ubuntu 16.

And then I clicked the outer IP address, but it showed me "connection denied.."

Why is that?

I allowed HTTPS & HTTP traffic also.

And I can't find a menu like AWS's Security Group...

So, this problem irritates me...

(I'm not an English native, so the documentation is so hard to read.. please, give me a tip for this matter)

Recommended answer

TL;DR - You need to open up ports using firewall rules to allow ingress traffic into your VMs.

Google Compute Engine (GCE) blocks all traffic to your VMs by default for the purpose of keeping your infrastructure secure. You can open up ports as needed and manage the security yourself. The default created network has a few exceptions in terms of allowing traffic from other VMs in the network, but still does not allow traffic from outside the network.

Each VPC network has its own firewall controlling access to instances.

All traffic to instances, even from other instances, is blocked by the firewall unless firewall rules are created to allow it. The exception is the default VPC network that is created automatically with each project. This network has certain automatically created default firewall rules.

For all VPC networks except the automatically created default VPC network, you must create any firewall rules you need. To allow incoming network connections on a manually created VPC network, you need to set up firewall rules to permit these connections. Each firewall rule represents a single rule that determines what connections are permitted to enter or leave instances. It is possible to have many rules and to be as general or specific with these rules as you need. For example, you can create a firewall rule that allows all traffic through port 80 to all instances, or you can create a rule that only allows traffic from one specific IP or IP range to one specific instance.

Firewall rules are connection tracking, and therefore only regulate the initial connection. Once a connection has been established with an instance, traffic is permitted in both directions over that connection.

Since you mention the apache2 package on Ubuntu, the instructions I share here will guide you on how to open up port 80 on your VM and make it accessible through the VM's public IP. You can do the same for any additional ports as needed.

# Create a new firewall rule that allows INGRESS tcp:80 with VMs containing tag 'allow-tcp-80'
gcloud compute firewall-rules create rule-allow-tcp-80 --source-ranges 0.0.0.0/0 --target-tags allow-tcp-80 --allow tcp:80

# Add the 'allow-tcp-80' tag to a VM named VM_NAME
gcloud compute instances add-tags VM_NAME --tags allow-tcp-80

# If you want to list all the GCE firewall rules
gcloud compute firewall-rules list

Using Cloud Console to allow ingress traffic for tcp:80 into your VM

  1. Menu -> Networking -> Firewall Rules
  2. Create Firewall Rule
  3. Choose the following settings for the firewall rule:

    1. Name for the rule - rule-allow-tcp-80 or any other name you prefer for this firewall rule.
    2. Direction is ingress
    3. Action on match is Allow
    4. Targets is Specified target tags
    5. Target tags is allow-tcp-80
    6. Source IP ranges is 0.0.0.0/0 (or if you have a set of IP ranges you know will be the only ones accessing this, use them instead for stronger restriction)
    7. Protocols and ports is tcp:80
    8. Select the Create button to create this firewall rule.

  • Once you've created the above firewall rule you will need to add the tag allow-tcp-80 to all the instances where this rule needs to be applied. In your case:

    1. Open up the GCE VM Instances page
    2. Select the instance where Jenkins is running
    3. In the VM instance details page, select the Edit link at the very top.
    4. In the Network Tags box, enter allow-tcp-80 to apply the tag to this instance.
    5. Select Save to save the changes.

  • Now give it a few seconds to a few minutes for the changes to take effect and you will be able to access the Jenkins web URL.

    You can also go through the documentation for Firewall rules to get a better understanding of how they work and how to configure them.

    WARNING: By using a source range of 0.0.0.0/0, you're opening up the port on the VM to the entire internet. This lets clients anywhere in the world connect to the application running on this port. Be fully aware of the security implications of doing this.
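As an added example (not part of the original answer or of the gcloud tool), the two gcloud commands from the answer wrapped in a small POSIX shell function that validates the port and the source ranges first, refuses the 0.0.0.0/0 range unless ALLOW_PUBLIC=1 is set explicitly, and then tags the VM. The rule name allow-tcp-PORT, the VM name, the tag and the 203.0.113.0/24 range in the comments are constructed placeholders; the GCLOUD variable lets you dry-run with GCLOUD=echo before touching a real project.

```shell
#!/bin/sh
# Added example (not from the original answer): validate inputs, then run the
# same two gcloud commands the answer shows. GCLOUD defaults to the real binary;
# set GCLOUD=echo to print the commands instead of executing them.
GCLOUD="${GCLOUD:-gcloud}"

# is_cidr STRING -> 0 if STRING is an IPv4 CIDR (a.b.c.d/n, n in 0..32), else 1
is_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;
  esac
  ip="${1%/*}"; prefix="${1#*/}"
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  oldifs="$IFS"; IFS=.
  set -- $ip
  IFS="$oldifs"
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# allow_ingress PORT TAG VM_NAME SOURCE_RANGES
#   PORT          tcp port to open (1..65535)
#   TAG           network tag the rule targets, e.g. allow-tcp-80
#   VM_NAME       instance that receives the tag (constructed name in the test)
#   SOURCE_RANGES comma-separated CIDRs, e.g. 203.0.113.0/24 (constructed)
# Creates rule "allow-tcp-PORT" for INGRESS tcp:PORT, then tags the VM.
# Opening to the whole internet (0.0.0.0/0) requires ALLOW_PUBLIC=1 so that
# the choice the answer warns about is deliberate rather than a default.
allow_ingress() {
  port="$1"; tag="$2"; vm="$3"; ranges="$4"
  case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 2; }
  oldifs="$IFS"; IFS=,
  set -- $ranges
  IFS="$oldifs"
  [ $# -gt 0 ] || { echo "no source ranges given" >&2; return 2; }
  for r in "$@"; do
    is_cidr "$r" || { echo "bad CIDR: $r" >&2; return 2; }
    if [ "$r" = "0.0.0.0/0" ] && [ "${ALLOW_PUBLIC:-0}" != 1 ]; then
      echo "refusing source range 0.0.0.0/0 without ALLOW_PUBLIC=1" >&2
      return 3
    fi
  done
  "$GCLOUD" compute firewall-rules create "allow-tcp-$port" \
      --direction INGRESS --allow "tcp:$port" \
      --source-ranges "$ranges" --target-tags "$tag" || return 1
  "$GCLOUD" compute instances add-tags "$vm" --tags "$tag"
}

# verify_http IP -> first response line from the VM's public IP once the
# rule has propagated (a connection refusal here means the rule or tag is missing)
verify_http() {
  curl -sS -I --max-time 5 "http://$1/" | head -n 1
}
```

Usage: `allow_ingress 80 allow-tcp-80 my-vm 203.0.113.0/24` restricts the rule to one range, which is what the answer recommends where the client ranges are known; `ALLOW_PUBLIC=1 allow_ingress 80 allow-tcp-80 my-vm 0.0.0.0/0` reproduces the answer's fully open rule. Since GCE firewall rules are stateful, only the inbound tcp:80 rule is needed for the HTTP replies to flow back.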
