Ssh – Why does google CloudShell not have the same subnet IP address as the vm instance? Cannot ssh, but can get serial port login: prompt

Tags: cloud, google-cloud-platform, google-compute-engine, networking, ssh

The virtual machine instance is up and running and I can get the serial port login: prompt, but I cannot connect via ssh. What would Google's reasoning be for this behavior?

The VM instance does NOT have an external IP address by design.

My Google Cloud Shell instance does not have a 10.240.0.0/16 IP address like my VM instance has, so I assume that is why I cannot ssh via Cloud Shell. Why would an instance need internet access from within the web-browser-based Cloud Shell?

ERROR: (gcloud.beta.compute.ssh) Instance [instance-centos7] in zone [us-zone-somewhere] does not have an external IP address, so you cannot SSH into it. To add an external IP address to the instance, use [gcloud compute instances add-access-config].

I have restarted the Cloud Shell instance in the hope that it would be rebuilt with the correct IP addresses.

Project wide ssh keys are NOT blocked.

In the web browser, all SSH options are disabled and greyed out.

I can tail the serial port output to verify that it stops and starts, but I cannot interact with it because I did not set a password.

Over the years, I have had several virtual instances that did not have a public IP address, but I was able to connect fine in order to secure the machine before allowing access from the internet.

Based on the 10.240.0.0/16 IP subnet, it appears I have a legacy network.

I wanted a virtual machine host (base machine) that does not have direct access to the internet, but whose LXC containers would get a public IP.

Best Answer

Cloud Shell provides a limited shell for interactive use only as per the following documentation.

A Google Cloud Shell SSH connection allows users to connect to Google Compute Engine Virtual Machines from within the Google Cloud Platform Console. It differs from SSH connections made from Compute Engine VM instances because they are made from inside another VPC network and can be behind a firewall that if not set correctly can block connections.

Google Compute Engine instances can be created with or without an external IP address. Creating an instance without an external IP address offers a high level of security, since the instance cannot be directly accessed from the outside. We can still connect to the instance's internal IP address from the public internet, but only via other methods that have access to the internal IP address of the instance. These methods include ‘connecting through a VPN connection that has access to the internal IP address’ or through a ‘Bastion Host’ instance as per the following documentation.

Ensure that the ‘Block project-wide SSH keys’ option is not enabled when you create the VM instance, or the instance will ignore project-wide SSH keys as per the documentation.
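As an added example (not part of the answer above or of Google's tooling), a small Python check over the JSON that `gcloud compute instances describe NAME --zone ZONE --format=json` returns; it flags the three conditions the question and answer discuss: no external IP, `block-project-ssh-keys` set, and an internal address in the legacy 10.240.0.0/16 range. The embedded instance description is constructed, not captured from a real project.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed sample of `gcloud compute instances describe ... --format=json` output:
# one interface, no accessConfigs (so no external IP), address in the legacy range.
SAMPLE_DESCRIBE = json.dumps({
    "name": "instance-centos7",
    "networkInterfaces": [
        {"networkIP": "10.240.0.7", "network": "global/networks/default"}
    ],
    "metadata": {"items": [{"key": "block-project-ssh-keys", "value": "FALSE"}]},
})

# Default address range of a legacy (non-VPC) network, as seen in the question.
LEGACY_RANGE = ip_network("10.240.0.0/16")


def diagnose_ssh_reachability(describe_json: str) -> dict:
    """Explain why a plain `gcloud compute ssh` fails and which path remains."""
    inst = json.loads(describe_json)
    ifaces = inst.get("networkInterfaces", [])
    # External IPs live in accessConfigs[].natIP; an instance created without
    # an external address simply has no accessConfigs entry.
    external = [ac["natIP"] for i in ifaces
                for ac in i.get("accessConfigs", []) if ac.get("natIP")]
    internal = [i["networkIP"] for i in ifaces if i.get("networkIP")]
    items = {it["key"]: it.get("value", "")
             for it in inst.get("metadata", {}).get("items", [])}
    blocks_project_keys = items.get("block-project-ssh-keys", "").upper() == "TRUE"
    legacy = any(ip_address(ip) in LEGACY_RANGE for ip in internal)

    findings = []
    if not external:
        findings.append("no external IP: direct SSH from Cloud Shell or the internet is impossible")
    if blocks_project_keys:
        findings.append("block-project-ssh-keys=TRUE: project-wide SSH keys are ignored")
    if legacy:
        findings.append("internal IP is in 10.240.0.0/16: legacy network, not a VPC subnet")
    reach_via = "direct ssh" if external else "bastion host or VPN with a route to the internal IP"
    return {"external_ips": external, "internal_ips": internal,
            "blocks_project_keys": blocks_project_keys, "legacy_network": legacy,
            "findings": findings, "reach_via": reach_via}


if __name__ == "__main__":
    for line in diagnose_ssh_reachability(SAMPLE_DESCRIBE)["findings"]:
        print(line)
```

Run it against a real `describe` dump to confirm which of the three conditions applies before adding an external IP with `gcloud compute instances add-access-config`.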
