What is the gcloud command to allow http traffic on a VM instance? (It's not create firewall rule!)

Solved. I don't entirely understand what is going on behind the scenes, but the solution to this requires the use of "tags" which associate firewall rules on the network with the VM instance. As far as I can see at this point, this is only pertinent for http and https. Other ports that are open on the network and the VM seem to work without this additional piece.

If you view your firewall rules, you'll probably see the port 80 and 443 rules have the tags "http-server" and "https-server" respectively. If they don't, you'll need to add those (or other tags of your choosing). It turns out the instance needs those tags added to it as well.

To add the tags to an existing VM instance, use this gcloud command:

gcloud compute instances add-tags [YOUR_INSTANCE_NAME] --tags http-server,https-server

To add the tags at the time of the instance creation, include that flag in your statement:

gcloud compute instances create [YOUR_INSTANCE_NAME] --tags http-server,https-server

If you look in the GCE GUI, you'll see those "Allow http traffic" and "Allow https traffic" checkboxes are checked after doing that. Requests and responses then flow across ports 80 and 443 as expected.


One of the super helpful things the Google Cloud Console offers is a link at the bottom of the create for most resources for the REST API and command line to create the same resource. I am challenging myself to be able to do everything I can do in the console from the SDK command line, so I use this often when I have a question like yours.

Having the same question as above, in the console I created a VM and selected "Allow HTTP traffic". Looking at the command line for this, you will see two commands. The first is the create command with the tag as noted above (http-server):

gcloud beta compute --project=XXXX instances create cgapperi-vm1 \
--zone=XXXXX --machine-type=f1-micro --subnet=default \
--tags=http-server --image=debian-10-buster-v20200413 \
--image-project=debian-cloud --boot-disk-size=10GB \
--boot-disk-type=pd-standard --boot-disk-device-name=cgapperi-vm1 \
--no-shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring \
--reservation-affinity=any

The second actually creates the firewall rule (default-allow-http) for you, and sets the target for requests to the http-server tag (--target-tags=http-server) on tcp port 80 (--rules=tcp:80) from incoming requests (--direction=INGRESS) from all sources (--source-ranges=0.0.0.0/0):

gcloud compute --project=XXXX firewall-rules create default-allow-http \
--direction=INGRESS --priority=1000 --network=default --action=ALLOW \
--rules=tcp:80 --source-ranges=0.0.0.0/0 --target-tags=http-server

I hope this is helpful for anyone else.

NOTE: I did reduce the output of the gcloud compute instance create to relevant bits in order to reduce the clutter.
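How the tag matching described in both answers decides which rules reach an instance, as an added example that is not part of either answer: a rule with --target-tags applies only to instances carrying one of those tags, while a rule with no target applies to every instance on the network. The rule list is a constructed sample in the shape of `gcloud compute firewall-rules list --format=json`; the function names are hypothetical, and deny rules and priorities are not modelled.

```python
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
RULES_JSON = """
[
  {"name": "default-allow-http", "direction": "INGRESS", "priority": 1000,
   "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}],
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["http-server"]},
  {"name": "default-allow-https", "direction": "INGRESS", "priority": 1000,
   "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["https-server"]},
  {"name": "default-allow-ssh", "direction": "INGRESS", "priority": 65534,
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
   "sourceRanges": ["0.0.0.0/0"]},
  {"name": "allow-internal-db", "direction": "INGRESS", "priority": 1000,
   "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}],
   "sourceRanges": ["10.128.0.0/9"], "targetTags": ["db"]}
]
"""

def rule_applies(rule, instance_tags):
    """True if an enabled ingress rule covers an instance with these network tags."""
    if rule.get("disabled") or rule.get("direction") != "INGRESS":
        return False
    if rule.get("targetServiceAccounts"):
        return False  # service-account targets are outside this tag-only example
    targets = rule.get("targetTags")
    # No targetTags: the rule covers every instance on the network.
    return not targets or bool(set(targets) & set(instance_tags))

def internet_exposed(rules, instance_tags):
    """Sorted (rule, protocol, port) tuples for allow rules open to 0.0.0.0/0."""
    hits = []
    for rule in rules:
        if not rule_applies(rule, instance_tags):
            continue
        if "0.0.0.0/0" not in rule.get("sourceRanges", []):
            continue
        for allow in rule.get("allowed", []):
            for port in allow.get("ports", ["all"]):
                hits.append((rule["name"], allow["IPProtocol"], port))
    return sorted(hits)

if __name__ == "__main__":
    rules = json.loads(RULES_JSON)
    for tags in ([], ["http-server"], ["http-server", "https-server"]):
        print(tags, "->", internet_exposed(rules, tags))
```

The untagged case shows why ports opened by rules without a target worked without tags, and the tagged cases show what adding http-server or https-server exposes to 0.0.0.0/0.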