GCE VM inaccessible on Port 80 despite correct VPC and OS firewalls

Hello,

I am experiencing an ERR_CONNECTION_TIMED_OUT when trying to access my GCE VM from the public internet on port 80. I have run an exhaustive series of checks and can confirm the following:

  1. Application Works Locally: A Dockerized Nginx server is running on the VM. curl http://localhost from inside the VM returns a 200 OK.

  2. DNS is Correct: My domain’s A record points to the correct static external IP.

  3. VPC Firewall is Correct: I have a VPC firewall rule with priority 900 that allows INGRESS traffic on tcp:80 from 0.0.0.0/0 to all instances on the network.

  4. OS Firewall is Correct: The VM’s internal iptables has a default ACCEPT policy for the INPUT chain and is not blocking traffic.

  5. The Issue Persists with New IPs: I have tried this with two different static external IP addresses, and both are unreachable.

Given these facts, it seems a higher-level Organizational Policy or another platform-level configuration is silently dropping the packets. Since I do not have a support plan, I cannot open a formal ticket.

Can anyone suggest how a solo administrator can diagnose or request an exception for a suspected overriding Organizational Firewall Policy? Is there a default-deny policy on new organizations that I need to be aware of?

Project ID: (PII Removed by Staff)
Instance Name: (PII Removed by Staff)
Zone: europe-west6-c

Thank you for any guidance.

Hello @Jorge_YUI,

ERR_CONNECTION_TIMED_OUT clearly means the web server is unreachable.

GCP projects are part of a resource hierarchy. A firewall rule set on a parent folder or organisation might block the traffic and you might not have permission to see it.

But first, double-check your firewall rule at the project level:

  • Is it attached to the correct VPC (default?)

  • Are the targets correct? (all instances, tags, service accounts?)

  • Is the action set to allow?

  • Is there another blocking rule with a higher priority (lower number)?

If your rule looks fine, then it might be blocked by a parent-level policy. You’re probably not working alone on this project, right?

I took the time to boot a VM, pull an Nginx image, run the container with port 80 exposed and create the corresponding firewall rule; it worked seamlessly.

Hi @Jorge_YUI,

You may also check the provided example in the documentation which demonstrates priorities associated with the network tags.

And hierarchical firewall policies, if defined by an organization admin, can introduce deny rules that override VPC rules.

Google Cloud’s Organization Policy Service can enforce constraints that restrict resource configurations, such as disabling external IP access or enforcing specific firewall behaviors.

A common constraint that might affect your setup is constraints/compute.vmExternalIpAccess - Restrict external IP access to specific instances.

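Added example, not code from either reply or from Google: a script that pulls together the checks the two replies describe. The first part replays the VPC firewall decision for one packet (lowest priority number wins, a deny beats an allow at equal priority, disabled rules are skipped, ingress is denied when nothing matches) against a constructed rule set that contains exactly the trap the first reply asks about: an allow at priority 900 shadowed by a deny at 800. The second part lists the gcloud commands that fetch the real inputs, including the effective firewalls for the instance (which is where hierarchical firewall policies show up) and the effective constraints/compute.vmExternalIpAccess policy, and an in-VM check that the container actually publishes port 80 on 0.0.0.0, since a curl to localhost succeeding does not prove that. The rule set, source IPs (documentation ranges) and tag names are constructed; the gcloud --format string and the INSTANCE ZONE PROJECT arguments are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Part 1: offline replay of the VPC
# firewall decision. Part 2: gcloud commands that fetch the real inputs.
set -e

# Constructed sample: name|priority|disabled|sourceRanges|targetTags|allowed|denied
# (lists comma separated, empty field = not set). Assumed export command for a real project:
#   gcloud compute firewall-rules list --filter="network:default AND direction=INGRESS" \
#     --format="value[separator='|'](name,priority,disabled,sourceRanges.list(),targetTags.list(),allowed[].map().firewall_rule().list(),denied[].map().firewall_rule().list())"
SAMPLE_RULES='allow-http|900|False|0.0.0.0/0||tcp:80|
deny-all-http|800|False|0.0.0.0/0|||tcp:80
allow-http-web-tag|500|False|0.0.0.0/0|web|tcp:80|
legacy-deny-http|100|True|0.0.0.0/0|||tcp:80
allow-ssh-office|1000|False|203.0.113.0/24||tcp:22|'

# dotted quad -> 32-bit integer
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains CIDR IP -> success when IP lies inside CIDR (a bare address counts as /32)
cidr_contains() {
  net=${1%/*}; bits=${1#*/}; ip=$2
  [ "$bits" = "$1" ] && bits=32
  [ "$bits" -eq 0 ] && return 0
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$ip") & mask )) ]
}

# in_list NEEDLE CSV -> success when NEEDLE is one of the comma separated entries
in_list() {
  for x in $(printf '%s' "$2" | tr ',' ' '); do [ "$x" = "$1" ] && return 0; done
  return 1
}

# port_spec_matches SPEC PROTO PORT -> success when an entry like tcp:80, tcp:8000-8080,
# tcp (all ports) or all covers PROTO:PORT. An empty SPEC never matches.
port_spec_matches() {
  spec=$1; proto=$2; port=$3
  for entry in $(printf '%s' "$spec" | tr ',' ' '); do
    [ "$entry" = "all" ] && return 0
    p=${entry%%:*}
    [ "$p" = "$proto" ] || continue
    [ "$entry" = "$p" ] && return 0
    range=${entry#*:}; lo=${range%-*}; hi=${range#*-}
    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
  done
  return 1
}

# winning_rule RULES SRC_IP PROTO PORT INSTANCE_TAGS -> "ALLOW name" or "DENY name".
# Rules are walked in priority order (deny first at equal priority); the first rule whose
# source range and target tags fit the packet decides it. No target tags = all instances.
winning_rule() {
  decided=$(printf '%s\n' "$1" | sort -t'|' -k2,2n -k6,6 |
    while IFS='|' read -r name prio disabled ranges ttags allow deny; do
      [ -z "$name" ] && continue
      [ "$disabled" = "True" ] && continue
      hit=1
      for r in $(printf '%s' "$ranges" | tr ',' ' '); do
        cidr_contains "$r" "$2" && { hit=0; break; }
      done
      [ "$hit" -eq 0 ] || continue
      if [ -n "$ttags" ]; then
        hit=1
        for t in $(printf '%s' "$ttags" | tr ',' ' '); do
          in_list "$t" "$5" && { hit=0; break; }
        done
        [ "$hit" -eq 0 ] || continue
      fi
      if port_spec_matches "$deny" "$3" "$4"; then echo "DENY $name"; exit 0; fi
      if port_spec_matches "$allow" "$3" "$4"; then echo "ALLOW $name"; exit 0; fi
    done)
  printf '%s\n' "${decided:-DENY implied-ingress-deny}"
}

# Part 2, assumed usage: ./fwcheck.sh INSTANCE ZONE PROJECT (needs gcloud and permissions)
live_checks() {
  inst=$1; zone=$2; project=$3
  # network, external IP and network tags of the instance (tags decide which rules target it)
  gcloud compute instances describe "$inst" --zone "$zone" --project "$project" \
    --format='value(networkInterfaces[0].network.basename(),networkInterfaces[0].accessConfigs[0].natIP,tags.items)'
  # every rule applied to this NIC, including hierarchical and network firewall policies
  gcloud compute instances network-interfaces get-effective-firewalls "$inst" --zone "$zone" --project "$project"
  # effective org policy: may forbid the external IP on this project entirely
  gcloud resource-manager org-policies describe compute.vmExternalIpAccess --project "$project" --effective
  # on the VM: is port 80 published on 0.0.0.0 rather than only 127.0.0.1?
  gcloud compute ssh "$inst" --zone "$zone" --project "$project" \
    --command='sudo ss -tlnp | grep ":80 "; docker ps --format "{{.Names}} {{.Ports}}"'
}

if [ "$#" -ge 3 ] && command -v gcloud >/dev/null 2>&1; then
  live_checks "$@"
else
  winning_rule "$SAMPLE_RULES" 198.51.100.7 tcp 80 ""      # DENY deny-all-http
  winning_rule "$SAMPLE_RULES" 198.51.100.7 tcp 80 "web"   # ALLOW allow-http-web-tag
  winning_rule "$SAMPLE_RULES" 203.0.113.9 tcp 22 ""       # ALLOW allow-ssh-office
  winning_rule "$SAMPLE_RULES" 198.51.100.7 tcp 22 ""      # DENY implied-ingress-deny
fi
```

Run without arguments it only evaluates the constructed rules; the first result is the situation to look for in the real output: the priority 900 allow on tcp:80 is correct yet loses to the priority 800 deny. Hierarchical firewall policy rules are evaluated before any VPC rule, so a deny from a folder or organization policy appears in the get-effective-firewalls output even when the project-level list looks clean, and a restrictive vmExternalIpAccess policy means the packets never reach a firewall at all because the instance has no usable external address.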