I'm using the following `docker-compose.yml` in my Google Compute Engine VM instance, which I invoke via the `docker compose up` command in the Compute Engine instance. Both the services `aaa` and `bbb` run a VNC server so that I may monitor a GUI dashboard remotely for each service from my local machine.

If I invoke the very same docker compose file on my local machine (an M1 Mac), I'm able to successfully connect via `vncviewer` by connecting to `localhost:5900` and `localhost:5901`.

However, when my docker containers are running on the Google Compute Engine instance, the connection (say `external.IP:5900`) to the external IP fails with a timeout.
```yaml
version: "3.4"
services:
  aaa:
    image: gcr.io/my-nginx-363907/aaa
    volumes:
      - ./pystoredata:/root/pystore
    ports:
      - 5900:5900
      - 4002:4002
      - 4004:4004
    restart: on-failure
  bbb:
    image: gcr.io/my-nginx-363907/bbb
    volumes:
      - ./pystoredata:/root/pystore
    ports:
      - 5901:5901
    restart: on-failure
    depends_on:
      - aaa
```
Here's the output of `netstat -lntp` on the Compute Engine instance:

```
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:5900            0.0.0.0:*               LISTEN      6120/docker-proxy
tcp        0      0 0.0.0.0:5901            0.0.0.0:*               LISTEN      6270/docker-proxy
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      507/sshd: /usr/sbin
tcp        0      0 0.0.0.0:4002            0.0.0.0:*               LISTEN      6164/docker-proxy
tcp        0      0 0.0.0.0:4004            0.0.0.0:*               LISTEN      6141/docker-proxy
tcp6       0      0 :::5900                 :::*                    LISTEN      6127/docker-proxy
tcp6       0      0 :::5901                 :::*                    LISTEN      6277/docker-proxy
tcp6       0      0 :::22                   :::*                    LISTEN      507/sshd: /usr/sbin
tcp6       0      0 :::4002                 :::*                    LISTEN      6170/docker-proxy
tcp6       0      0 :::4004                 :::*                    LISTEN      6149/docker-proxy
```
How do I connect my vnc client on my local machine to the two docker containers running on the compute engine instance?
In order to address the concerns raised by @divyang4481 and @Slava Kuravsky, here are my firewall settings. It appears, to my eye at least, that the ports 5900 and 5901 are already enabled/open, and yet I'm unable to connect to the VNC server running on my containers. Let me know if I'm missing something.
This problem is due to the firewall; you need to open the 5901, 5900, 4002 and 4004 ports.

For GCP, firewalls are managed using “Firewall Rules,” which are sets of allowed/denied ports with other settings like a source IP filter. A firewall rule can be applied to every instance in the account, but you’re supposed to set a “target tag,” such as “VNC” or “VNC-server,” which can be added to any Compute Engine instance to open the specified ports.

Then you have to set a rule in the firewall of the VPC. For Target Tags, give the rule a name to identify it. For the source IP range, there isn’t an option for “anywhere,” so you’ll need to manually type in 0.0.0.0/0 (CIDR notation for all possible IP addresses).

And make sure to allow port forwarding in your Compute Engine/VM instance:
```yaml
network:
  forwarded_ports:
    - 5900
  instance_tag: vnc
```
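The same steps scripted with the `gcloud` CLI, as an added example that is not part of the question or answer: the `netstat` output above already shows `docker-proxy` listening on `0.0.0.0:5900` and `0.0.0.0:5901`, so what remains is the VPC firewall rule plus the target tag on the VM. The project, zone, instance name, rule name and client CIDR are placeholders I chose; the answer uses `0.0.0.0/0` as the source range, which admits any internet host to a VNC service, so the script only accepts that when `ALLOW_ANY_SOURCE=1` is set and otherwise expects the client's own address in CIDR form.

```shell
#!/bin/sh
# Added example (not from the post): open the VNC ports via a tagged VPC firewall rule.
# Set GCLOUD="echo gcloud" to print the commands instead of running them.
GCLOUD="${GCLOUD:-gcloud}"
RULE_NAME="allow-vnc"                  # placeholder rule name
TARGET_TAG="vnc-server"                # the "target tag" the answer describes
VNC_PORTS="tcp:5900,tcp:5901"          # the two VNC listeners from the compose file

# Reject anything that is not CIDR notation; 0.0.0.0/0 (the answer's value) and ::/0
# only pass when the caller has opted in explicitly, since VNC has no network-level auth.
check_source_cidr() {
    case "$1" in
        0.0.0.0/0|::/0) [ "${ALLOW_ANY_SOURCE:-0}" = 1 ] ;;
        */*)            return 0 ;;
        *)              return 1 ;;
    esac
}

# Create the ingress rule restricted to instances carrying TARGET_TAG.
create_vnc_rule() {
    project="$1"; source_cidr="$2"
    check_source_cidr "$source_cidr" || {
        echo "refusing source range '$source_cidr' (set ALLOW_ANY_SOURCE=1 to override)" >&2
        return 1
    }
    $GCLOUD compute firewall-rules create "$RULE_NAME" \
        --project="$project" --direction=INGRESS --action=ALLOW \
        --rules="$VNC_PORTS" --source-ranges="$source_cidr" \
        --target-tags="$TARGET_TAG"
}

# The rule matches nothing until the VM carries the tag, so apply it to the instance.
tag_vnc_instance() {
    project="$1"; zone="$2"; instance="$3"
    $GCLOUD compute instances add-tags "$instance" \
        --project="$project" --zone="$zone" --tags="$TARGET_TAG"
}

# Usage (placeholders): create_vnc_rule my-project 203.0.113.7/32
#                       tag_vnc_instance my-project us-central1-a my-vm
```

After both commands succeed, `vncviewer external.IP:5900` from the address in the source range should connect; a timeout at that point means the tag or the rule's network does not match the VM.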