By default you can access HTTP ports 80 and ports 1024 to 65535 on yourworkstations from your browser. You can restrict the ports you can access onyour workstations by setting allowedPortsin the workstation configuration.
Running workstations have a host property that you can useto connect using HTTP from a remote browser. You can find the host property bygetting details for a running workstation through the API, Google Cloud CLI,the Google Cloud console, or by printing the $WEB_HOST environment variable,which is automatically set inside your workstation.The URL connects on port 80 by default.
Default workstation URL format
The host property URL uses the following format by default:
https://PORT-WORKSTATION_NAME.CLUSTER_ID.cloudworkstations.devThe placeholders represent the following:
PORT: the port number, which is port80by default.WORKSTATION_NAME: the workstation name.CLUSTER_ID: the randomly generated cluster identifiercloudworkstations.dev: the default domain name for a workstation.URLs for custom domains use a different format. For more about setting upcustom domains in Cloud Workstations, seeSet up custom domains for Cloud Workstations.
Connect to a different port by changing the URL
In order to connect on a different port, specify a different port number as aprefix. For example, the following URL connects to port 9900:
https://9900-myworkstation.cluster-12345abcde.cloudworkstations.devIn this example, note the following:
9900: represents the port number.myworkstation: represents the workstation ID.cluster-12345abcde: represents the cluster identifier.cloudworkstations.dev: represents the default domain name for a workstation.
These URLs require user authentication. To access these URLs,you must be logged in and must have the Cloud Workstations User IAMrole, roles/workstations.user, or the workstations.workstations.usepermission.
Connecting to an HTTP app from Google Cloud console
You can connect to an HTTP app running on a workstation from theGoogle Cloud console.
For any running workstation that you have permissions to use, you see aLaunch button. By default, this button connects on port 80. You canclick the arrow_drop_downexpanderarrow next to Launch to see alternative connecting options. TheConnect to web app on port option lets you specify a different port toconnect to.
Connecting to an HTTP app from the base editor
To connect to an app running on your workstation from the base editor, follow either of these instructions:
Click localhost links in the terminal. The base editor automaticallyredirects localhost links to the right URLs.
To open a terminal window, click menuMenu>Terminal>New Terminal.Alternatively, press Control+Shift+` (orCommand+Shift+` on macOS).
At the command prompt, run the following command to display thelocalhost link:
echo http://localhost:PORTReplace
PORTwith a port number such as80or8080.Hold Control (or Command on macOS) and then clickthe localhost link.
This opensPORT-WORKSTATION-HOSTNAMEin your browser.
Use the browser window: navigate to
https://PORT-WORKSTATION-HOSTNAME,wherePORTis the port number andWORKSTATION-HOSTNAMEis your workstationhostname.
Restricting port access for a workstation
To restrict the ports that can be accessed on a workstations, set theallowedPorts in the workstation configurations.
To restrict a single port, set the PortRangefirst and last fields to the same port number.
By default ports 22, 80 and 1024-65535 are allowed.
To create a workstation configuration with restricted port access to 80 and8080 to 8100, run the following Google Cloud CLI command:
gcloud beta workstations configs create CONFIG \ --cluster=CLUSTER \ --region=REGION \ --project=PROJECT \ --allowed-ports=first=80,last=80 \ --allowed-ports=first=8080,last=8100
CORS preflight requests
By default, the workstations service makes sure that all requests to theworkstation are authenticated with acookie or authentication header.
Cross-Origin Resource Sharing (CORS) preflight requests don't include cookiesor custom headers, and so are considered unauthenticated and blocked by theworkstations service. Administrators canoptionally allow unauthenticated CORS preflight requests through tothe workstation, where it becomes the responsibility of the destinationserver in the workstation to validate the request.
To allow unauthenticated CORS preflight requests, run the followingGoogle Cloud CLI command:
gcloud beta workstations configs update CONFIG \ --cluster=CLUSTER \ --region=REGION \ --project=PROJECT \ --allow-unauthenticated-cors-preflight-requests
