By default you can access HTTP ports 80
and ports 1024
to 65535
on yourworkstations from your browser. You can restrict the ports you can access onyour workstations by setting allowedPortsin the workstation configuration.
Running workstations have a host
property that you can useto connect using HTTP from a remote browser. You can find the host
property bygetting details for a running workstation through the API, Google Cloud CLI,the Google Cloud console, or by printing the $WEB_HOST
environment variable,which is automatically set inside your workstation.The URL connects on port 80
by default.
Default workstation URL format
The host
property URL uses the following format by default:
https://PORT-WORKSTATION_NAME.CLUSTER_ID.cloudworkstations.dev
The placeholders represent the following:
PORT
: the port number, which is port80
by default.WORKSTATION_NAME
: the workstation name.CLUSTER_ID
: the randomly generated cluster identifiercloudworkstations.dev
: the default domain name for a workstation.URLs for custom domains use a different format. For more about setting upcustom domains in Cloud Workstations, seeSet up custom domains for Cloud Workstations.
Connect to a different port by changing the URL
In order to connect on a different port, specify a different port number as aprefix. For example, the following URL connects to port 9900
:
https://9900-myworkstation.cluster-12345abcde.cloudworkstations.dev
In this example, note the following:
9900
: represents the port number.myworkstation
: represents the workstation ID.cluster-12345abcde
: represents the cluster identifier.cloudworkstations.dev
: represents the default domain name for a workstation.
These URLs require user authentication. To access these URLs,you must be logged in and must have the Cloud Workstations User IAMrole, roles/workstations.user
, or the workstations.workstations.use
permission.
Connecting to an HTTP app from Google Cloud console
You can connect to an HTTP app running on a workstation from theGoogle Cloud console.
For any running workstation that you have permissions to use, you see aLaunch button. By default, this button connects on port 80
. You canclick the arrow_drop_downexpanderarrow next to Launch to see alternative connecting options. TheConnect to web app on port option lets you specify a different port toconnect to.
Connecting to an HTTP app from the base editor
To connect to an app running on your workstation from the base editor, follow either of these instructions:
Click localhost links in the terminal. The base editor automaticallyredirects localhost links to the right URLs.
To open a terminal window, click menuMenu>Terminal>New Terminal.Alternatively, press Control+Shift+` (orCommand+Shift+` on macOS).
At the command prompt, run the following command to display thelocalhost link:
echo http://localhost:PORT
Replace
PORT
with a port number such as80
or8080
.Hold Control (or Command on macOS) and then clickthe localhost link.
This opensPORT-WORKSTATION-HOSTNAME
in your browser.
Use the browser window: navigate to
https://PORT-WORKSTATION-HOSTNAME
,wherePORT
is the port number andWORKSTATION-HOSTNAME
is your workstationhostname.
Restricting port access for a workstation
To restrict the ports that can be accessed on a workstations, set theallowedPorts
in the workstation configurations.
To restrict a single port, set the PortRange
first
and last
fields to the same port number.
By default ports 22
, 80
and 1024
-65535
are allowed.
To create a workstation configuration with restricted port access to 80
and8080
to 8100
, run the following Google Cloud CLI command:
gcloud beta workstations configs create CONFIG \ --cluster=CLUSTER \ --region=REGION \ --project=PROJECT \ --allowed-ports=first=80,last=80 \ --allowed-ports=first=8080,last=8100
CORS preflight requests
By default, the workstations service makes sure that all requests to theworkstation are authenticated with acookie or authentication header.
Cross-Origin Resource Sharing (CORS) preflight requests don't include cookiesor custom headers, and so are considered unauthenticated and blocked by theworkstations service. Administrators canoptionally allow unauthenticated CORS preflight requests through tothe workstation, where it becomes the responsibility of the destinationserver in the workstation to validate the request.
To allow unauthenticated CORS preflight requests, run the followingGoogle Cloud CLI command:
gcloud beta workstations configs update CONFIG \ --cluster=CLUSTER \ --region=REGION \ --project=PROJECT \ --allow-unauthenticated-cors-preflight-requests