Introduction

SSH connection failures to Google Compute Engine instances block all administrative access. This can be caused by firewall rules, SSH key misconfiguration, OS Login issues, or the SSH daemon not running.

Symptoms

- `ssh user@<external-ip>` returns "Connection refused" or "Connection timed out"
- `gcloud compute ssh` fails with permission denied
- Browser-based SSH in Cloud Console shows "Unable to connect"

Common Causes

- Firewall rule not allowing port 22 from the source IP
- SSH key removed from instance metadata or OS Login disabled
- SSH daemon (sshd) crashed or not running
- Disk full preventing SSH login
- OS Login enabled but IAM roles removed

Step-by-Step Fix

1. **Check firewall rules**:
   ```bash
   gcloud compute firewall-rules list --filter="name~'ssh'"
   ```
2. **Use serial console to debug**:
   ```bash
   gcloud compute instances get-serial-port-output <instance-name> --zone <zone>
   ```
3. **Enable interactive serial console**:
   ```bash
   gcloud compute instances add-metadata <instance-name> --zone <zone> --metadata serial-port-enable=TRUE
   gcloud compute connect-to-serial-port <instance-name> --zone <zone> --port=2
   ```
4. **Reset SSH keys via metadata**:
   ```bash
   gcloud compute instances add-metadata <instance-name> --zone <zone> \
     --metadata "ssh-keys=$(whoami):$(cat ~/.ssh/id_rsa.pub)"
   ```
   `add-metadata` replaces the whole `ssh-keys` value, so any other keys already stored in the instance metadata must be included in the same command or they are removed.

Prevention

- Keep default-allow-ssh firewall rule enabled
- Use OS Login with proper IAM roles
- Monitor disk usage to prevent full-disk SSH lockout
- Enable serial port access for emergency situations
- Use IAP for TCP forwarding as an alternative to direct SSH