Protect your Google Cloud Instances with Firewall Rules

  1. They allow you to isolate your internal network and instances from unwanted access.
  2. They allow you to monitor inbound and outbound traffic on your network for suspicious activity, blocking what a set of security rules considers dangerous.
  3. They establish the first line of defense against attacks, viruses, and malware, and help create a secure network. So let’s take a look at firewalls more closely.

Don’t let the firewall be the choke point

Google’s distributed firewall

  • An action: either allow or deny. Separately from the action, every rule has a direction: it applies to incoming (ingress) traffic or to outgoing (egress) traffic, never both at once.
  • The protocol to which it applies, such as TCP, UDP, ICMP, or IPIP (or all protocols).
  • Either a source or a destination for which the rule applies, never both; which one you specify depends on the direction of the rule. An ingress rule specifies sources (IP ranges, network tags, service accounts, or a combination) and no destination, because the rule is already applied to the target VM’s inbound traffic. An egress rule specifies destination IP ranges and no source, because the rule is already applied to the target VM’s outbound traffic.
  • The ports to which the rule applies, for TCP and UDP. For example, allow ingress TCP traffic on port 22 for SSH access, or deny a VM’s egress TCP traffic on all ports to every destination in an IP range.

Firewall rule set up

Your Wish Is Your Command

# Allow HTTP from one subnet to instances tagged "webserver".
# Priority 50 beats any conflicting rule with a larger number
# (lower number = higher precedence; 65535 is the lowest).
gcloud compute firewall-rules create vm1-allow-ingress-tcp-port80-from-subnet1 \
--network my-network \
--action allow \
--direction ingress \
--rules tcp:80 \
--source-ranges 10.240.10.0/24 \
--priority 50 \
--target-tags webserver

# Inspect the rule you just created
gcloud compute firewall-rules describe [FIREWALL_RULE_NAME]
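To make the rule anatomy above and the effect of priority concrete, here is a small model of how Google Cloud picks the one rule that decides a packet. This is an added example, not code from the original post or from Google. The rule set is constructed for illustration: it includes the port-80 rule created by the gcloud command above plus invented rules for SSH, HTTPS and egress, and the names Rule, Packet and evaluate are this example's own. The evaluation semantics it encodes are the documented VPC firewall behaviour: only rules in the packet's direction are considered, the lowest priority number wins, deny beats allow at equal priority, and two implied rules at priority 65535 (deny all ingress, allow all egress) decide anything no explicit rule matches.

```python
"""Model of how Google Cloud VPC firewall rules are evaluated for one packet.

Added example, not code from the original post or from Google. The rule set
below is constructed for illustration. Evaluation follows the documented VPC
firewall behaviour: only rules in the packet's direction are considered, the
lowest priority number wins, a deny beats an allow at the same priority, and
the two implied rules at priority 65535 (deny all ingress, allow all egress)
decide a packet that no explicit rule matches.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    direction: str              # "INGRESS" or "EGRESS"
    action: str                 # "allow" or "deny"
    priority: int               # 0..65535; lower number = higher precedence
    # protocol -> set of ports, or None for all ports; empty dict = all protocols
    protocols: dict = field(default_factory=dict)
    # source ranges for INGRESS, destination ranges for EGRESS
    # (gcloud defaults an ingress rule with no source to 0.0.0.0/0)
    ranges: tuple = ("0.0.0.0/0",)
    target_tags: tuple = ()     # empty = every instance in the network


@dataclass
class Packet:
    direction: str
    protocol: str
    port: Optional[int]         # None for protocols without ports (e.g. icmp)
    remote_ip: str              # source IP for INGRESS, destination IP for EGRESS
    instance_tags: tuple = ()   # network tags on the VM being evaluated


def protocol_matches(rule: Rule, pkt: Packet) -> bool:
    if not rule.protocols:
        return True
    if pkt.protocol not in rule.protocols:
        return False
    ports = rule.protocols[pkt.protocol]
    return ports is None or pkt.port in ports


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.target_tags and not set(rule.target_tags) & set(pkt.instance_tags):
        return False
    remote = ip_address(pkt.remote_ip)
    if not any(remote in ip_network(r) for r in rule.ranges):
        return False
    return protocol_matches(rule, pkt)


def evaluate(rules, pkt: Packet):
    """Return (action, rule_name) for the rule that decides this packet."""
    matching = [r for r in rules if rule_matches(r, pkt)]
    if not matching:
        implied = "deny" if pkt.direction == "INGRESS" else "allow"
        return implied, f"implied-{implied}-{pkt.direction.lower()}"
    # Lowest priority number first; at a tie, deny sorts before allow.
    winner = min(matching, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return winner.action, winner.name


# Constructed rule set. The first rule is the one created by the gcloud command
# above; the rest are invented to show tag matching, a same-priority conflict
# and an egress deny.
RULES = [
    Rule("vm1-allow-ingress-tcp-port80-from-subnet1", "INGRESS", "allow", 50,
         {"tcp": {80}}, ("10.240.10.0/24",), ("webserver",)),
    # SSH reachable only from Google's IAP TCP-forwarding range, on every instance.
    Rule("allow-ssh-from-iap", "INGRESS", "allow", 1000, {"tcp": {22}}, ("35.235.240.0/20",)),
    # Same priority, overlapping match: deny wins for 192.0.2.0/24, allow elsewhere.
    Rule("allow-https-from-anywhere", "INGRESS", "allow", 1000, {"tcp": {443}},
         ("0.0.0.0/0",), ("webserver",)),
    Rule("deny-https-from-blocklist", "INGRESS", "deny", 1000, {"tcp": {443}},
         ("192.0.2.0/24",), ("webserver",)),
    # The egress case from the post: deny TCP on all ports to every host in a range.
    Rule("deny-egress-tcp-to-legacy-net", "EGRESS", "deny", 900, {"tcp": None}, ("10.10.0.0/16",)),
]

if __name__ == "__main__":
    for pkt in (
        Packet("INGRESS", "tcp", 80, "10.240.10.5", ("webserver",)),   # allow, port-80 rule
        Packet("INGRESS", "tcp", 80, "10.240.11.5", ("webserver",)),   # deny, wrong subnet
        Packet("INGRESS", "tcp", 443, "192.0.2.5", ("webserver",)),    # deny wins the tie
        Packet("EGRESS", "tcp", 3306, "10.10.5.5", ("webserver",)),    # deny, egress rule
        Packet("EGRESS", "udp", 53, "8.8.8.8"),                        # allow, implied egress
    ):
        print(f"{pkt.direction:7} {pkt.protocol}:{pkt.port} {pkt.remote_ip:15} -> {evaluate(RULES, pkt)}")
```

Two things the model deliberately leaves out, because the post does not cover them: ingress rules whose source is a network tag or service account rather than an IP range, and hierarchical firewall policies, which are evaluated before VPC firewall rules. The same-priority case is the one to remember when you audit a rule set: two rules at 1000 that both match a packet do not produce an error, the deny simply wins.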

Firewall rules logging

Now what?

  1. Deep dive on Firewall rules here.
  2. Subscribe to the GCP YouTube channel and follow my video series Networking End-to-End.
  3. Check out Networking 103 where I discuss firewall rules with Networking Specialist, Binal Shah.
  4. Want more content? Follow me on Twitter @swongful.
  5. And check out the Google Cloud events near you.

Stephanie Wong

Google Cloud Developer Advocate and producer of awesome online content. Creator of the series, GCP Networking End-to-End; host of Google’s Next onAir. @swongful