As you can see, the default rules allow only basic connectivity: you can ping the server and log in to it.
Do you need more than this?
I am sure you do. That's where you need to know how to configure rules for your own needs.
GCP firewall rules are software-defined; you don't need to learn, or log in to, a conventional hardware firewall appliance.
Google Cloud firewall rules are stateful. All configuration is done either through the GCP Console or through commands. Here I'll explain how to do it using the console.
Firewall rules are available under VPC network in the Networking section of the left-side menu.
When you click Create firewall rule, it asks you for the connectivity details. Let's go through the available options and what each one means.
Name – the name of the firewall rule (lowercase only, no spaces allowed)
Description – optional, but it is good to enter something meaningful so you remember the rule's purpose in future
Network – if you haven't created any VPC, you will see only default; leave it as it is. If you have multiple VPCs, select the network where you want the rule to apply.
Priority – the rule's priority within the network. The lower the number, the higher the priority; the default is 1000. In most cases you want to keep all critical services (HTTP, HTTPS, etc.) at priority 1000.
Direction of traffic – select the flow type, either ingress (incoming) or egress (outgoing).
Action on match – choose whether to allow or deny matching traffic
Targets – the instances the rule applies to. You can apply it to all instances in the network, only to instances with specific target tags, or only to instances running under a specific service account.
Source filter – the source that is checked to decide whether traffic is allowed or denied. You can filter by IP ranges, subnetworks, source tags, or service accounts.
Source IP ranges – if you selected IP ranges as the source filter (the default), provide the IP ranges the rule should match.
Second source filter – you can combine two source filters.
Ex: the first source filter can be source tags and the second a service account. Traffic matching either one is allowed/denied.
Protocol and ports – either allow all ports or specify individual ones per protocol (TCP/UDP). A single rule can list multiple ports.
Let's explore a real-world scenario…
You've changed the SSH port from 22 to something else (let's say 5000) for security reasons. Since then, you can't get into the VM.
You can easily guess why: port 5000 is not allowed by the firewall. To allow it, create a firewall rule as follows.
Provide a rule name
Choose Ingress for the direction of traffic
Choose Allow for the action on match
Select All instances in the network as the target (assuming you want to connect to any VM on port 5000)
Select IP ranges as the source filter (assuming you want to connect from ANY source)
Provide 0.0.0.0/0 as the source IP range
Select Specified protocols and ports and enter tcp:5000
Try to connect to your VM on port 5000, and it should work.
Here are some best practices for managing firewall rules.
Allow only what is required (on a need basis)
Wherever possible, specify individual source IPs or ranges instead of 0.0.0.0/0 (ANY)
Associate VM instances with tags and use those tags in the target instead of all instances
Combine multiple ports into a single rule when the source and target are the same
Review firewall rules periodically
The GCP graphical interface is easy to understand and manage.
I hope this gives you an idea of how to manage firewall rules. If you're interested in learning GCP, I suggest checking out this course.
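To make the rule semantics above concrete, here is an added Python model (not Google's code and not part of the original article) of how a VPC network evaluates one ingress packet: rules are sorted by priority number (lower number wins), the first matching rule's action is applied, and an implied deny-all ingress rule at priority 65535 catches anything no explicit rule matched. It replays the port-5000 scenario against a rule set constructed to mirror the default network's pre-populated rules, then shows the same rule after applying the best practices (a specific source range and a target tag). The rule names, the 203.0.113.0/24 admin range and the `ssh` tag are assumptions chosen for the illustration.

```python
"""Added illustration (not Google's code) of how VPC firewall rules are
evaluated for one ingress packet: rules are sorted by priority number
(lower number = evaluated first), the first matching rule's action is
applied, and an implied deny-all ingress rule at priority 65535 catches
anything no explicit rule matched.  The default rule set below is
constructed to mirror the rules Google creates on the default network."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                         # 0..65535; lower number = higher priority
    action: str                           # "allow" or "deny"
    protocol: str                         # "tcp", "udp", "icmp" or "all"
    ports: frozenset = frozenset()        # empty = every port of that protocol
    source_ranges: tuple = ("0.0.0.0/0",)
    target_tags: frozenset = frozenset()  # empty = all instances in the network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    protocol: str
    dst_port: Optional[int] = None          # None for ICMP
    instance_tags: frozenset = frozenset()  # network tags on the receiving VM


# Implied rule present in every VPC network: deny all ingress at the lowest priority.
IMPLIED_DENY_INGRESS = Rule("implied-deny-ingress", 65535, "deny", "all")

# Constructed to mirror the default network's pre-populated rules (priority 65534).
DEFAULT_RULES = [
    Rule("default-allow-internal", 65534, "allow", "all", source_ranges=("10.128.0.0/9",)),
    Rule("default-allow-ssh", 65534, "allow", "tcp", frozenset({22})),
    Rule("default-allow-rdp", 65534, "allow", "tcp", frozenset({3389})),
    Rule("default-allow-icmp", 65534, "allow", "icmp"),
]

# The rule the article's scenario creates: tcp:5000 from any source, all instances.
ALLOW_5000_ANY = Rule("allow-ssh-5000", 1000, "allow", "tcp", frozenset({5000}))

# The same rule after applying the best practices: a specific source range and a
# target tag, so only tagged VMs accept it and only from the admin network.
# 203.0.113.0/24 is a documentation range standing in for an office/VPN egress.
ALLOW_5000_SCOPED = Rule("allow-ssh-5000-scoped", 1000, "allow", "tcp",
                         frozenset({5000}), ("203.0.113.0/24",), frozenset({"ssh"}))


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet satisfies every component of the rule."""
    if rule.target_tags and not (rule.target_tags & pkt.instance_tags):
        return False
    src = ip_address(pkt.src_ip)
    if not any(src in ip_network(r) for r in rule.source_ranges):
        return False
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.ports and pkt.dst_port not in rule.ports:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) for the highest-priority matching rule.
    Ties on the priority number are broken in favour of deny, as GCP does."""
    ordered = sorted(rules + [IMPLIED_DENY_INGRESS],
                     key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in ordered:
        if matches(rule, pkt):
            return rule.action, rule.name
    raise AssertionError("the implied deny rule must match everything")


if __name__ == "__main__":
    admin = Packet("203.0.113.10", "tcp", 5000, frozenset({"ssh"}))
    stranger = Packet("198.51.100.7", "tcp", 5000, frozenset({"ssh"}))
    print("default rules, tcp/5000:  ", evaluate(DEFAULT_RULES, admin))
    print("default rules, tcp/22:    ", evaluate(DEFAULT_RULES, Packet("203.0.113.10", "tcp", 22)))
    print("open rule, any source:    ", evaluate(DEFAULT_RULES + [ALLOW_5000_ANY], stranger))
    print("scoped rule, admin source:", evaluate(DEFAULT_RULES + [ALLOW_5000_SCOPED], admin))
    print("scoped rule, other source:", evaluate(DEFAULT_RULES + [ALLOW_5000_SCOPED], stranger))
```

With only the default rules, tcp/5000 falls through to the implied deny, which is exactly the lock-out described in the scenario; adding the open rule lets anyone on the internet reach port 5000, while the scoped rule admits only the admin range and only VMs carrying the `ssh` tag. The console steps in the scenario correspond to the gcloud CLI command (not shown in the article) `gcloud compute firewall-rules create allow-ssh-5000 --direction=INGRESS --action=ALLOW --rules=tcp:5000 --source-ranges=0.0.0.0/0`; the scoped variant replaces the source with `--source-ranges=203.0.113.0/24` and adds `--target-tags=ssh`.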
As the founder of Geekflare, I’ve helped millions to excel in the digital realm. Passionate about technology, I’m on a mission to explore the world and amplify growth for professionals and businesses alike.