• Get application security done the right way! Detect, Protect, Monitor, Accelerate, and more…
  • Wondering how to allow or deny network flow on Google Cloud Platform (GCP?

    Every project you create in GCP comes with the default firewall rules.

    Let’s explore what are they.

    • default-allow-icmp – allow from any source to all the network IP. ICMP protocol is mostly used to ping the target.
    • default-allow-internal – allow connectivity between instances on any port.
    • default-allow-rdp – allow RDP session to connect to Windows servers from any source.
    • default-allow-ssh – enable SSH session to connect to UNIX servers from any source.

    As you can see the default rules allow basic connectivity to enable ping to and log in to the server.

    Do you need more than this?

    I am sure you do. That’s where you need to know how to configure based on needs.

    GCP firewall is software-defined rules; you don’t need to learn or log in to conventional firewall hardware devices.

    Google Cloud firewall rules are stateful.  All the configuration is done either through GCP Console or commands. However, I’ll explain how to do using a console.

    Firewall rules are available under the VPC network in the networking section on the left side menu.

    When you click on create a firewall rule, it will ask you the connectivity details. Let’s understand what all options we have and what does that mean.

    Name – Name of the firewall (only in lowercase and no space is allowed)

    Description – optional but good to enter something meaningful, so you remember in future

    Network – If you haven’t created any VPC then you will see only default and leave it as it is. However, if you have multiple VPC then select the network where you want to apply the firewall rules.

    Priority – rule priority applied to the network. Lowest got the highest priority, and it starts at 1000. In most cases, you want to keep all critical services (HTTP, HTTPS, etc.) with priority 1000.

    Direction of traffic – select the flow type between ingress (incoming) and outgress (outgoing).

    Action on match – choose if you want to allow or deny

    Targets – the target where you want to apply the rules. You have an option to apply the rules to all the instances in the network, only allow on specific tags or service account.

    Source filter – a source which will be validated to either allow or deny. You can filter by IP ranges, subnetworks, source tags, and service accounts.

    Source IP ranges – if selected IP range in source filter which is default then provide the range of IP which will be permitted.

    Second source filter – multiple source validations are possible.

    Ex: you can have the first source filter as source tags and second filter as a service account. Whichever match it will be allowed/denied.

    Protocol and ports – you can either select all the ports or specify individual ones (TCP/UDP). You can have multiple unique ports in a single rule.

    Let’s explore real-time scenarios…

    You’ve changed SSH port from 22 to something else (let’s say 5000) for security reasons. Since then, you can’t get into a VM.

    Why?

    Well, you can easily guess because port 5000 is not allowed in the firewall. To allow, you need to create a firewall rule as below.

    • Provide a rule name
    • Choose ingress in the direction of traffic
    • Choose to allow for action of the match
    • Select all instances in a network in the target (assuming you want to connect to any VM with port 5000)
    • Select IP ranges in source filter (assuming you want to connect from ANY sources)
    • Provide source IP ranges as 0.0.0.0/0
    • Select specified protocols and ports and enter tcp:5000
    • Click create

    Try to connect your VM with port 5000, and it should be ok.

    Some of the best practices for managing firewall rules.

    • Allow only what is required (need-basis)
    • Wherever possible, specify individual source IP or ranges instead of 0.0.0.0/0 (ANY)
    • Associate VM instances with the tags and use that in the target instead of all instances
    • Combine multiple ports in a single rule for matching source and destination
    • Review firewall rules periodically

    GCP graphical interface is easy to understand and manage.

    I hope this gives you an idea of managing firewalls. If interested in learning GCP then I would suggest checking out this course.