Overview

Network tags are logical labels that you attach to VM instances. They are defined independently of any firewall rule (a tag is just a string attached to a VM), and a firewall rule references the tag by name, either as a target tag (which VMs the rule applies to) or as a source tag (which VMs the traffic may come from).

Use Case - Allow all HTTPS ingress to a set of VMs (web server VMs)

For multiple VMs in a web server cluster, assign each VM the network tag webserver. Then create one ingress firewall rule that allows TCP port 443 from any source (0.0.0.0/0) to the target tag webserver. Any VM that later joins the cluster gets the same exposure simply by carrying the tag, and removing the tag removes it.

Use Case - You want only a handful of VMs in subnet a to be allowed into subnet b. How would you do this?

Create an ingress firewall rule whose targets are the VMs in subnet b and whose source filter is a network tag. Note that GCP firewall rules are attached to the VPC network, not to a subnet, so "subnet b" is expressed by a target tag on subnet b's VMs (or by their IP range), and the source tag is only matched for VMs in the same VPC network; across networks or VPC peering you have to fall back to source IP ranges. This works because network tags are an abstraction that can be attached to Compute Engine instances and referenced by rules.

Now attach that source tag to the specific VMs in subnet a. Only those VMs match the rule; the rest of subnet a is still stopped by the implied deny-ingress rule unless some other rule allows it.
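The two use cases above as gcloud commands, written as an added example rather than code from the original post. Project id, network, zone, tag names, ports and instance names are assumptions; set GCLOUD=echo to print the commands instead of running them against a real project.

```shell
#!/bin/sh
# Added example (not from the original post): tag-based GCP firewall rules.
# All names below are assumptions; set GCLOUD=echo to dry-run.
set -eu

GCLOUD="${GCLOUD:-gcloud}"
PROJECT="${PROJECT:-my-project}"     # assumed project id
NETWORK="${NETWORK:-default}"        # VPC that contains both subnets
ZONE="${ZONE:-us-central1-a}"        # assumed zone of the VMs

# Use case 1: HTTPS (tcp:443) from anywhere to every VM carrying TAG.
allow_https_to_tag() {
  tag="$1"
  "$GCLOUD" compute firewall-rules create "allow-https-to-${tag}" \
    --project="$PROJECT" --network="$NETWORK" \
    --direction=INGRESS --action=ALLOW --rules=tcp:443 \
    --source-ranges=0.0.0.0/0 --target-tags="$tag" --priority=1000
}

# Use case 2: only VMs carrying SRC_TAG may reach VMs carrying DST_TAG.
# Firewall rules are VPC-wide, so "subnet b" is represented by DST_TAG on
# its VMs. Source tags match only VMs in the same VPC network (not across
# peering), so both sets of VMs must live in $NETWORK.
allow_tag_to_tag() {
  src_tag="$1"; dst_tag="$2"; ports="${3:-tcp:22,tcp:443}"
  "$GCLOUD" compute firewall-rules create "allow-${src_tag}-to-${dst_tag}" \
    --project="$PROJECT" --network="$NETWORK" \
    --direction=INGRESS --action=ALLOW --rules="$ports" \
    --source-tags="$src_tag" --target-tags="$dst_tag" --priority=1000
}

# Attach TAG to each listed instance; add-tags keeps tags already present.
tag_instances() {
  tag="$1"; shift
  for vm in "$@"; do
    "$GCLOUD" compute instances add-tags "$vm" \
      --zone="$ZONE" --project="$PROJECT" --tags="$tag"
  done
}

# Usage with assumed instance names: tag subnet b's VMs, tag the chosen
# subnet a VMs, then create the rules. Uncomment to run.
# tag_instances subnet-b-app db-1 db-2
# tag_instances subnet-a-allowed app-1 app-3
# allow_https_to_tag webserver
# allow_tag_to_tag subnet-a-allowed subnet-b-app tcp:5432
```

The rules are created at the default priority 1000; if you later add a deny rule for the same target tag, give it a lower number so it is evaluated first. Untagging a VM in subnet a is all it takes to revoke its access to subnet b, which is why the next section matters.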

IAM and Network Tags

Network tags can be added to or removed from VMs by users holding the Owner, Editor or Compute Instance Admin roles; the underlying permission is compute.instances.setTags. Because a tag change silently changes what a firewall rule allows, you can create a custom role for users managing VMs that has all the permissions of the Compute Instance Admin role except compute.instances.setTags.

Thus, if human operators are granted only that custom role (and not Owner or Editor, which still carry the permission), adding or removing tags can be reserved for a deployment pipeline or another automated mechanism that includes an approval stage.
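One way to build that custom role, added here as an example and not taken from the original post: pull the permission list of the predefined Compute Instance Admin (v1) role, drop compute.instances.setTags, and create a project-level custom role from what remains. The role id, title and project id are assumptions; set GCLOUD=echo to see the command without creating anything.

```shell
#!/bin/sh
# Added example (not from the original post): custom role = Compute Instance
# Admin (v1) minus compute.instances.setTags. Names are assumptions.
set -eu

GCLOUD="${GCLOUD:-gcloud}"
PROJECT="${PROJECT:-my-project}"          # assumed project id
ROLE_ID="${ROLE_ID:-vmOperatorNoTags}"    # assumed custom role id

# Print the predefined role's permissions one per line. gcloud's value()
# format joins list fields with ';', which tr turns into newlines.
fetch_role_permissions() {
  "$GCLOUD" iam roles describe roles/compute.instanceAdmin.v1 \
    --format='value(includedPermissions)' | tr ';' '\n'
}

# Read newline-separated permissions on stdin and create the custom role
# without the tag-setting permission. Some permissions of predefined roles
# are not supported in custom roles; gcloud reports those, so review its
# output rather than assuming the role is complete.
create_vm_operator_role() {
  perms=$(grep -v -x 'compute.instances.setTags' | tr '\n' ',' | sed 's/,$//')
  "$GCLOUD" iam roles create "$ROLE_ID" --project="$PROJECT" \
    --title="VM operator (no tag changes)" --stage=GA \
    --permissions="$perms"
}

# Usage (uncomment to run against the real project):
# fetch_role_permissions | create_vm_operator_role
```

After creating the role, bind operators to projects/PROJECT/roles/ROLE_ID instead of roles/compute.instanceAdmin.v1, and grant compute.instances.setTags (for example through the predefined role) only to the pipeline's service account.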

Summary

Firewall rules based on network tags are powerful constructs in GCP. For effective, granular control of subnet-to-subnet traffic, use network tags together with VPC firewall rules, and restrict who may change the tags, since a tag change is effectively a firewall change.

Need an experienced Cloud Professional to help out with your Public Cloud Strategy? Set up a time with Anuj Varma.