Also read: Service Accounts as a superior way to do Firewall Rules in GCP and Firewall Policies in GCP

Which Rules apply where?

  • For Load Balancers? Cloud Armor security policies, not VPC firewall rules, are the right layer. A Google Cloud Armor security policy lets you allow, deny, redirect or rate-limit requests to your external HTTP(S) load balancer at the Google Cloud edge, as close as possible to the source of incoming traffic. Cloud Armor does not replace VPC firewall rules on the backends, though: the instances behind the load balancer still need an ingress rule that admits traffic from the Google Front End proxy and health-check source ranges (130.211.0.0/22 and 35.191.0.0/16), or the backends are simply marked unhealthy.
  • For App Engine? Use App Engine firewall rules: an ordered list of allow/deny rules keyed on source IP range, evaluated before a request reaches your app, with a default rule (allow, unless you flip it to deny) at the lowest priority. VPC firewall rules do not govern that traffic.
  • For Compute Engine VMs? VPC firewall rules, plus any hierarchical firewall policies inherited from the folder or organization. Every VPC network has two implied rules that cannot be deleted: allow all egress and deny all ingress, both at the lowest priority (65535). The default network additionally ships with pre-populated rules (default-allow-internal, default-allow-ssh, default-allow-rdp, default-allow-icmp); review or remove these before hosting anything sensitive, since they admit SSH, RDP and ICMP from 0.0.0.0/0.

Best Practices for GCP Firewall Policies

Some general best practices when working with firewall policies in GCP. Note that, unlike Security Groups in AWS (which can only express allow rules), GCP firewall rules are explicit ALLOW / DENY rules ordered by priority, much like the rule base of a firewall appliance.

  1. Put BLOCK / DENY rules at the top of the hierarchy, in a hierarchical firewall policy attached at the organization or folder level. Policies are evaluated organization first, then folders, then the VPC network's own rules, so a deny placed there cannot be undone by a project-level allow.
  2. Keep ALLOW rules as narrow as possible and apply them at the VM level by targeting the service account the VM runs as, rather than a network tag or a CIDR range. A tag can be added by anyone who can edit the instance; attaching a service account requires permission to act as that account, so identity-based rules are much harder to hijack.
  3. A rule is either ingress or egress, never both. Rules are stateful, though: once a connection is allowed in one direction, the return traffic for that connection is allowed automatically and is not re-evaluated against rules in the other direction.
  4. A VPC firewall rule is always defined on one VPC network, even though it is enforced at each VM's network interface (the targets selected by tag or service account). Hierarchical firewall policies instead live at the organization or folder level and are associated with those resources, so one policy spans every project and network beneath it.
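
As an added example (not code from the original article), the script below puts points 1 and 2 into practice with gcloud and also covers the load-balancer caveat from the previous section: a hierarchical policy attached at the organization level that carries only deny rules, and VPC allow rules that select VMs by the service account they run as. The organization ID, project, network, service-account names and ports are assumed placeholders; the two source ranges are Google's published ranges for external HTTP(S) load balancer proxies and health checks. By default (DRY_RUN=1) the script prints the commands instead of executing them, so the rule set can be reviewed before it is applied.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Builds the deny-at-the-top,
# allow-at-the-VM pattern with gcloud. Every ID, project, network and service
# account below is a placeholder assumption; replace them before running.
set -eu

ORG_ID="${ORG_ID:-123456789012}"            # assumed organization ID
PROJECT="${PROJECT:-my-prod-project}"       # assumed project ID
NETWORK="${NETWORK:-prod-vpc}"              # assumed VPC network name
WEB_SA="web-frontend@${PROJECT}.iam.gserviceaccount.com"  # assumed SA names
APP_SA="app-backend@${PROJECT}.iam.gserviceaccount.com"
# Google's published source ranges for external HTTP(S) LB proxies/health checks.
LB_RANGES="130.211.0.0/22,35.191.0.0/16"
# Default is dry-run: commands are printed, not executed. DRY_RUN=0 runs them.
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: hierarchical firewall policy at the org level carrying only DENY rules.
# Org policies are evaluated before folder policies and before any VPC rule, so
# nothing a project owner adds later can re-open these ports.
org_deny_policy() {
  run gcloud compute firewall-policies create \
    --organization="$ORG_ID" --short-name=org-baseline-deny \
    --description="Org-wide baseline denies"
  # Deny cleartext admin protocols (telnet, ftp) from anywhere.
  run gcloud compute firewall-policies rules create 1000 \
    --organization="$ORG_ID" --firewall-policy=org-baseline-deny \
    --direction=INGRESS --action=deny \
    --layer4-configs=tcp:23,tcp:21 --src-ip-ranges=0.0.0.0/0 \
    --description="No telnet or ftp inbound anywhere in the org"
  # Attach the policy to the organization. To scope it to a folder instead,
  # give --folder=FOLDER_ID as the association target.
  run gcloud compute firewall-policies associations create \
    --organization="$ORG_ID" --firewall-policy=org-baseline-deny
}

# Step 2: ALLOW rules in the VPC, targeted by the service account each VM runs
# as. No network tags; a CIDR only where the peer has no identity (Google's LB).
vm_allow_rules() {
  # Let the external HTTP(S) LB proxies and health checkers reach the web tier.
  run gcloud compute firewall-rules create allow-lb-to-web \
    --project="$PROJECT" --network="$NETWORK" \
    --direction=INGRESS --action=ALLOW --rules=tcp:443 \
    --source-ranges="$LB_RANGES" \
    --target-service-accounts="$WEB_SA" \
    --priority=1000 --enable-logging
  # Web tier to app tier, identity to identity: a VM gets this access by
  # running as WEB_SA, not by sitting in a subnet or carrying a tag.
  run gcloud compute firewall-rules create allow-web-to-app \
    --project="$PROJECT" --network="$NETWORK" \
    --direction=INGRESS --action=ALLOW --rules=tcp:8080 \
    --source-service-accounts="$WEB_SA" \
    --target-service-accounts="$APP_SA" \
    --priority=1000 --enable-logging
}

# Check: list the VPC rules that target a given service account, so the
# exposure of one identity can be reviewed in a single view.
rules_for_sa() {
  run gcloud compute firewall-rules list --project="$PROJECT" \
    --filter="targetServiceAccounts:$1" \
    --format="table(name,direction,priority,sourceRanges.list(),sourceServiceAccounts.list())"
}

main() {
  org_deny_policy
  vm_allow_rules
  rules_for_sa "$APP_SA"
}

main
```

Run it once as-is to read the generated commands, then `DRY_RUN=0 ./firewall.sh` with real IDs. Because `allow-web-to-app` uses `--source-service-accounts`, a compromised VM in the same subnet that is not running as the web-frontend account cannot reach port 8080 on the app tier, which is the property a tag- or CIDR-based rule does not give you.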