Native GCP Firewall and Firewall Rules
Firewalls in GCP vs AWS
Defined at the VPC Level but applied at Subnet and Instance Level (the VPC serves as a distributed firewall)
One of the benefits of Google's SDN is that the rules can be defined at the highest networking element level (the VPC), but applied granularly at lower levels.
A rule is always defined at a VPC level (applied to the network as a whole), but can be applied to traffic between Subnets (subnet level), traffic between instances (instance level) and also PaaS services (these rules are managed within the service - e.g. App Engine).
Basically, connections are ALLOWED or DENIED at the instance level.
Implicit FW on a VM - Egress is allowed and Ingress is DENIED
Firewall Rules are Stateful (Only need to be defined one way)
Firewall Rules via 2 examples - VM to VM Single REGION
- DENY all inbound TCP traffic to instances tagged with dbserver:

gcloud compute firewall-rules create deny-instances-dbserver-access \
    --network MY_NETWORK_NAME \
    --action deny \
    --direction ingress \
    --rules tcp \
    --source-ranges 0.0.0.0/0 \
    --priority 1000 \
    --target-tags dbserver
- ALLOW all IPs in a subnet, e.g. subnetA (10.240.12.0/24), to access TCP port 80 on instances tagged with WEB:

gcloud compute firewall-rules create instance-allow-ingress-tcp-port80-from-subnetA \
    --network MY_NETWORK_NAME \
    --action allow \
    --direction ingress \
    --rules tcp:80 \
    --source-ranges 10.240.12.0/24 \
    --priority 50 \
    --target-tags WEB
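The evaluation order these two rules rely on (rules match per instance by target tag, the lowest priority number wins, a deny beats an allow at equal priority, and the implied rules sit underneath everything at priority 65535) is easy to get wrong when reading commands alone. The following is an added illustrative evaluator written for this post, not GCP code and not the author's; the Rule model, parse_rules and evaluate are my own names, and the two rules it loads are the ones created by the gcloud commands above. It also handles the case the commands do not spell out: an instance that carries both tags.

```python
import ipaddress
from dataclasses import dataclass, field


# Constructed model of a VPC firewall rule using only the fields the page's
# gcloud commands set (--action, --direction, --rules, --source-ranges,
# --priority, --target-tags). Illustrative code, not GCP's own implementation.
@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "deny"
    direction: str                  # "ingress" or "egress"
    protocols: dict                 # {"tcp": {80}}; an empty port set means every port
    priority: int = 1000            # lower number = evaluated first
    ranges: list = field(default_factory=list)      # source ranges for ingress; [] = any
    target_tags: set = field(default_factory=set)   # empty = applies to every instance


def parse_rules(spec):
    """Parse a --rules / --allow value such as 'tcp:80', 'tcp:3306,icmp' or 'tcp'."""
    protocols = {}
    for item in spec.split(","):
        proto, _, ports = item.partition(":")
        protocols.setdefault(proto, set())
        if ports:
            lo, _, hi = ports.partition("-")
            protocols[proto].update(range(int(lo), int(hi or lo) + 1))
    return protocols


# The implied rules every VPC network carries: egress allowed, ingress denied.
IMPLIED_RULES = [
    Rule("implied-deny-ingress", "deny", "ingress", {"all": set()}, 65535),
    Rule("implied-allow-egress", "allow", "egress", {"all": set()}, 65535),
]


def matches(rule, instance_tags, direction, peer_ip, proto, port):
    """True if the rule applies to this instance and this packet."""
    if rule.direction != direction:
        return False
    if rule.target_tags and not (rule.target_tags & instance_tags):
        return False
    if rule.ranges and not any(ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r)
                               for r in rule.ranges):
        return False
    if "all" in rule.protocols:
        return True
    ports = rule.protocols.get(proto)
    if ports is None:
        return False
    return not ports or port in ports


def evaluate(rules, instance_tags, direction, peer_ip, proto, port=None):
    """Return (action, rule_name) for the first packet of a new connection.

    Because the rules are stateful, only the initiating direction is evaluated;
    reply traffic of an allowed connection is admitted without a matching rule.
    """
    candidates = [r for r in list(rules) + IMPLIED_RULES
                  if matches(r, set(instance_tags), direction, peer_ip, proto, port)]
    # lowest priority number first; at equal priority deny sorts before allow
    candidates.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    best = candidates[0]
    return best.action, best.name


# The two rules created by the gcloud commands above.
PAGE_RULES = [
    Rule("deny-instances-dbserver-access", "deny", "ingress", parse_rules("tcp"),
         1000, ["0.0.0.0/0"], {"dbserver"}),
    Rule("instance-allow-ingress-tcp-port80-from-subnetA", "allow", "ingress",
         parse_rules("tcp:80"), 50, ["10.240.12.0/24"], {"WEB"}),
]

if __name__ == "__main__":
    checks = [
        ({"dbserver"}, "ingress", "10.240.12.5", "tcp", 3306),
        ({"WEB"}, "ingress", "10.240.12.5", "tcp", 80),
        ({"WEB"}, "ingress", "10.240.13.5", "tcp", 80),       # other subnet
        ({"WEB", "dbserver"}, "ingress", "10.240.12.5", "tcp", 80),
        ({"WEB", "dbserver"}, "ingress", "10.240.12.5", "tcp", 443),
        (set(), "egress", "8.8.8.8", "tcp", 443),
    ]
    for tags, direction, ip, proto, port in checks:
        result = evaluate(PAGE_RULES, tags, direction, ip, proto, port)
        print(sorted(tags), direction, ip, f"{proto}/{port}", "->", result)
```

The instance tagged both WEB and dbserver is the instructive case: port 80 from subnetA is allowed because priority 50 is evaluated before the priority 1000 deny, while every other TCP port is still blocked by the dbserver rule, and anything the rules do not mention falls through to the implied ingress deny.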
Firewall Rules - Examples - VM to VM Across REGIONS
Say you have two VPCs - one in Europe and one in North America - both belonging to the same GCP Project. VM in Region 1 (USA) to VM in region 2 (
gcloud compute firewall-rules create allow-ssh-europe --network europe --allow tcp:22 --source-ranges 0.0.0.0/0
gcloud compute firewall-rules create allow-europe-usa --network europe --allow tcp:3306,icmp --source-ranges 10.8.0.0/24
gcloud compute firewall-rules create allow-usa-europe --network usa --allow tcp:3306,icmp --source-ranges 10.0.0.0/24
Firewall Logging
A quick way to validate that your GCP firewall rules are working correctly.
Logs need to be enabled for new and existing rules
Logs are ingested into Stackdriver and can be exported using a Pub/Sub and BigQuery pipeline.
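Once the logs are flowing, validating the rules means checking that each rule's hits are the ones you expect. The script below is an added example for this post (not the author's tooling and not a Google library): it reads firewall log records, one JSON object per line as a Pub/Sub or BigQuery export would deliver them, and summarises hits per rule, denied sources, and any ALLOWED connection a rule was not meant to admit. The field names (jsonPayload.connection, disposition, rule_details.reference, instance.vm_name) follow the firewall log schema as I understand it and are an assumption; every record, address and the rule name legacy-allow-all are constructed for the example.

```python
import json
from collections import Counter

PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def _record(disposition, src, dst, port, proto, rule, priority, vm):
    """Build one constructed log line in the shape of a VPC firewall log record."""
    return json.dumps({"jsonPayload": {
        "disposition": disposition,
        "connection": {"src_ip": src, "src_port": 40001, "dest_ip": dst,
                       "dest_port": port, "protocol": proto},
        "rule_details": {"reference": f"network:MY_NETWORK_NAME/firewall:{rule}",
                         "priority": priority,
                         "action": "ALLOW" if disposition == "ALLOWED" else "DENY",
                         "direction": "INGRESS"},
        "instance": {"vm_name": vm},
    }})


# Constructed sample export: values are made up, the shape is the assumption above.
SAMPLE_LOG_LINES = [
    _record("ALLOWED", "10.240.12.5", "10.240.12.20", 80, 6,
            "instance-allow-ingress-tcp-port80-from-subnetA", 50, "web-1"),
    _record("ALLOWED", "10.240.12.6", "10.240.12.20", 80, 6,
            "instance-allow-ingress-tcp-port80-from-subnetA", 50, "web-1"),
    _record("DENIED", "203.0.113.7", "10.240.12.30", 3306, 6,
            "deny-instances-dbserver-access", 1000, "db-1"),
    _record("DENIED", "203.0.113.7", "10.240.12.30", 22, 6,
            "deny-instances-dbserver-access", 1000, "db-1"),
    _record("DENIED", "198.51.100.9", "10.240.12.30", 3306, 6,
            "deny-instances-dbserver-access", 1000, "db-1"),
    # a hypothetical leftover rule admitting traffic the design never intended
    _record("ALLOWED", "203.0.113.7", "10.240.12.20", 443, 6,
            "legacy-allow-all", 900, "web-1"),
]

# What each rule is supposed to admit, keyed by rule name; used to flag surprises.
EXPECTED_ALLOWS = {"instance-allow-ingress-tcp-port80-from-subnetA": {"tcp/80"}}


def parse_firewall_log(lines):
    """Flatten one JSON record per line into the handful of fields a review needs."""
    entries = []
    for line in lines:
        payload = json.loads(line)["jsonPayload"]
        conn, rule = payload["connection"], payload["rule_details"]
        entries.append({
            "disposition": payload["disposition"],
            "src_ip": conn["src_ip"],
            "dest_ip": conn["dest_ip"],
            "service": f'{PROTOCOL_NAMES.get(conn["protocol"], conn["protocol"])}/{conn.get("dest_port")}',
            "rule": rule["reference"].rsplit("firewall:", 1)[-1],
            "priority": rule["priority"],
            "vm": payload["instance"]["vm_name"],
        })
    return entries


def hits_per_rule(entries):
    """Count (rule, disposition, protocol/port) so each rule's real effect is visible."""
    return Counter((e["rule"], e["disposition"], e["service"]) for e in entries)


def denied_sources(entries, top=5):
    """Most frequently denied source addresses."""
    return Counter(e["src_ip"] for e in entries if e["disposition"] == "DENIED").most_common(top)


def unexpected_allows(entries, expected):
    """ALLOWED entries whose rule/service pair is not in the expected map."""
    return [e for e in entries
            if e["disposition"] == "ALLOWED" and e["service"] not in expected.get(e["rule"], set())]


if __name__ == "__main__":
    entries = parse_firewall_log(SAMPLE_LOG_LINES)
    for key, count in sorted(hits_per_rule(entries).items()):
        print(count, *key)
    print("denied sources:", denied_sources(entries))
    for e in unexpected_allows(entries, EXPECTED_ALLOWS):
        print("UNEXPECTED ALLOW:", e["rule"], e["src_ip"], "->", e["dest_ip"], e["service"])
```

Two caveats when reading the output: a rule only produces records once logging has been enabled on it (gcloud compute firewall-rules create or update with --enable-logging), and the implied deny-ingress and allow-egress rules cannot be logged at all, so a connection that never appears in the logs may simply have hit the implied deny rather than a rule you wrote.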
Need an experienced AWS/GCP/Azure Professional to help out with your Public Cloud Strategy? Set up a time with Anuj Varma.