Firewalls in GCP vs AWS

AWS Security Groups hold only ALLOW rules; for DENY rules you have to go to NACLs.
GCP firewall rules are full-blown rules - allow and deny - just like on any firewall appliance.
With AWS, one has to switch between NACLs and Security Groups to build a complete set of ALLOW and DENY rules.

Defined at the VPC level but applied at the subnet and instance level (the VPC serves as a distributed firewall)

One of the benefits of Google's SDN is that the rules can be defined at the highest networking element level (the VPC), but applied granularly at lower levels.

A rule is always defined at a VPC level (applied to the network as a whole), but can be applied to traffic between Subnets (subnet level), traffic between instances (instance level) and also PaaS services (these rules are managed within the service - e.g. App Engine).

Basically, connections are ALLOWED or DENIED at the instance level.

Implied firewall rules on every VM - egress is ALLOWED and ingress is DENIED, unless a rule you create says otherwise

Firewall rules are stateful (a rule only needs to be defined in one direction; the return traffic of an allowed connection is permitted automatically)

Firewall Rules via 2 examples - VM to VM Single REGION

  1. DENY all inbound TCP traffic to instances tagged with dbserver
    gcloud compute firewall-rules create deny-instances-dbserver-access \
        --network MY_NETWORK_NAME \
        --action deny \
        --direction ingress \
        --rules tcp \
        --source-ranges 0.0.0.0/0 \
        --priority 1000 \
        --target-tags dbserver

  2. ALLOW all IPs in a subnet, e.g. subnetA (10.240.12.0/24), to access TCP port 80 on instances tagged WEB. Priority 50 is evaluated before the priority-1000 deny in example 1 (the lower number wins).
    gcloud compute firewall-rules create instance-allow-ingress-tcp-port80-from-subnetA \
        --network MY_NETWORK_NAME \
        --action allow \
        --direction ingress \
        --rules tcp:80 \
        --source-ranges 10.240.12.0/24 \
        --priority 50 \
        --target-tags WEB
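To see how the two rules above interact with the priority order and the implied ingress deny, here is an added Python model of GCP's ingress evaluation (example code, not part of the original post and not gcloud's own logic). It assumes ingress-only rules targeted by network tags and leaves out egress, service-account targets and the network-wide default.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    action: str          # "allow" or "deny" (--action)
    priority: int        # 0-65535; the lowest number is evaluated first (--priority)
    source_ranges: list  # CIDR strings (--source-ranges)
    protocols: list      # --rules entries: "tcp", "tcp:80", "tcp:8000-8080", "icmp"
    target_tags: list = field(default_factory=list)  # --target-tags; empty = all instances

    def matches(self, src_ip, proto, port, instance_tags):
        # Target tags restrict the rule to instances carrying one of them.
        if self.target_tags and not set(self.target_tags) & set(instance_tags):
            return False
        # The packet's source address must fall inside one of the source ranges.
        if not any(ip_address(src_ip) in ip_network(cidr) for cidr in self.source_ranges):
            return False
        # Protocol, optionally restricted to a single port or a port range.
        for spec in self.protocols:
            name, _, ports = spec.partition(":")
            if name not in ("all", proto):
                continue
            lo, _, hi = ports.partition("-")
            if not ports or int(lo) <= port <= int(hi or lo):
                return True
        return False

def evaluate_ingress(rules, src_ip, proto, port, instance_tags):
    """Return (action, rule name) for one inbound packet: rules are tried from the
    lowest priority number upwards, a deny beats an allow at equal priority, and
    a packet that no rule matches hits the implied ingress deny."""
    for rule in sorted(rules, key=lambda r: (r.priority, r.action != "deny")):
        if rule.matches(src_ip, proto, port, instance_tags):
            return rule.action, rule.name
    return "deny", "implied-deny-ingress"

# The two rules created by the gcloud commands above, transcribed into the model.
PAGE_RULES = [
    Rule("deny-instances-dbserver-access", "deny", 1000, ["0.0.0.0/0"], ["tcp"], ["dbserver"]),
    Rule("instance-allow-ingress-tcp-port80-from-subnetA", "allow", 50,
         ["10.240.12.0/24"], ["tcp:80"], ["WEB"]),
]

if __name__ == "__main__":
    # Port 80 from subnetA to an instance tagged both WEB and dbserver is allowed (50 beats 1000).
    print(evaluate_ingress(PAGE_RULES, "10.240.12.7", "tcp", 80, ["WEB", "dbserver"]))
    print(evaluate_ingress(PAGE_RULES, "192.0.2.10", "tcp", 80, ["WEB"]))  # implied deny
```

Port 80 from outside subnetA is not denied by example 1 (the instance carries no dbserver tag) but still falls through to the implied ingress deny.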

Firewall Rules - Examples - VM to VM Across REGIONS

Say you have two VPCs - one in Europe and one in North America - both belonging to the same GCP Project. VM in Region 1 (USA) to VM in region 2 (

gcloud compute firewall-rules create allow-ssh-europe --network europe --allow tcp:22 --source-ranges 0.0.0.0/0

gcloud compute firewall-rules create allow-europe-usa --network europe --allow tcp:3306,icmp --source-ranges 10.8.0.0/24

gcloud compute firewall-rules create allow-usa-europe --network usa --allow tcp:3306,icmp --source-ranges 10.0.0.0/24

Firewall Logging

A quick way to validate that your GCP firewall rules are working correctly.

Logging has to be enabled on each rule, for new and existing rules alike.

Logs are ingested into Stackdriver and can be exported using a Pub/Sub and BigQuery pipeline.

Need an experienced AWS/GCP/Azure Professional to help out with your Public Cloud Strategy? Set up a time with Anuj Varma.