Bird
Raised Fist0
GCPcloud~5 mins

Firewall rule components (target, source, protocol) in GCP - Commands & Configuration

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
Firewall rules control network traffic to and from your cloud resources. They use targets, sources, and protocols to decide what traffic is allowed or blocked.
When you want to allow web traffic only from specific IP addresses to your virtual machines.
When you need to block all incoming traffic except from your office network.
When you want to allow only SSH connections to your servers from trusted sources.
When you want to restrict traffic to a specific protocol like TCP or UDP.
When you want to apply rules only to certain virtual machine instances.
Config File - firewall-rule.yaml
firewall-rule.yaml
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewall
metadata:
  name: allow-ssh-from-office
spec:
  networkRef:
    name: default
  direction: INGRESS
  priority: 1000
  targetTags:
  - ssh-allowed
  sourceRanges:
  - 203.0.113.0/24
  allowed:
  - IPProtocol: tcp
    ports:
    - "22"

This YAML file defines a firewall rule in GCP.

  • networkRef: Specifies the network where the rule applies.
  • direction: INGRESS means incoming traffic.
  • priority: Determines rule order; lower number means higher priority.
  • targetTags: Applies the rule only to VMs with this tag.
  • sourceRanges: Allows traffic only from this IP range.
  • allowed: Specifies allowed protocols and ports, here TCP port 22 for SSH.
Commands
This command creates a firewall rule named 'allow-ssh-from-office' that allows incoming TCP traffic on port 22 (SSH) only from the IP range 203.0.113.0/24 to virtual machines tagged with 'ssh-allowed'.
Terminal
gcloud compute firewall-rules create allow-ssh-from-office --network=default --direction=INGRESS --priority=1000 --target-tags=ssh-allowed --source-ranges=203.0.113.0/24 --allow=tcp:22
Expected OutputExpected
Creating firewall rule...\nCreated [https://www.googleapis.com/compute/v1/projects/my-project/global/firewalls/allow-ssh-from-office].
--network - Specifies the network where the rule applies.
--source-ranges - Defines the allowed source IP address range.
--target-tags - Applies the rule only to VMs with this tag.
This command lists the firewall rule to verify it was created correctly.
Terminal
gcloud compute firewall-rules list --filter=name=allow-ssh-from-office
Expected OutputExpected
NAME NETWORK DIRECTION PRIORITY ALLOW DENY DISABLED\nallow-ssh-from-office default INGRESS 1000 tcp:22 False
--filter - Filters the list to show only the rule with the specified name.
This command adds the 'ssh-allowed' tag to the VM named 'my-vm' so the firewall rule applies to it.
Terminal
gcloud compute instances add-tags my-vm --tags=ssh-allowed
Expected OutputExpected
Updated [https://www.googleapis.com/compute/v1/projects/my-project/zones/us-central1-a/instances/my-vm].
--tags - Specifies the tags to add to the VM.
This command shows detailed information about the firewall rule, including targets, sources, and protocols.
Terminal
gcloud compute firewall-rules describe allow-ssh-from-office
Expected OutputExpected
allowed: - IPProtocol: tcp ports: - '22' creationTimestamp: '2024-06-01T12:00:00.000-07:00' direction: INGRESS name: allow-ssh-from-office network: https://www.googleapis.com/compute/v1/projects/my-project/global/networks/default priority: 1000 sourceRanges: - 203.0.113.0/24 targetTags: - ssh-allowed
Key Concept

If you remember nothing else from this pattern, remember: firewall rules use targets to specify which machines they affect, sources to specify where traffic comes from, and protocols to specify what kind of traffic is allowed or blocked.

Common Mistakes
Not adding the correct target tags to the virtual machines.
The firewall rule won't apply to any VM if the target tags don't match, so traffic will be blocked or allowed incorrectly.
Always add the exact target tags specified in the firewall rule to the VMs you want the rule to affect.
Using the wrong source IP range or forgetting to specify it.
Traffic from unexpected sources may be allowed or blocked, causing security risks or connectivity issues.
Specify accurate source IP ranges that match the trusted networks or addresses.
Allowing all protocols or ports unintentionally.
This can expose your resources to unnecessary risks by opening more access than needed.
Specify only the required protocols and ports in the firewall rule.
Summary
Create firewall rules with specific targets, sources, and protocols to control traffic.
Use gcloud commands to create, list, describe firewall rules and manage VM tags.
Verify rules apply correctly by matching VM tags and source IP ranges.

Practice

(1/5)
1. What does the source component specify in a GCP firewall rule?
easy
A. The type of communication protocol allowed
B. The machines that the rule applies to
C. The IP addresses or ranges where traffic originates
D. The priority of the firewall rule

Solution

  1. Step 1: Understand the role of source in firewall rules

    The source defines where the incoming traffic comes from, such as specific IP addresses or ranges.

  2. Step 2: Differentiate source from target and protocol

    The target specifies which machines are affected, and protocol defines the communication type, so source is about origin.

  3. Final Answer:

    The IP addresses or ranges where traffic originates -> Option C

  4. Quick Check:

    Source = traffic origin [OK]
Hint: Source means where traffic comes from [OK]
Common Mistakes:
  • Confusing source with target machines
  • Mixing source with protocol type
  • Thinking source is about rule priority
2. Which of the following is the correct way to specify a protocol in a GCP firewall rule?
easy
A. "tcp"
B. tcp
C. protocol: tcp
D. "protocol:tcp"

Solution

  1. Step 1: Review GCP firewall rule syntax for protocol

    Protocols are specified as strings, so they must be enclosed in quotes like "tcp" or "udp".

  2. Step 2: Identify correct syntax among options

    "tcp" uses quotes correctly. tcp lacks quotes, protocol: tcp and "protocol:tcp" include extra text or wrong format.

  3. Final Answer:

    "tcp" -> Option A

  4. Quick Check:

    Protocol strings need quotes [OK]
Hint: Protocol names must be in quotes [OK]
Common Mistakes:
  • Omitting quotes around protocol
  • Adding extra text inside protocol string
  • Using incorrect syntax like key:value inside quotes
3. Given this firewall rule snippet:
{"sourceRanges": ["192.168.1.0/24"], "targetTags": ["web-server"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]}

Which machines will this rule apply to?
medium
A. Machines tagged with "web-server"
B. All machines in the network
C. Machines with IP in 192.168.1.0/24
D. Machines allowing TCP on port 80

Solution

  1. Step 1: Identify the target component in the rule

    The rule uses "targetTags": ["web-server"], meaning it applies only to machines tagged "web-server".

  2. Step 2: Understand sourceRanges and allowed fields

    SourceRanges limits traffic origin; allowed defines protocol and ports. TargetTags define which machines are affected.

  3. Final Answer:

    Machines tagged with "web-server" -> Option A

  4. Quick Check:

    TargetTags = affected machines [OK]
Hint: TargetTags specify affected machines [OK]
Common Mistakes:
  • Confusing sourceRanges with target machines
  • Thinking sourceRanges limits target machines
  • Assuming all machines are affected
4. You wrote this firewall rule:
{"sourceRanges": ["10.0.0.0/16"], "targetTags": ["db-server"], "allowed": [{"IPProtocol": tcp, "ports": ["5432"]}]}

Why does this rule fail to deploy?
medium
A. Incorrect sourceRanges format
B. Ports must be numbers, not strings
C. targetTags must be IP addresses
D. Missing quotes around protocol name "tcp"

Solution

  1. Step 1: Check the protocol field syntax

    The protocol name "tcp" must be a string enclosed in quotes. Here, tcp is unquoted, causing syntax error.

  2. Step 2: Verify other fields

    sourceRanges format is correct, targetTags accept tags, ports can be strings representing port numbers.

  3. Final Answer:

    Missing quotes around protocol name "tcp" -> Option D

  4. Quick Check:

    Protocol names need quotes [OK]
Hint: Always quote protocol names like "tcp" [OK]
Common Mistakes:
  • Leaving protocol unquoted
  • Confusing tags with IP addresses
  • Using numeric ports without quotes (allowed but inconsistent)
5. You want to allow HTTP traffic only from the IP range 203.0.113.0/24 to all VMs tagged "frontend" using TCP port 80. Which firewall rule configuration is correct?
hard
A. {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp"}]}
B. {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]}
C. {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["backend"], "allowed": [{"IPProtocol": "udp", "ports": ["80"]}]}
D. {"sourceRanges": ["0.0.0.0/0"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": [80]}]}

Solution

  1. Step 1: Match sourceRanges to the required IP range

    The correct sourceRanges ["203.0.113.0/24"] matches the requirement, eliminating configurations using ["0.0.0.0/0"].

  2. Step 2: Check targetTags and allowed protocol/ports

    {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]} targets "frontend" and allows TCP on port "80" as strings, which is correct. {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp"}]} lacks ports, so incomplete.

  3. Step 3: Verify other options

    {"sourceRanges": ["0.0.0.0/0"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": [80]}]} allows all IPs (0.0.0.0/0), not restricted. {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["backend"], "allowed": [{"IPProtocol": "udp", "ports": ["80"]}]} targets "backend" and uses UDP, both incorrect.

  4. Final Answer:

    {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]} -> Option B

  5. Quick Check:

    Correct source, target, protocol, and port [OK]
Hint: Match source, target tag, protocol, and port exactly [OK]
Common Mistakes:
  • Using wrong IP range or all IPs
  • Targeting wrong VM tags
  • Missing ports in allowed protocols
  • Using wrong protocol like UDP for HTTP