GCPcloud~5 mins

Firewall rule components (target, source, protocol) in GCP - Commands & Configuration

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Time

Introduction

Firewall rules control network traffic to and from your cloud resources. They use targets, sources, and protocols to decide what traffic is allowed or blocked.

When you want to allow web traffic only from specific IP addresses to your virtual machines.

When you need to block all incoming traffic except from your office network.

When you want to allow only SSH connections to your servers from trusted sources.

When you want to restrict traffic to a specific protocol like TCP or UDP.

When you want to apply rules only to certain virtual machine instances.

Config File - firewall-rule.yaml

firewall-rule.yaml

apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewall
metadata:
  name: allow-ssh-from-office
spec:
  networkRef:
    name: default
  direction: INGRESS
  priority: 1000
  targetTags:
  - ssh-allowed
  sourceRanges:
  - 203.0.113.0/24
  allowed:
  - IPProtocol: tcp
    ports:
    - "22"

This YAML file defines a firewall rule in GCP.

networkRef: Specifies the network where the rule applies.
direction: INGRESS means incoming traffic.
priority: Determines rule order; lower number means higher priority.
targetTags: Applies the rule only to VMs with this tag.
sourceRanges: Allows traffic only from this IP range.
allowed: Specifies allowed protocols and ports, here TCP port 22 for SSH.

Commands

This command creates a firewall rule named 'allow-ssh-from-office' that allows incoming TCP traffic on port 22 (SSH) only from the IP range 203.0.113.0/24 to virtual machines tagged with 'ssh-allowed'.

Terminal

gcloud compute firewall-rules create allow-ssh-from-office --network=default --direction=INGRESS --priority=1000 --target-tags=ssh-allowed --source-ranges=203.0.113.0/24 --allow=tcp:22

Expected OutputExpected

Creating firewall rule...\nCreated [https://www.googleapis.com/compute/v1/projects/my-project/global/firewalls/allow-ssh-from-office].

→

--network - Specifies the network where the rule applies.

→

--source-ranges - Defines the allowed source IP address range.

→

--target-tags - Applies the rule only to VMs with this tag.

This command lists the firewall rule to verify it was created correctly.

Terminal

gcloud compute firewall-rules list --filter=name=allow-ssh-from-office

Expected OutputExpected

NAME NETWORK DIRECTION PRIORITY ALLOW DENY DISABLED\nallow-ssh-from-office default INGRESS 1000 tcp:22 False

→

--filter - Filters the list to show only the rule with the specified name.

This command adds the 'ssh-allowed' tag to the VM named 'my-vm' so the firewall rule applies to it.

Terminal

gcloud compute instances add-tags my-vm --tags=ssh-allowed

Expected OutputExpected

Updated [https://www.googleapis.com/compute/v1/projects/my-project/zones/us-central1-a/instances/my-vm].

→

--tags - Specifies the tags to add to the VM.

This command shows detailed information about the firewall rule, including targets, sources, and protocols.

Terminal

gcloud compute firewall-rules describe allow-ssh-from-office

Expected OutputExpected

allowed: - IPProtocol: tcp ports: - '22' creationTimestamp: '2024-06-01T12:00:00.000-07:00' direction: INGRESS name: allow-ssh-from-office network: https://www.googleapis.com/compute/v1/projects/my-project/global/networks/default priority: 1000 sourceRanges: - 203.0.113.0/24 targetTags: - ssh-allowed

Key Concept

If you remember nothing else from this pattern, remember: firewall rules use targets to specify which machines they affect, sources to specify where traffic comes from, and protocols to specify what kind of traffic is allowed or blocked.

Common Mistakes

Not adding the correct target tags to the virtual machines.

The firewall rule won't apply to any VM if the target tags don't match, so traffic will be blocked or allowed incorrectly.

Always add the exact target tags specified in the firewall rule to the VMs you want the rule to affect.

Using the wrong source IP range or forgetting to specify it.

Traffic from unexpected sources may be allowed or blocked, causing security risks or connectivity issues.

Specify accurate source IP ranges that match the trusted networks or addresses.

Allowing all protocols or ports unintentionally.

This can expose your resources to unnecessary risks by opening more access than needed.

Specify only the required protocols and ports in the firewall rule.

Summary

Create firewall rules with specific targets, sources, and protocols to control traffic.

Use gcloud commands to create, list, describe firewall rules and manage VM tags.

Verify rules apply correctly by matching VM tags and source IP ranges.