
Firewall rule components (target, source, protocol) in GCP - Step-by-Step Execution

Process Flow - Firewall rule components (target, source, protocol)
Start: Define Firewall Rule
Set Target: Which VMs to protect
Set Source: Where traffic comes from
Set Protocol: What traffic type
Apply Rule: Allow or Deny traffic
Traffic checked against rule
Allow or Block traffic based on rule
This flow shows how a firewall rule is created by choosing targets, sources, and protocols, then applied to control traffic.
Execution Sample
GCP
firewall_rule = {
  'target': 'vm-instance-1',
  'source': '0.0.0.0/0',
  'protocol': 'tcp'
}
Defines a firewall rule targeting one VM, allowing TCP traffic from anywhere.
Process Table
Step | Component | Value Set | Effect on Traffic | Notes
1 | Target | vm-instance-1 | Rule applies only to this VM | Limits scope to one VM
2 | Source | 0.0.0.0/0 | Traffic from any IP allowed | Open to all sources
3 | Protocol | tcp | Only TCP traffic affected | Other protocols ignored
4 | Apply Rule | Allow | TCP traffic from any IP to vm-instance-1 allowed | Rule active
5 | Traffic Check | Incoming TCP from 192.168.1.5 | Allowed | Matches source and protocol
6 | Traffic Check | Incoming UDP from 192.168.1.5 | Blocked | Protocol mismatch
7 | Traffic Check | Incoming TCP from 10.0.0.1 | Allowed | Source matches 0.0.0.0/0
8 | Traffic Check | Incoming TCP to vm-instance-2 | Blocked | Target mismatch
9 | End | - | - | No more traffic to check
💡 All traffic checked against rule; only TCP to vm-instance-1 from any source allowed
Status Tracker
Variable | Start | After Step 1 | After Step 2 | After Step 3 | Final
target | undefined | vm-instance-1 | vm-instance-1 | vm-instance-1 | vm-instance-1
source | undefined | undefined | 0.0.0.0/0 | 0.0.0.0/0 | 0.0.0.0/0
protocol | undefined | undefined | undefined | tcp | tcp
rule_applied | false | false | false | false | true
Key Moments - 3 Insights
Why does traffic to vm-instance-2 get blocked even if protocol and source match?
Because the target is set to vm-instance-1 only, traffic to vm-instance-2 does not match the target and is blocked (see execution_table row 8).
Why is UDP traffic blocked even if source and target match?
The protocol is set to TCP, so UDP traffic does not match the protocol condition and is blocked (see execution_table row 6).
What does source '0.0.0.0/0' mean in the rule?
It means traffic from any IP address is allowed, so source is not restricting traffic (see execution_table row 2).
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table at step 5, what happens to incoming TCP traffic from 192.168.1.5?
A. It is allowed
B. It is blocked due to source mismatch
C. It is blocked due to protocol mismatch
D. It is blocked due to target mismatch
💡 Hint
Check execution_table row 5 for traffic check results
At which step does the protocol get set to TCP?
A. Step 1
B. Step 3
C. Step 2
D. Step 4
💡 Hint
Look at execution_table row 3 where protocol is set
If the target was changed to 'vm-instance-2', what would happen to TCP traffic to vm-instance-1?
A. It would be blocked due to source mismatch
B. It would be allowed
C. It would be blocked due to target mismatch
D. It would be blocked due to protocol mismatch
💡 Hint
Refer to execution_table row 8 where target mismatch blocks traffic
Concept Snapshot
Firewall rules control traffic by specifying:
- Target: which VM(s) the rule applies to
- Source: where traffic comes from (IP ranges)
- Protocol: type of traffic (tcp, udp, icmp)
Traffic that matches all three components is allowed or denied according to the rule's action.
Rules are evaluated in priority order to control network access.
Full Transcript
A firewall rule in GCP is made by choosing a target VM or group, a source IP range, and a protocol like TCP. The rule then allows or blocks traffic that matches these settings. For example, if the target is vm-instance-1, source is 0.0.0.0/0 (any IP), and protocol is TCP, then only TCP traffic from any IP to vm-instance-1 is allowed. Traffic to other VMs or other protocols is blocked. This step-by-step flow helps understand how each component affects traffic filtering.

Practice

1. What does the source component specify in a GCP firewall rule?
easy
A. The type of communication protocol allowed
B. The machines that the rule applies to
C. The IP addresses or ranges where traffic originates
D. The priority of the firewall rule

Solution

  1. Step 1: Understand the role of source in firewall rules

    The source defines where the incoming traffic comes from, such as specific IP addresses or ranges.
  2. Step 2: Differentiate source from target and protocol

    The target specifies which machines are affected, and protocol defines the communication type, so source is about origin.
  3. Final Answer:

    The IP addresses or ranges where traffic originates -> Option C
  4. Quick Check:

    Source = traffic origin [OK]
Hint: Source means where traffic comes from [OK]
Common Mistakes:
  • Confusing source with target machines
  • Mixing source with protocol type
  • Thinking source is about rule priority
2. Which of the following is the correct way to specify a protocol in a GCP firewall rule?
easy
A. "tcp"
B. tcp
C. protocol: tcp
D. "protocol:tcp"

Solution

  1. Step 1: Review GCP firewall rule syntax for protocol

    Protocols are specified as strings, so they must be enclosed in quotes like "tcp" or "udp".
  2. Step 2: Identify correct syntax among options

    "tcp" uses quotes correctly; tcp lacks quotes, while protocol: tcp and "protocol:tcp" include extra text or use the wrong format.
  3. Final Answer:

    "tcp" -> Option A
  4. Quick Check:

    Protocol strings need quotes [OK]
Hint: Protocol names must be in quotes [OK]
Common Mistakes:
  • Omitting quotes around protocol
  • Adding extra text inside protocol string
  • Using incorrect syntax like key:value inside quotes
3. Given this firewall rule snippet:
{"sourceRanges": ["192.168.1.0/24"], "targetTags": ["web-server"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]}

Which machines will this rule apply to?
medium
A. Machines tagged with "web-server"
B. All machines in the network
C. Machines with IP in 192.168.1.0/24
D. Machines allowing TCP on port 80

Solution

  1. Step 1: Identify the target component in the rule

    The rule uses "targetTags": ["web-server"], meaning it applies only to machines tagged "web-server".
  2. Step 2: Understand sourceRanges and allowed fields

    SourceRanges limits traffic origin; allowed defines protocol and ports. TargetTags define which machines are affected.
  3. Final Answer:

    Machines tagged with "web-server" -> Option A
  4. Quick Check:

    TargetTags = affected machines [OK]
Hint: TargetTags specify affected machines [OK]
Common Mistakes:
  • Confusing sourceRanges with target machines
  • Thinking sourceRanges limits target machines
  • Assuming all machines are affected
4. You wrote this firewall rule:
{"sourceRanges": ["10.0.0.0/16"], "targetTags": ["db-server"], "allowed": [{"IPProtocol": tcp, "ports": ["5432"]}]}

Why does this rule fail to deploy?
medium
A. Incorrect sourceRanges format
B. Ports must be numbers, not strings
C. targetTags must be IP addresses
D. Missing quotes around protocol name "tcp"

Solution

  1. Step 1: Check the protocol field syntax

    The protocol name "tcp" must be a string enclosed in quotes. Here, tcp is unquoted, causing a syntax error.
  2. Step 2: Verify other fields

    The sourceRanges format is correct, targetTags accept tags, and ports can be strings representing port numbers.
  3. Final Answer:

    Missing quotes around protocol name "tcp" -> Option D
  4. Quick Check:

    Protocol names need quotes [OK]
Hint: Always quote protocol names like "tcp" [OK]
Common Mistakes:
  • Leaving protocol unquoted
  • Confusing tags with IP addresses
  • Using numeric ports without quotes (allowed but inconsistent)
5. You want to allow HTTP traffic only from the IP range 203.0.113.0/24 to all VMs tagged "frontend" using TCP port 80. Which firewall rule configuration is correct?
hard
A. {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp"}]}
B. {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]}
C. {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["backend"], "allowed": [{"IPProtocol": "udp", "ports": ["80"]}]}
D. {"sourceRanges": ["0.0.0.0/0"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": [80]}]}

Solution

  1. Step 1: Match sourceRanges to the required IP range

    The correct sourceRanges ["203.0.113.0/24"] matches the requirement, eliminating configurations using ["0.0.0.0/0"].
  2. Step 2: Check targetTags and allowed protocol/ports

    {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]} targets "frontend" and allows TCP on port "80" as strings, which is correct. {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp"}]} lacks ports, so incomplete.
  3. Step 3: Verify other options

    {"sourceRanges": ["0.0.0.0/0"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": [80]}]} allows all IPs (0.0.0.0/0), not restricted. {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["backend"], "allowed": [{"IPProtocol": "udp", "ports": ["80"]}]} targets "backend" and uses UDP, both incorrect.
  4. Final Answer:

    {"sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]} -> Option B
  5. Quick Check:

    Correct source, target, protocol, and port [OK]
Hint: Match source, target tag, protocol, and port exactly [OK]
Common Mistakes:
  • Using wrong IP range or all IPs
  • Targeting wrong VM tags
  • Missing ports in allowed protocols
  • Using wrong protocol like UDP for HTTP
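The Process Table's traffic checks and practice questions 3 to 5 all come down to the same test: a packet is affected only when source, target, and protocol/port all match. The following is an added example, not code from the page or from Google Cloud; it evaluates constructed rules written in the sourceRanges/targetTags/allowed shape the practice questions use, and goes one step beyond the page by applying GCP's priority ordering (lowest number wins) and the implied deny for unmatched ingress traffic. The rule names, the Packet class, and the sample addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed rules in the sourceRanges/targetTags/allowed shape of the practice
# questions, plus the priority field GCP evaluates them by. Not real config.
RULES = [
    {"name": "allow-http-frontend", "priority": 1000,
     "sourceRanges": ["203.0.113.0/24"], "targetTags": ["frontend"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "deny-one-source", "priority": 900,   # lower number = evaluated first
     "sourceRanges": ["203.0.113.7/32"], "targetTags": ["frontend"],
     "denied": [{"IPProtocol": "all"}]},
]

@dataclass
class Packet:          # hypothetical packet model for the example
    src_ip: str
    dst_tags: set      # network tags on the destination VM
    protocol: str      # "tcp", "udp", "icmp", ...
    dst_port: int = 0  # 0 = no port (e.g. icmp)

def spec_matches(spec: dict, pkt: Packet) -> bool:
    """One allowed/denied entry: protocol must match, then port if ports are listed."""
    proto = spec["IPProtocol"].lower()
    if proto != "all" and proto != pkt.protocol.lower():
        return False
    ports = spec.get("ports")
    if not ports:                       # no ports listed -> all ports of that protocol
        return True
    for p in ports:                     # GCP port strings: "80" or a range "8000-8080"
        lo, _, hi = p.partition("-")
        if int(lo) <= pkt.dst_port <= int(hi or lo):
            return True
    return False

def rule_matches(rule: dict, pkt: Packet) -> bool:
    """Source, target and protocol/port must all match, as in the Process Table."""
    src = ipaddress.ip_address(pkt.src_ip)
    in_source = any(src in ipaddress.ip_network(r) for r in rule["sourceRanges"])
    tags = set(rule.get("targetTags", []))
    on_target = not tags or bool(tags & pkt.dst_tags)  # no targetTags -> every VM
    specs = rule.get("allowed") or rule.get("denied") or []
    return in_source and on_target and any(spec_matches(s, pkt) for s in specs)

def evaluate(rules: list, pkt: Packet) -> str:
    """Lowest priority number that matches decides; nothing matches -> implied deny."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule_matches(rule, pkt):
            return "ALLOW" if "allowed" in rule else "DENY"
    return "DENY"
```

Run `evaluate(RULES, Packet("203.0.113.10", {"frontend"}, "udp", 80))` to reproduce the protocol-mismatch block from Process Table row 6, or swap the tag for "backend" to reproduce the target-mismatch block from row 8.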