Firewall rules concept in GCP - Commands & Configuration

Introduction
Firewall rules control which network traffic can reach your virtual machines in the cloud. They help protect your resources by allowing or blocking connections based on simple conditions like IP addresses and ports.
  • When you want to allow web traffic to your app server on port 80 or 443.
  • When you need to block all incoming traffic except from your office IP address.
  • When you want to allow SSH access only from specific trusted IPs.
  • When you want to restrict database access to only your app servers.
  • When you want to log and monitor suspicious network traffic.
Config File - firewall-rule.yaml
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewall
metadata:
  name: allow-http
spec:
  networkRef:
    name: default
  direction: INGRESS
  priority: 1000
  allowed:
  - IPProtocol: tcp
    ports:
    - "80"
  sourceRanges:
  - 0.0.0.0/0
  targetTags:
  - http-server
  description: "Allow incoming HTTP traffic on port 80 from anywhere"

This YAML file defines a firewall rule named allow-http that allows incoming TCP traffic on port 80 (HTTP) from any IP address. It applies to virtual machines tagged with http-server in the default network. The priority sets the rule's evaluation order, and direction: INGRESS means it controls incoming traffic.

Commands
This command creates a firewall rule named 'allow-http' that allows incoming TCP traffic on port 80 from any IP address to instances tagged with 'http-server' in the default network.
Terminal
gcloud compute firewall-rules create allow-http --network default --direction INGRESS --priority 1000 --action ALLOW --rules tcp:80 --source-ranges 0.0.0.0/0 --target-tags http-server --description "Allow incoming HTTP traffic on port 80 from anywhere"
Expected Output
Creating firewall rule...done.
--network - Specifies the network where the rule applies
--direction - Sets the traffic direction to incoming
--rules - Defines allowed protocols and ports
This command lists the firewall rules filtered by the name 'allow-http' to verify the rule was created successfully.
Terminal
gcloud compute firewall-rules list --filter="name=allow-http"
Expected Output
NAME        NETWORK  DIRECTION  PRIORITY  ALLOW   DENY  DISABLED
allow-http  default  INGRESS    1000      tcp:80        False
--filter - Filters the list output by rule name
This command shows detailed information about the 'allow-http' firewall rule to confirm its settings.
Terminal
gcloud compute firewall-rules describe allow-http
Expected Output
name: allow-http
network: https://www.googleapis.com/compute/v1/projects/my-project/global/networks/default
direction: INGRESS
priority: 1000
allowed:
- IPProtocol: tcp
  ports:
  - '80'
sourceRanges:
- 0.0.0.0/0
targetTags:
- http-server
description: Allow incoming HTTP traffic on port 80 from anywhere
Key Concept

If you remember nothing else from this pattern, remember: firewall rules let you control who can talk to your cloud servers by specifying allowed or blocked traffic based on IPs, ports, and protocols.

Common Mistakes
Creating a firewall rule without specifying the correct target tags.
The rule won't apply to any instances if they don't have the matching tags, so traffic won't be allowed or blocked as expected.
Always ensure your instances have the target tags that match the firewall rule's targetTags field.
Using a source range that is too broad or too narrow.
Too broad source ranges can expose your servers to unwanted traffic; too narrow can block legitimate users.
Specify sourceRanges carefully to include only trusted IPs or networks that need access.
Not verifying the firewall rule after creation.
You might think the rule is active, but it could have errors or not be applied correctly.
Use 'gcloud compute firewall-rules list' and 'describe' commands to confirm the rule is created and configured properly.
Summary
Use 'gcloud compute firewall-rules create' to define rules controlling incoming or outgoing traffic.
Verify rules with 'gcloud compute firewall-rules list' and 'describe' to ensure they are active and correct.
Firewall rules use target tags and source ranges to specify which instances and IPs the rules apply to.
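The following is an added example, not code from the page or from Google: a small Python model of how GCP evaluates ingress firewall rules (lowest priority number first, deny wins a tie, implied deny if nothing matches), run against a constructed rule set that contains the page's allow-http rule plus an SSH rule scoped to one office address. The rule dictionaries, the tag names and the addresses 203.0.113.5 and 198.51.100.7 are assumptions made for the example.

```python
# Added example (not from the page): a minimal model of GCP ingress rule
# evaluation, so the rules in this pattern can be checked offline.
# Rule fields mirror the YAML / describe output used on the page.
import ipaddress

# Constructed rule set: the page's allow-http rule plus an SSH rule limited
# to one office IP (203.0.113.5 is a documentation address, a placeholder).
RULES = [
    {"name": "allow-http", "direction": "INGRESS", "priority": 1000,
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}],
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["http-server"]},
    {"name": "allow-ssh-office", "direction": "INGRESS", "priority": 900,
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "sourceRanges": ["203.0.113.5/32"], "targetTags": ["ssh-server"]},
]

def _port_matches(port, spec_ports):
    # No ports listed means every port of that protocol; "a-b" is a range.
    if not spec_ports:
        return True
    for p in spec_ports:
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _rule_matches(rule, src_ip, proto, port, vm_tags):
    # A rule with no targetTags applies to every VM in the network.
    if rule.get("targetTags") and not set(rule["targetTags"]) & set(vm_tags):
        return False
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])):
        return False
    return any(spec["IPProtocol"] == proto and _port_matches(port, spec.get("ports"))
               for spec in rule.get("allowed", []) + rule.get("denied", []))

def ingress_allowed(rules, src_ip, proto, port, vm_tags):
    """True if the connection is allowed. Lower priority numbers are evaluated
    first and a deny beats an allow at equal priority; if no rule matches,
    the implied ingress rule (priority 65535) denies the connection."""
    ordered = sorted(rules, key=lambda r: (r["priority"], "denied" not in r))
    for rule in ordered:
        if rule["direction"] == "INGRESS" and _rule_matches(rule, src_ip, proto, port, vm_tags):
            return "allowed" in rule
    return False  # implied deny-all ingress

if __name__ == "__main__":
    print(ingress_allowed(RULES, "198.51.100.7", "tcp", 80, ["http-server"]))  # True
    print(ingress_allowed(RULES, "198.51.100.7", "tcp", 22, ["ssh-server"]))   # False
    print(ingress_allowed(RULES, "198.51.100.7", "tcp", 80, []))               # False, tag missing
```

The third call shows the first "common mistake" above: a VM without the http-server tag is not covered by allow-http, so the implied deny applies.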

Practice

1. What is the main purpose of a firewall rule in Google Cloud Platform?
easy
A. To control network traffic by allowing or blocking it based on defined conditions
B. To store data securely in the cloud
C. To monitor user activity logs
D. To automatically backup virtual machines

Solution

  1. Step 1: Understand what firewall rules do

    Firewall rules are designed to control network traffic by specifying which traffic is allowed or denied.
  2. Step 2: Identify the correct function in GCP context

    In GCP, firewall rules specifically allow or block traffic based on protocols, ports, and IP ranges.
  3. Final Answer:

    To control network traffic by allowing or blocking it based on defined conditions -> Option A
  4. Quick Check:

    Firewall rules control traffic = B [OK]
Hint: Firewall rules manage traffic access, not data or backups [OK]
Common Mistakes:
  • Confusing firewall rules with data storage
  • Thinking firewall rules monitor logs
  • Assuming firewall rules handle backups
2. Which of the following is the correct way to specify a firewall rule to allow TCP traffic on port 80 from any IP address in GCP?
easy
A. protocol: 'tcp', ports: ['80'], sourceRanges: ['0.0.0.0/0']
B. protocol: 'udp', ports: ['80'], sourceRanges: ['0.0.0.0/0']
C. protocol: 'tcp', ports: ['22'], sourceRanges: ['0.0.0.0/0']
D. protocol: 'icmp', ports: ['80'], sourceRanges: ['0.0.0.0/0']

Solution

  1. Step 1: Identify the protocol and port for HTTP traffic

    HTTP uses TCP protocol on port 80.
  2. Step 2: Check the source IP range

    '0.0.0.0/0' means any IP address, which matches the requirement.
  3. Final Answer:

    protocol: 'tcp', ports: ['80'], sourceRanges: ['0.0.0.0/0'] -> Option A
  4. Quick Check:

    TCP port 80 from any IP = A [OK]
Hint: HTTP uses TCP port 80; source 0.0.0.0/0 means all IPs [OK]
Common Mistakes:
  • Using UDP instead of TCP for HTTP
  • Specifying wrong port like 22
  • Using ICMP protocol for port-based rules
3. Given this firewall rule in GCP:
{"direction": "INGRESS", "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "sourceRanges": ["192.168.1.0/24"]}

Which traffic will be allowed?
medium
A. UDP traffic on port 22 from IP 192.168.1.15
B. TCP traffic on port 22 from IP 192.168.1.15
C. TCP traffic on port 80 from IP 192.168.1.15
D. TCP traffic on port 22 from IP 10.0.0.5

Solution

  1. Step 1: Analyze the allowed protocol and port

    The rule allows TCP protocol on port 22 only.
  2. Step 2: Check the source IP range

    Only IPs in 192.168.1.0/24 are allowed, so 192.168.1.15 is included, but 10.0.0.5 is not.
  3. Final Answer:

    TCP traffic on port 22 from IP 192.168.1.15 -> Option B
  4. Quick Check:

    TCP port 22 from 192.168.1.x allowed = C [OK]
Hint: Match protocol, port, and source IP range exactly [OK]
Common Mistakes:
  • Allowing wrong port like 80
  • Allowing UDP instead of TCP
  • Ignoring source IP range restrictions
4. You created a firewall rule to allow TCP traffic on port 443 from IP range 10.0.0.0/16, but your VM instances cannot receive HTTPS traffic. What is the most likely mistake?
medium
A. The protocol should be UDP instead of TCP
B. The port number should be 80 instead of 443
C. The sourceRanges should be 0.0.0.0/0 to allow all traffic
D. The firewall rule direction is set to EGRESS instead of INGRESS

Solution

  1. Step 1: Understand traffic direction for incoming HTTPS

    HTTPS traffic comes into the VM, so firewall rule must be INGRESS.
  2. Step 2: Check the rule direction

    If the rule is EGRESS, it controls outgoing traffic, so incoming HTTPS is blocked.
  3. Final Answer:

    The firewall rule direction is set to EGRESS instead of INGRESS -> Option D
  4. Quick Check:

    Ingress needed for incoming traffic = D [OK]
Hint: Ingress rules allow incoming traffic; check direction [OK]
Common Mistakes:
  • Confusing ingress and egress directions
  • Changing port from 443 to 80 incorrectly
  • Opening sourceRanges too wide unnecessarily
5. You want to create a firewall rule that allows SSH (TCP port 22) access only from your office IP 203.0.113.5 and blocks all other SSH traffic. Which configuration achieves this securely?
hard
A. Allow TCP port 22 from 203.0.113.5 and deny TCP port 22 from 0.0.0.0/0
B. Allow TCP port 22 from 0.0.0.0/0 and deny TCP port 22 from 203.0.113.5
C. Allow TCP port 22 from 203.0.113.5 only, no other rules needed
D. Deny all TCP traffic and allow UDP port 22 from 203.0.113.5

Solution

  1. Step 1: Understand default firewall behavior

    By default, GCP denies all traffic unless explicitly allowed.
  2. Step 2: Allow only SSH from office IP

    Allowing TCP port 22 from 203.0.113.5 only permits SSH from that IP; no deny rule needed.
  3. Step 3: Avoid conflicting rules

    Adding deny rules can cause conflicts; simplest is to allow only the trusted IP.
  4. Final Answer:

    Allow TCP port 22 from 203.0.113.5 only, no other rules needed -> Option C
  5. Quick Check:

    Allow trusted IP only; default deny others = A [OK]
Hint: Allow trusted IP only; default deny blocks others [OK]
Common Mistakes:
  • Adding unnecessary deny rules causing conflicts
  • Allowing all IPs then trying to deny one
  • Using wrong protocol or port