
Firewall rules concept in GCP - Commands & Configuration

Introduction
Firewall rules control which network traffic can reach your virtual machines in the cloud. They help protect your resources by allowing or blocking connections based on simple conditions like IP addresses and ports.
When you want to allow web traffic to your app server on port 80 or 443.
When you need to block all incoming traffic except from your office IP address.
When you want to allow SSH access only from specific trusted IPs.
When you want to restrict database access to only your app servers.
When you want to log and monitor suspicious network traffic.
Config File - firewall-rule.yaml
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeFirewall
metadata:
  name: allow-http
spec:
  networkRef:
    name: default
  direction: INGRESS
  priority: 1000
  allowed:
  - IPProtocol: tcp
    ports:
    - "80"
  sourceRanges:
  - 0.0.0.0/0
  targetTags:
  - http-server
  description: "Allow incoming HTTP traffic on port 80 from anywhere"

This YAML file defines a firewall rule named allow-http that allows incoming TCP traffic on port 80 (HTTP) from any IP address. It applies to virtual machines tagged with http-server in the default network. The priority sets the rule's evaluation order (lower numbers are evaluated before higher ones), and direction: INGRESS means it controls incoming traffic.

Commands
This command creates a firewall rule named 'allow-http' that allows incoming TCP traffic on port 80 from any IP address to instances tagged with 'http-server' in the default network.
Terminal
gcloud compute firewall-rules create allow-http --network default --direction INGRESS --priority 1000 --action ALLOW --rules tcp:80 --source-ranges 0.0.0.0/0 --target-tags http-server --description "Allow incoming HTTP traffic on port 80 from anywhere"
Expected Output
Creating firewall rule...done.
--network - Specifies the network where the rule applies
--direction - Sets the traffic direction to incoming
--rules - Defines allowed protocols and ports
This command lists the firewall rules filtered by the name 'allow-http' to verify the rule was created successfully.
Terminal
gcloud compute firewall-rules list --filter="name=allow-http"
Expected Output
NAME        NETWORK  DIRECTION  PRIORITY  ALLOW   DENY  DISABLED
allow-http  default  INGRESS    1000      tcp:80        False
--filter - Filters the list output by rule name
This command shows detailed information about the 'allow-http' firewall rule to confirm its settings.
Terminal
gcloud compute firewall-rules describe allow-http
Expected Output
name: allow-http
network: https://www.googleapis.com/compute/v1/projects/my-project/global/networks/default
direction: INGRESS
priority: 1000
allowed:
- IPProtocol: tcp
  ports:
  - '80'
sourceRanges:
- 0.0.0.0/0
targetTags:
- http-server
description: Allow incoming HTTP traffic on port 80 from anywhere
Key Concept

If you remember nothing else from this pattern, remember: firewall rules let you control who can talk to your cloud servers by specifying allowed or blocked traffic based on IPs, ports, and protocols.

Common Mistakes
Creating a firewall rule without specifying the correct target tags.
The rule won't apply to any instances if they don't have the matching tags, so traffic won't be allowed or blocked as expected.
Always ensure your instances have the target tags that match the firewall rule's targetTags field.
Using a source range that is too broad or too narrow.
Source ranges that are too broad expose your servers to unwanted traffic; ranges that are too narrow block legitimate users.
Specify sourceRanges carefully to include only the trusted IPs or networks that need access. A range of 0.0.0.0/0, as in the HTTP example above, is reasonable for a public web port but not for SSH or database ports, which should be limited to trusted IPs or to source tags of your own instances.
Not verifying the firewall rule after creation.
You might think the rule is active, but it could have errors or not be applied correctly.
Use 'gcloud compute firewall-rules list' and 'describe' commands to confirm the rule is created and configured properly.
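As an added example (not part of the original page), the following Python script audits the JSON that `gcloud compute firewall-rules list --format=json` prints, flagging the mistakes listed above: ingress rules open to 0.0.0.0/0 on anything other than ports 80/443, rules with no target tags (which apply to every instance in the network), and rules with logging disabled. The sample rule list is constructed for this example; its field names follow the Compute Engine firewall resource.

```python
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (made up for this example, not captured from a real project).
SAMPLE_RULES_JSON = """
[
  {"name": "allow-http", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}],
   "targetTags": ["http-server"], "logConfig": {"enable": false}},
  {"name": "allow-ssh-anywhere", "direction": "INGRESS", "priority": 1000,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
   "logConfig": {"enable": false}},
  {"name": "allow-db-from-app", "direction": "INGRESS", "priority": 900,
   "sourceTags": ["app-server"], "allowed": [{"IPProtocol": "tcp", "ports": ["3306"]}],
   "targetTags": ["db-server"], "logConfig": {"enable": true}}
]
"""

PUBLIC_OK_PORTS = {80, 443}  # the only ports this audit accepts from 0.0.0.0/0

def exposes_non_web_port(allowed):
    """True if an 'allowed' list covers anything beyond single web ports over tcp/udp."""
    for entry in allowed:
        ports = entry.get("ports", [])
        # A non-tcp/udp protocol, or tcp/udp with no port list, means every port.
        if entry.get("IPProtocol", "all") not in ("tcp", "udp") or not ports:
            return True
        for spec in ports:  # gcloud port specs look like "80" or "8000-8100"
            lo, _, hi = spec.partition("-")
            lo, hi = int(lo), int(hi or lo)
            if not (lo == hi and lo in PUBLIC_OK_PORTS):
                return True
    return False

def audit_rules(rules):
    """Return {rule name: [findings]} for the active INGRESS rules in the list."""
    findings = {}
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        issues = []
        if "0.0.0.0/0" in rule.get("sourceRanges", []) and exposes_non_web_port(rule.get("allowed", [])):
            issues.append("open to the internet on a non-web port")
        if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
            issues.append("no target tags: applies to every instance in the network")
        if not rule.get("logConfig", {}).get("enable"):
            issues.append("logging disabled")
        if issues:
            findings[rule["name"]] = issues
    return findings

def audit_json(text):
    return audit_rules(json.loads(text))

for name, issues in audit_json(SAMPLE_RULES_JSON).items():
    print(f"{name}: {'; '.join(issues)}")
```

To audit a real project, pipe the gcloud output into the script, e.g. feed `gcloud compute firewall-rules list --format=json` to audit_json instead of the constructed sample.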
Summary
Use 'gcloud compute firewall-rules create' to define rules controlling incoming or outgoing traffic.
Verify rules with 'gcloud compute firewall-rules list' and 'describe' to ensure they are active and correct.
Firewall rules use target tags and source ranges to specify which instances and IPs the rules apply to.