Bird
Raised Fist0
GCPcloud~30 mins

Firewall rules concept in GCP - Mini Project: Build & Apply

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Firewall rules concept
📖 Scenario: You are setting up a simple firewall in Google Cloud Platform (GCP) to control network traffic for a virtual machine (VM).Think of firewall rules like the security gates of a building. You decide who can enter or leave through these gates based on rules.
🎯 Goal: Create a basic firewall rule in GCP that allows incoming traffic on port 80 (HTTP) to your VM.
📋 What You'll Learn
Create a firewall rule resource named allow-http.
Set the network to "default".
Allow incoming TCP traffic on port 80.
Set the direction of traffic to INGRESS.
Allow traffic from any IP address (0.0.0.0/0).
💡 Why This Matters
🌍 Real World
Firewall rules protect cloud resources by controlling what network traffic is allowed in and out, similar to security guards at building entrances.
💼 Career
Understanding firewall rules is essential for cloud engineers and security specialists to secure cloud infrastructure effectively.
Progress0 / 4 steps
1
Create the basic firewall rule resource
Create a firewall rule resource named allow-http in Terraform with the resource block starting with resource "google_compute_firewall" "allow-http".
GCP
Hint

Start by declaring the firewall resource with the exact name allow-http.

2
Add network and direction configuration
Inside the allow-http resource, add the network attribute set to "default" and the direction attribute set to "INGRESS".
GCP
Hint

Set the network to the default network and specify the traffic direction as ingress (incoming).

3
Allow incoming TCP traffic on port 80
Add the allow block inside the allow-http resource to allow TCP traffic on port 80. Use protocol = "tcp" and ports = ["80"].
GCP
Hint

Use the allow block to specify the protocol and port to open.

4
Set source ranges to allow traffic from anywhere
Add the source_ranges attribute inside the allow-http resource and set it to ["0.0.0.0/0"] to allow traffic from any IP address.
GCP
Hint

Use source_ranges to specify the IP addresses allowed to send traffic.

Practice

(1/5)
1. What is the main purpose of a firewall rule in Google Cloud Platform?
easy
A. To control network traffic by allowing or blocking it based on defined conditions
B. To store data securely in the cloud
C. To monitor user activity logs
D. To automatically backup virtual machines

Solution

  1. Step 1: Understand what firewall rules do

    Firewall rules are designed to control network traffic by specifying which traffic is allowed or denied.

  2. Step 2: Identify the correct function in GCP context

    In GCP, firewall rules specifically allow or block traffic based on protocols, ports, and IP ranges.

  3. Final Answer:

    To control network traffic by allowing or blocking it based on defined conditions -> Option A

  4. Quick Check:

    Firewall rules control traffic = B [OK]
Hint: Firewall rules manage traffic access, not data or backups [OK]
Common Mistakes:
  • Confusing firewall rules with data storage
  • Thinking firewall rules monitor logs
  • Assuming firewall rules handle backups
2. Which of the following is the correct way to specify a firewall rule to allow TCP traffic on port 80 from any IP address in GCP?
easy
A. protocol: 'tcp', ports: ['80'], sourceRanges: ['0.0.0.0/0']
B. protocol: 'udp', ports: ['80'], sourceRanges: ['0.0.0.0/0']
C. protocol: 'tcp', ports: ['22'], sourceRanges: ['0.0.0.0/0']
D. protocol: 'icmp', ports: ['80'], sourceRanges: ['0.0.0.0/0']

Solution

  1. Step 1: Identify the protocol and port for HTTP traffic

    HTTP uses TCP protocol on port 80.

  2. Step 2: Check the source IP range

    '0.0.0.0/0' means any IP address, which matches the requirement.

  3. Final Answer:

    protocol: 'tcp', ports: ['80'], sourceRanges: ['0.0.0.0/0'] -> Option A

  4. Quick Check:

    TCP port 80 from any IP = A [OK]
Hint: HTTP uses TCP port 80; source 0.0.0.0/0 means all IPs [OK]
Common Mistakes:
  • Using UDP instead of TCP for HTTP
  • Specifying wrong port like 22
  • Using ICMP protocol for port-based rules
3. Given this firewall rule in GCP:
{"direction": "INGRESS", "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "sourceRanges": ["192.168.1.0/24"]}

Which traffic will be allowed?
medium
A. UDP traffic on port 22 from IP 192.168.1.15
B. TCP traffic on port 22 from IP 192.168.1.15
C. TCP traffic on port 80 from IP 192.168.1.15
D. TCP traffic on port 22 from IP 10.0.0.5

Solution

  1. Step 1: Analyze the allowed protocol and port

    The rule allows TCP protocol on port 22 only.

  2. Step 2: Check the source IP range

    Only IPs in 192.168.1.0/24 are allowed, so 192.168.1.15 is included, but 10.0.0.5 is not.

  3. Final Answer:

    TCP traffic on port 22 from IP 192.168.1.15 -> Option B

  4. Quick Check:

    TCP port 22 from 192.168.1.x allowed = C [OK]
Hint: Match protocol, port, and source IP range exactly [OK]
Common Mistakes:
  • Allowing wrong port like 80
  • Allowing UDP instead of TCP
  • Ignoring source IP range restrictions
4. You created a firewall rule to allow TCP traffic on port 443 from IP range 10.0.0.0/16, but your VM instances cannot receive HTTPS traffic. What is the most likely mistake?
medium
A. The protocol should be UDP instead of TCP
B. The port number should be 80 instead of 443
C. The sourceRanges should be 0.0.0.0/0 to allow all traffic
D. The firewall rule direction is set to EGRESS instead of INGRESS

Solution

  1. Step 1: Understand traffic direction for incoming HTTPS

    HTTPS traffic comes into the VM, so firewall rule must be INGRESS.

  2. Step 2: Check the rule direction

    If the rule is EGRESS, it controls outgoing traffic, so incoming HTTPS is blocked.

  3. Final Answer:

    The firewall rule direction is set to EGRESS instead of INGRESS -> Option D

  4. Quick Check:

    Ingress needed for incoming traffic = D [OK]
Hint: Ingress rules allow incoming traffic; check direction [OK]
Common Mistakes:
  • Confusing ingress and egress directions
  • Changing port from 443 to 80 incorrectly
  • Opening sourceRanges too wide unnecessarily
5. You want to create a firewall rule that allows SSH (TCP port 22) access only from your office IP 203.0.113.5 and blocks all other SSH traffic. Which configuration achieves this securely?
hard
A. Allow TCP port 22 from 203.0.113.5 and deny TCP port 22 from 0.0.0.0/0
B. Allow TCP port 22 from 0.0.0.0/0 and deny TCP port 22 from 203.0.113.5
C. Allow TCP port 22 from 203.0.113.5 only, no other rules needed
D. Deny all TCP traffic and allow UDP port 22 from 203.0.113.5

Solution

  1. Step 1: Understand default firewall behavior

    By default, GCP denies all traffic unless explicitly allowed.

  2. Step 2: Allow only SSH from office IP

    Allowing TCP port 22 from 203.0.113.5 only permits SSH from that IP; no deny rule needed.

  3. Step 3: Avoid conflicting rules

    Adding deny rules can cause conflicts; simplest is to allow only the trusted IP.

  4. Final Answer:

    Allow TCP port 22 from 203.0.113.5 only, no other rules needed -> Option C

  5. Quick Check:

    Allow trusted IP only; default deny others = A [OK]
Hint: Allow trusted IP only; default deny blocks others [OK]
Common Mistakes:
  • Adding unnecessary deny rules causing conflicts
  • Allowing all IPs then trying to deny one
  • Using wrong protocol or port