Recall & Review
beginner
What is a firewall rule in Google Cloud Platform?
A firewall rule in GCP controls the traffic allowed to and from virtual machine instances by specifying which connections are permitted or denied based on IP addresses, ports, and protocols.
beginner
What are the main components of a GCP firewall rule?
The main components are: direction (ingress or egress), priority (order of evaluation), action (allow or deny), targets (which instances the rule applies to), source or destination IP ranges, protocols, and ports.
intermediate
How does priority affect firewall rules in GCP?
Priority is a number where lower values have higher priority. GCP evaluates rules in order from the lowest priority number to the highest and applies the first matching rule to the traffic.
beginner
What is the difference between ingress and egress firewall rules?
Ingress rules control incoming traffic to instances, while egress rules control outgoing traffic from instances.
intermediate
Why is it important to specify targets in firewall rules?
Specifying targets ensures that the firewall rule applies only to certain VM instances or groups, helping to limit exposure and improve security.
In GCP firewall rules, what does a lower priority number mean?
A. Only applies to egress rules
B. Lower priority, evaluated last
C. No effect on evaluation order
D. Higher priority, evaluated first
Lower priority numbers mean higher priority and are evaluated before rules with higher numbers.
Which direction does an ingress firewall rule control?
A. Outgoing traffic from VM instances
B. Incoming traffic to VM instances
C. Traffic between VPC networks
D. Traffic to Google APIs only
Ingress rules control incoming traffic to VM instances.
What action can a firewall rule perform in GCP?
A. Redirect traffic
B. Only allow traffic
C. Allow or deny traffic
D. Only deny traffic
Firewall rules can either allow or deny traffic based on the rule configuration.
Why should you specify IP ranges in a firewall rule?
A. To define which traffic sources or destinations are affected
B. To speed up network traffic
C. To encrypt data in transit
D. To assign IP addresses to VMs
IP ranges specify which sources or destinations the rule applies to, controlling traffic flow.
What happens if no firewall rule matches the ingress traffic in GCP?
A. Traffic is denied by default
B. Traffic is allowed by default
C. Traffic is logged but allowed
D. Traffic is redirected to a default route
By default, GCP denies ingress traffic that does not match any firewall rule.
Explain how firewall rules control traffic in Google Cloud Platform.
Think about how rules decide which traffic is allowed or blocked.
Describe the importance of priority and targets in GCP firewall rules.
Consider how rules are applied and to which resources.
Practice
1. What is the main purpose of a firewall rule in Google Cloud Platform?
easy
A. To control network traffic by allowing or blocking it based on defined conditions
B. To store data securely in the cloud
C. To monitor user activity logs
D. To automatically backup virtual machines
Solution
Step 1: Understand what firewall rules do
Firewall rules are designed to control network traffic by specifying which traffic is allowed or denied.
Step 2: Identify the correct function in GCP context
In GCP, firewall rules specifically allow or block traffic based on protocols, ports, and IP ranges.
Final Answer:
To control network traffic by allowing or blocking it based on defined conditions -> Option A
Quick Check:
Firewall rules control traffic = B [OK]
Hint: Firewall rules manage traffic access, not data or backups [OK]
Common Mistakes:
Confusing firewall rules with data storage
Thinking firewall rules monitor logs
Assuming firewall rules handle backups
2. Which of the following is the correct way to specify a firewall rule to allow TCP traffic on port 80 from any IP address in GCP?
easy
A. protocol: 'tcp', ports: ['80'], sourceRanges: ['0.0.0.0/0']
B. protocol: 'udp', ports: ['80'], sourceRanges: ['0.0.0.0/0']
C. protocol: 'tcp', ports: ['22'], sourceRanges: ['0.0.0.0/0']
D. protocol: 'icmp', ports: ['80'], sourceRanges: ['0.0.0.0/0']
Solution
Step 1: Identify the protocol and port for HTTP traffic
HTTP uses the TCP protocol on port 80.
Step 2: Check the source IP range
'0.0.0.0/0' means any IP address, which matches the requirement.
Final Answer:
protocol: 'tcp', ports: ['80'], sourceRanges: ['0.0.0.0/0'] -> Option A
Quick Check:
TCP port 80 from any IP = A [OK]
Hint: HTTP uses TCP port 80; source 0.0.0.0/0 means all IPs [OK]
Only IPs in 192.168.1.0/24 are allowed, so 192.168.1.15 is included, but 10.0.0.5 is not.
Final Answer:
TCP traffic on port 22 from IP 192.168.1.15 -> Option B
Quick Check:
TCP port 22 from 192.168.1.x allowed = C [OK]
Hint: Match protocol, port, and source IP range exactly [OK]
Common Mistakes:
Allowing wrong port like 80
Allowing UDP instead of TCP
Ignoring source IP range restrictions
4. You created a firewall rule to allow TCP traffic on port 443 from IP range 10.0.0.0/16, but your VM instances cannot receive HTTPS traffic. What is the most likely mistake?
medium
A. The protocol should be UDP instead of TCP
B. The port number should be 80 instead of 443
C. The sourceRanges should be 0.0.0.0/0 to allow all traffic
D. The firewall rule direction is set to EGRESS instead of INGRESS
Solution
Step 1: Understand traffic direction for incoming HTTPS
HTTPS traffic comes into the VM, so the firewall rule must be INGRESS.
Step 2: Check the rule direction
If the rule is EGRESS, it controls outgoing traffic, so incoming HTTPS is blocked.
Final Answer:
The firewall rule direction is set to EGRESS instead of INGRESS -> Option D
Quick Check:
Ingress needed for incoming traffic = D [OK]
Hint: Ingress rules allow incoming traffic; check direction [OK]
Common Mistakes:
Confusing ingress and egress directions
Changing port from 443 to 80 incorrectly
Opening sourceRanges too wide unnecessarily
5. You want to create a firewall rule that allows SSH (TCP port 22) access only from your office IP 203.0.113.5 and blocks all other SSH traffic. Which configuration achieves this securely?
hard
A. Allow TCP port 22 from 203.0.113.5 and deny TCP port 22 from 0.0.0.0/0
B. Allow TCP port 22 from 0.0.0.0/0 and deny TCP port 22 from 203.0.113.5
C. Allow TCP port 22 from 203.0.113.5 only, no other rules needed
D. Deny all TCP traffic and allow UDP port 22 from 203.0.113.5
Solution
Step 1: Understand default firewall behavior
By default, GCP denies all traffic unless explicitly allowed.
Step 2: Allow only SSH from office IP
Allowing TCP port 22 from 203.0.113.5 only permits SSH from that IP; no deny rule needed.
Step 3: Avoid conflicting rules
Adding deny rules can cause conflicts; the simplest approach is to allow only the trusted IP.
Final Answer:
Allow TCP port 22 from 203.0.113.5 only, no other rules needed -> Option C
Quick Check:
Allow trusted IP only; default deny others = A [OK]
Hint: Allow trusted IP only; default deny blocks others [OK]