Bird
Raised Fist0
GCPcloud~10 mins

Firewall rules concept in GCP - Interactive Code Practice

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Practice - 5 Tasks
Answer the questions below
1fill in blank
easy

Complete the code to specify the direction of the firewall rule.

GCP
resource "google_compute_firewall" "default" {
  name    = "allow-internal"
  network = "default"
  direction = "[1]"
}
Drag options to blanks, or click blank then click option'
AOUTBOUND
BEGRESS
CINBOUND
DINGRESS
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'INBOUND' or 'OUTBOUND' which are not valid values in GCP firewall rules.
2fill in blank
medium

Complete the code to allow TCP traffic on port 80.

GCP
resource "google_compute_firewall" "http" {
  name    = "allow-http"
  network = "default"
  allow {
    protocol = "[1]"
    ports    = ["80"]
  }
}
Drag options to blanks, or click blank then click option'
Ahttp
Budp
Ctcp
Dicmp
Attempts:
3 left
💡 Hint
Common Mistakes
Using 'http' as a protocol which is not valid in firewall rules.
3fill in blank
hard

Fix the error in the source range specification to allow traffic from any IP.

GCP
resource "google_compute_firewall" "allow-all" {
  name    = "allow-all"
  network = "default"
  allow {
    protocol = "tcp"
    ports    = ["0-65535"]
  }
  source_ranges = ["[1]"]
}
Drag options to blanks, or click blank then click option'
Aany
B0.0.0.0/0
C0.0.0.0
D255.255.255.255/32
Attempts:
3 left
💡 Hint
Common Mistakes
Using '0.0.0.0' without CIDR suffix which is invalid.
Using 'any' which is not accepted.
4fill in blank
hard

Fill both blanks to create a firewall rule that denies all egress UDP traffic.

GCP
resource "google_compute_firewall" "deny-udp-egress" {
  name    = "deny-udp-egress"
  network = "default"
  direction = "[1]"
  deny {
    protocol = "[2]"
  }
}
Drag options to blanks, or click blank then click option'
AEGRESS
BINGRESS
Cudp
Dtcp
Attempts:
3 left
💡 Hint
Common Mistakes
Confusing INGRESS and EGRESS directions.
Using TCP instead of UDP.
5fill in blank
hard

Fill all three blanks to create a firewall rule allowing SSH from a specific IP range.

GCP
resource "google_compute_firewall" "allow-ssh" {
  name    = "allow-ssh"
  network = "default"
  direction = "[1]"
  allow {
    protocol = "[2]"
    ports    = ["[3]"]
  }
  source_ranges = ["192.168.1.0/24"]
}
Drag options to blanks, or click blank then click option'
AINGRESS
Btcp
C22
DEGRESS
Attempts:
3 left
💡 Hint
Common Mistakes
Setting direction to EGRESS instead of INGRESS.
Using wrong protocol or port.

Practice

(1/5)
1. What is the main purpose of a firewall rule in Google Cloud Platform?
easy
A. To control network traffic by allowing or blocking it based on defined conditions
B. To store data securely in the cloud
C. To monitor user activity logs
D. To automatically backup virtual machines

Solution

  1. Step 1: Understand what firewall rules do

    Firewall rules are designed to control network traffic by specifying which traffic is allowed or denied.

  2. Step 2: Identify the correct function in GCP context

    In GCP, firewall rules specifically allow or block traffic based on protocols, ports, and IP ranges.

  3. Final Answer:

    To control network traffic by allowing or blocking it based on defined conditions -> Option A

  4. Quick Check:

    Firewall rules control traffic = B [OK]
Hint: Firewall rules manage traffic access, not data or backups [OK]
Common Mistakes:
  • Confusing firewall rules with data storage
  • Thinking firewall rules monitor logs
  • Assuming firewall rules handle backups
2. Which of the following is the correct way to specify a firewall rule to allow TCP traffic on port 80 from any IP address in GCP?
easy
A. protocol: 'tcp', ports: ['80'], sourceRanges: ['0.0.0.0/0']
B. protocol: 'udp', ports: ['80'], sourceRanges: ['0.0.0.0/0']
C. protocol: 'tcp', ports: ['22'], sourceRanges: ['0.0.0.0/0']
D. protocol: 'icmp', ports: ['80'], sourceRanges: ['0.0.0.0/0']

Solution

  1. Step 1: Identify the protocol and port for HTTP traffic

    HTTP uses TCP protocol on port 80.

  2. Step 2: Check the source IP range

    '0.0.0.0/0' means any IP address, which matches the requirement.

  3. Final Answer:

    protocol: 'tcp', ports: ['80'], sourceRanges: ['0.0.0.0/0'] -> Option A

  4. Quick Check:

    TCP port 80 from any IP = A [OK]
Hint: HTTP uses TCP port 80; source 0.0.0.0/0 means all IPs [OK]
Common Mistakes:
  • Using UDP instead of TCP for HTTP
  • Specifying wrong port like 22
  • Using ICMP protocol for port-based rules
3. Given this firewall rule in GCP:
{"direction": "INGRESS", "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "sourceRanges": ["192.168.1.0/24"]}

Which traffic will be allowed?
medium
A. UDP traffic on port 22 from IP 192.168.1.15
B. TCP traffic on port 22 from IP 192.168.1.15
C. TCP traffic on port 80 from IP 192.168.1.15
D. TCP traffic on port 22 from IP 10.0.0.5

Solution

  1. Step 1: Analyze the allowed protocol and port

    The rule allows TCP protocol on port 22 only.

  2. Step 2: Check the source IP range

    Only IPs in 192.168.1.0/24 are allowed, so 192.168.1.15 is included, but 10.0.0.5 is not.

  3. Final Answer:

    TCP traffic on port 22 from IP 192.168.1.15 -> Option B

  4. Quick Check:

    TCP port 22 from 192.168.1.x allowed = C [OK]
Hint: Match protocol, port, and source IP range exactly [OK]
Common Mistakes:
  • Allowing wrong port like 80
  • Allowing UDP instead of TCP
  • Ignoring source IP range restrictions
4. You created a firewall rule to allow TCP traffic on port 443 from IP range 10.0.0.0/16, but your VM instances cannot receive HTTPS traffic. What is the most likely mistake?
medium
A. The protocol should be UDP instead of TCP
B. The port number should be 80 instead of 443
C. The sourceRanges should be 0.0.0.0/0 to allow all traffic
D. The firewall rule direction is set to EGRESS instead of INGRESS

Solution

  1. Step 1: Understand traffic direction for incoming HTTPS

    HTTPS traffic comes into the VM, so firewall rule must be INGRESS.

  2. Step 2: Check the rule direction

    If the rule is EGRESS, it controls outgoing traffic, so incoming HTTPS is blocked.

  3. Final Answer:

    The firewall rule direction is set to EGRESS instead of INGRESS -> Option D

  4. Quick Check:

    Ingress needed for incoming traffic = D [OK]
Hint: Ingress rules allow incoming traffic; check direction [OK]
Common Mistakes:
  • Confusing ingress and egress directions
  • Changing port from 443 to 80 incorrectly
  • Opening sourceRanges too wide unnecessarily
5. You want to create a firewall rule that allows SSH (TCP port 22) access only from your office IP 203.0.113.5 and blocks all other SSH traffic. Which configuration achieves this securely?
hard
A. Allow TCP port 22 from 203.0.113.5 and deny TCP port 22 from 0.0.0.0/0
B. Allow TCP port 22 from 0.0.0.0/0 and deny TCP port 22 from 203.0.113.5
C. Allow TCP port 22 from 203.0.113.5 only, no other rules needed
D. Deny all TCP traffic and allow UDP port 22 from 203.0.113.5

Solution

  1. Step 1: Understand default firewall behavior

    By default, GCP denies all traffic unless explicitly allowed.

  2. Step 2: Allow only SSH from office IP

    Allowing TCP port 22 from 203.0.113.5 only permits SSH from that IP; no deny rule needed.

  3. Step 3: Avoid conflicting rules

    Adding deny rules can cause conflicts; simplest is to allow only the trusted IP.

  4. Final Answer:

    Allow TCP port 22 from 203.0.113.5 only, no other rules needed -> Option C

  5. Quick Check:

    Allow trusted IP only; default deny others = A [OK]
Hint: Allow trusted IP only; default deny blocks others [OK]
Common Mistakes:
  • Adding unnecessary deny rules causing conflicts
  • Allowing all IPs then trying to deny one
  • Using wrong protocol or port