Firewall rules concept in GCP - Step-by-Step Execution

Process Flow - Firewall rules concept
Start: Incoming/Outgoing Traffic
  -> Check Firewall Rules List
  -> Match Traffic to Rule?
       No  -> Allow or Deny by Default
       Yes -> Apply Rule Action (Allow/Deny)
  -> Traffic Allowed or Blocked
Traffic tries to enter or leave a network. The firewall rules are checked in priority order: in GCP that is the rule's priority number (0 to 65535, lowest number first), not the order in which the rules are listed. The highest-priority matching rule's action (allow or deny) is applied; if two matching rules share the same priority, deny wins. If no rule matches, the implied rules apply: incoming (ingress) traffic is denied and outgoing (egress) traffic is allowed.
Execution Sample
GCP
1. Traffic arrives
2. Check rule: allow tcp port 80
3. Traffic matches rule?
4. If yes, allow traffic
5. Else, apply the implied rule (deny for ingress, allow for egress)
This sequence shows how incoming traffic is checked against firewall rules and allowed or denied.
Process Table
Step | Traffic Type | Rule Checked           | Match? | Action Taken    | Result
1    | TCP port 80  | Allow TCP port 80      | Yes    | Allow           | Traffic allowed
2    | TCP port 22  | Allow TCP port 80      | No     | Check next rule | Continue checking
3    | TCP port 22  | Deny all other traffic | Yes    | Deny            | Traffic denied
4    | UDP port 53  | Allow TCP port 80      | No     | Check next rule | Continue checking
5    | UDP port 53  | Deny all other traffic | Yes    | Deny            | Traffic denied
6    | ICMP         | Allow TCP port 80      | No     | Check next rule | Continue checking
7    | ICMP         | Deny all other traffic | Yes    | Deny            | Traffic denied
8    | TCP port 443 | Allow TCP port 80      | No     | Check next rule | Continue checking
9    | TCP port 443 | Deny all other traffic | Yes    | Deny            | Traffic denied
10   | TCP port 80  | Allow TCP port 80      | Yes    | Allow           | Traffic allowed
💡 Traffic is allowed or denied by the highest-priority matching rule; the "Deny all other traffic" rule here is a low-priority catch-all. Without it, unmatched ingress is still denied by GCP's implied deny-ingress rule, but unmatched egress is allowed by the implied allow-egress rule.
Status Tracker
Traffic      | Rule Checked           | Match Result | Action Taken
TCP port 80  | Allow TCP port 80      | Yes          | Allow
TCP port 22  | Allow TCP port 80      | No           | Check next rule
TCP port 22  | Deny all other traffic | Yes          | Deny
UDP port 53  | Allow TCP port 80      | No           | Check next rule
UDP port 53  | Deny all other traffic | Yes          | Deny
ICMP         | Allow TCP port 80      | No           | Check next rule
ICMP         | Deny all other traffic | Yes          | Deny
TCP port 443 | Allow TCP port 80      | No           | Check next rule
TCP port 443 | Deny all other traffic | Yes          | Deny
TCP port 80  | Allow TCP port 80      | Yes          | Allow
Key Moments - 3 Insights
Why does traffic stop checking rules after the first match?
Rules are evaluated from the lowest priority number upward (in GCP, priority 0 is checked before priority 1000, regardless of the order the rules were created in). Once a rule matches the traffic, its action is applied and lower-priority rules are ignored; if an allow and a deny match at the same priority, the deny is applied. See the Process Table, steps 1 and 3.
What happens if no firewall rule matches the traffic?
If no rule matches, the implied rules apply. In GCP these are a deny for all ingress and an allow for all egress, both at the lowest priority (65535); they cannot be deleted but can be overridden by your own rules. The Process Table shows the same effect for ingress, where unmatched traffic hits the "Deny all other traffic" rule.
Can a firewall rule allow some traffic and deny other traffic?
Each rule either allows or denies the traffic that matches its conditions. To allow some traffic and deny the rest, you need separate rules, with the allow at a numerically lower (higher-precedence) priority than the deny. The Process Table shows separate rules for allowing port 80 and denying everything else.
Visual Quiz - 3 Questions
Test your understanding
Look at the Process Table. What action is taken for TCP port 22 traffic at step 3?
A. Allow
B. Deny
C. Check next rule
D. No action
💡 Hint
Check the 'Action Taken' column at step 3 in the Process Table.
At which step does UDP port 53 traffic get denied?
A. Step 4
B. Step 6
C. Step 5
D. Step 7
💡 Hint
Look for UDP port 53 in the Process Table and find where 'Deny' is applied.
If the 'Allow TCP port 80' rule was removed, what would happen to TCP port 80 traffic?
A. It would be denied by the deny all other traffic rule
B. It would be allowed by default
C. It would be allowed by another rule
D. It would cause an error
💡 Hint
Refer to the Status Tracker and the Process Table to see how rules affect traffic.
Concept Snapshot
Firewall rules check network traffic in priority order (lowest priority number first), not in the order they were created.
Each rule matches traffic by direction, protocol, port, and source or destination IP range (and, in GCP, by target tag or service account).
If traffic matches, the rule's action (allow or deny) applies immediately; at equal priority, deny beats allow.
If no rule matches, the implied rules apply: ingress is denied, egress is allowed.
Highest-precedence match wins; a catch-all deny must sit at a numerically higher priority than the allows it is meant to back up.
Full Transcript
Firewall rules control network traffic by checking each packet against a list of rules. In GCP, VPC firewall rules are evaluated by priority number, 0 being the highest precedence and 65535 the lowest, so the position of a rule in the console or in a `gcloud compute firewall-rules list` output does not matter. If the traffic matches a rule's conditions (direction, protocol, ports, source or destination ranges, and any target tags or service accounts), that rule's action (allow or deny) is applied and no lower-precedence rule is consulted; when an allow and a deny match at the same priority, the deny wins. If no rule matches, the implied rules apply: all ingress is denied and all egress is allowed. This means only explicitly allowed traffic can reach an instance, while outbound traffic leaves freely unless you add egress deny rules. The Process Table shows examples of traffic types checked against rules and the resulting actions. Key points: rules are evaluated by priority, the highest-precedence match decides the outcome, and unmatched ingress traffic is denied by default.
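As an added example (not code from the original page or from Google), here is a small Python simulator of how GCP VPC firewall rules are evaluated: by priority number rather than by list order, deny winning a priority tie, and the implied rules filling in when nothing matches. It reproduces the Process Table outcomes and adds the egress case the table omits. The `Rule` and `Packet` shapes, the rule names and the sample addresses are assumptions for this example, not the Compute Engine API schema.

```python
"""Priority-based evaluation of GCP-style VPC firewall rules (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                   # 0..65535, lower number = higher precedence
    direction: str                  # "INGRESS" or "EGRESS"
    action: str                     # "allow" or "deny"
    protocol: str                   # "tcp", "udp", "icmp" or "all"
    ports: tuple = ()               # empty = every port (tcp/udp only)
    ranges: tuple = ("0.0.0.0/0",)  # sourceRanges (ingress) / destinationRanges (egress)


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    port: Optional[int]             # None for protocols without ports (icmp)
    remote_ip: str                  # source for ingress, destination for egress


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    # Port lists only constrain tcp/udp; an icmp packet has no port to compare.
    if rule.ports and pkt.protocol in ("tcp", "udp") and pkt.port not in rule.ports:
        return False
    ip = ipaddress.ip_address(pkt.remote_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in rule.ranges)


def evaluate(rules, pkt: Packet) -> tuple[str, str]:
    """Return (action, rule_name); rule_name is 'implied' for the implied rules."""
    matched = [r for r in rules if rule_matches(r, pkt)]
    if not matched:
        # Implied rules at priority 65535: deny all ingress, allow all egress.
        return ("deny" if pkt.direction == "INGRESS" else "allow", "implied")
    best = min(r.priority for r in matched)
    winners = [r for r in matched if r.priority == best]
    denies = [r for r in winners if r.action == "deny"]
    chosen = denies[0] if denies else winners[0]   # deny wins a priority tie
    return (chosen.action, chosen.name)


# Rules behind the page's Process Table (names and priorities assumed).
PAGE_RULES = (
    Rule("allow-http", 1000, "INGRESS", "allow", "tcp", (80,)),
    Rule("deny-all-other", 65534, "INGRESS", "deny", "all"),
)

# Constructed sample remote address (documentation range).
REMOTE = "198.51.100.7"


def page_table() -> dict[str, str]:
    """Process Table outcomes plus an egress check the table does not show."""
    checks = {
        "tcp/80": Packet("INGRESS", "tcp", 80, REMOTE),
        "tcp/22": Packet("INGRESS", "tcp", 22, REMOTE),
        "udp/53": Packet("INGRESS", "udp", 53, REMOTE),
        "icmp": Packet("INGRESS", "icmp", None, REMOTE),
        "tcp/443": Packet("INGRESS", "tcp", 443, REMOTE),
        "egress tcp/443": Packet("EGRESS", "tcp", 443, REMOTE),
    }
    return {name: evaluate(PAGE_RULES, pkt)[0] for name, pkt in checks.items()}


def list_order_is_irrelevant() -> bool:
    """The deny-all listed first still loses to the higher-precedence allow."""
    reversed_rules = tuple(reversed(PAGE_RULES))
    return evaluate(reversed_rules, Packet("INGRESS", "tcp", 80, REMOTE)) == ("allow", "allow-http")


def tie_goes_to_deny() -> tuple[str, str]:
    """Allow and deny for tcp/22 at the same priority: the deny is applied."""
    rules = (
        Rule("allow-ssh", 1000, "INGRESS", "allow", "tcp", (22,)),
        Rule("deny-ssh", 1000, "INGRESS", "deny", "tcp", (22,)),
    )
    return evaluate(rules, Packet("INGRESS", "tcp", 22, REMOTE))


if __name__ == "__main__":
    for name, action in page_table().items():
        print(f"{name:15} -> {action}")
    print("list order irrelevant:", list_order_is_irrelevant())
    print("tie:", tie_goes_to_deny())
```

The egress row is the one worth remembering: with only the two ingress rules from the table, an instance can still open outbound connections anywhere, because the implied allow-egress rule matches when nothing else does.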

Practice

1. What is the main purpose of a firewall rule in Google Cloud Platform?
easy
A. To control network traffic by allowing or blocking it based on defined conditions
B. To store data securely in the cloud
C. To monitor user activity logs
D. To automatically backup virtual machines

Solution

  1. Step 1: Understand what firewall rules do

    Firewall rules are designed to control network traffic by specifying which traffic is allowed or denied.
  2. Step 2: Identify the correct function in GCP context

    In GCP, firewall rules specifically allow or block traffic based on protocols, ports, and IP ranges.
  3. Final Answer:

    To control network traffic by allowing or blocking it based on defined conditions -> Option A
  4. Quick Check:

    Firewall rules control traffic = A [OK]
Hint: Firewall rules manage traffic access, not data or backups [OK]
Common Mistakes:
  • Confusing firewall rules with data storage
  • Thinking firewall rules monitor logs
  • Assuming firewall rules handle backups
2. Which of the following is the correct way to specify a firewall rule to allow TCP traffic on port 80 from any IP address in GCP?
easy
A. protocol: 'tcp', ports: ['80'], sourceRanges: ['0.0.0.0/0']
B. protocol: 'udp', ports: ['80'], sourceRanges: ['0.0.0.0/0']
C. protocol: 'tcp', ports: ['22'], sourceRanges: ['0.0.0.0/0']
D. protocol: 'icmp', ports: ['80'], sourceRanges: ['0.0.0.0/0']

Solution

  1. Step 1: Identify the protocol and port for HTTP traffic

    HTTP uses TCP protocol on port 80.
  2. Step 2: Check the source IP range

    '0.0.0.0/0' means any IP address, which matches the requirement. In the Compute Engine API the protocol and ports sit inside the rule's "allowed" list as {"IPProtocol": "tcp", "ports": ["80"]}; the equivalent gcloud form is `--allow tcp:80 --source-ranges 0.0.0.0/0`. A rule this wide should be scoped with target tags or a target service account so it applies only to the web-serving instances.
  3. Final Answer:

    protocol: 'tcp', ports: ['80'], sourceRanges: ['0.0.0.0/0'] -> Option A
  4. Quick Check:

    TCP port 80 from any IP = A [OK]
Hint: HTTP uses TCP port 80; source 0.0.0.0/0 means all IPs [OK]
Common Mistakes:
  • Using UDP instead of TCP for HTTP
  • Specifying wrong port like 22
  • Using ICMP protocol for port-based rules
3. Given this firewall rule in GCP:
{"direction": "INGRESS", "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "sourceRanges": ["192.168.1.0/24"]}

Which traffic will be allowed?
medium
A. UDP traffic on port 22 from IP 192.168.1.15
B. TCP traffic on port 22 from IP 192.168.1.15
C. TCP traffic on port 80 from IP 192.168.1.15
D. TCP traffic on port 22 from IP 10.0.0.5

Solution

  1. Step 1: Analyze the allowed protocol and port

    The rule allows TCP protocol on port 22 only.
  2. Step 2: Check the source IP range

    Only IPs in 192.168.1.0/24 are allowed, so 192.168.1.15 is included, but 10.0.0.5 is not.
  3. Final Answer:

    TCP traffic on port 22 from IP 192.168.1.15 -> Option B
  4. Quick Check:

    TCP port 22 from 192.168.1.x allowed = B [OK]
Hint: Match protocol, port, and source IP range exactly [OK]
Common Mistakes:
  • Allowing wrong port like 80
  • Allowing UDP instead of TCP
  • Ignoring source IP range restrictions
4. You created a firewall rule to allow TCP traffic on port 443 from IP range 10.0.0.0/16, but your VM instances cannot receive HTTPS traffic. What is the most likely mistake?
medium
A. The protocol should be UDP instead of TCP
B. The port number should be 80 instead of 443
C. The sourceRanges should be 0.0.0.0/0 to allow all traffic
D. The firewall rule direction is set to EGRESS instead of INGRESS

Solution

  1. Step 1: Understand traffic direction for incoming HTTPS

    HTTPS traffic comes into the VM, so firewall rule must be INGRESS.
  2. Step 2: Check the rule direction

    If the rule is EGRESS, it only controls traffic leaving the VM, so incoming HTTPS is still blocked by the implied deny-ingress rule. Before changing anything else, also confirm the rule is attached to the VM's VPC network, that its target tags or target service account match the instance, and that the client really sits inside 10.0.0.0/16; any of those mismatches produces the same symptom.
  3. Final Answer:

    The firewall rule direction is set to EGRESS instead of INGRESS -> Option D
  4. Quick Check:

    Ingress needed for incoming traffic = D [OK]
Hint: Ingress rules allow incoming traffic; check direction [OK]
Common Mistakes:
  • Confusing ingress and egress directions
  • Changing port from 443 to 80 incorrectly
  • Opening sourceRanges too wide unnecessarily
5. You want to create a firewall rule that allows SSH (TCP port 22) access only from your office IP 203.0.113.5 and blocks all other SSH traffic. Which configuration achieves this securely?
hard
A. Allow TCP port 22 from 203.0.113.5 and deny TCP port 22 from 0.0.0.0/0
B. Allow TCP port 22 from 0.0.0.0/0 and deny TCP port 22 from 203.0.113.5
C. Allow TCP port 22 from 203.0.113.5 only, no other rules needed
D. Deny all TCP traffic and allow UDP port 22 from 203.0.113.5

Solution

  1. Step 1: Understand default firewall behavior

    GCP's implied deny-ingress rule (priority 65535) blocks all incoming traffic that no other rule allows; egress is allowed by default. In a custom VPC network with no other rules, nothing reaches port 22 until you allow it.
  2. Step 2: Allow only SSH from office IP

    Allowing TCP port 22 from 203.0.113.5/32 permits SSH from that address only; the implied deny blocks everyone else, so no explicit deny is needed.
  3. Step 3: Check for existing allows and avoid equal-priority conflicts

    Option C only holds if no other rule already opens port 22. The default network ships with default-allow-ssh (TCP 22 from 0.0.0.0/0 at priority 65534), which must be deleted, or overridden by a deny at a priority below 65534, or the office allow changes nothing. Option A's explicit deny is not wrong in itself, but it only works if the allow has a numerically lower priority than the deny; at equal priority deny wins and the office is locked out too.
  4. Final Answer:

    Allow TCP port 22 from 203.0.113.5 only, no other rules needed -> Option C
  5. Quick Check:

    Allow trusted IP only; implied deny blocks others = C [OK]
Hint: Allow trusted IP only; implied deny blocks others, provided no pre-existing rule (such as default-allow-ssh) opens port 22 [OK]
Common Mistakes:
  • Adding unnecessary deny rules causing conflicts
  • Allowing all IPs then trying to deny one
  • Using wrong protocol or port
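Added example, not part of the original page or any Google tooling: a Python audit of the question 5 rule set that reports, by priority, which allow rules still expose TCP port 22 to 0.0.0.0/0 and which allows are cancelled by a deny at the same or a lower priority number. It covers the default network case, where the page's option C alone is not enough because default-allow-ssh at priority 65534 still admits the world, and the equal-priority tie that makes option A dangerous. Rule shapes, rule names and the deny rule's priority of 65000 are assumptions; only default-allow-ssh's port, range and priority reflect GCP's default network.

```python
"""Audit SSH exposure in a GCP-style ingress rule set (added example)."""
from __future__ import annotations

import ipaddress


def covers(deny_ranges, allow_ranges) -> bool:
    """True when every allow range lies inside some deny range (IPv4 assumed)."""
    denies = [ipaddress.ip_network(r, strict=False) for r in deny_ranges]
    return all(
        any(ipaddress.ip_network(a, strict=False).subnet_of(d) for d in denies)
        for a in allow_ranges
    )


def touches_ssh(rule: dict) -> bool:
    """Rule applies to tcp/22: protocol tcp or all, port list empty or containing 22."""
    return rule["protocol"] in ("tcp", "all") and (not rule["ports"] or 22 in rule["ports"])


def audit_ssh(rules) -> dict[str, list[str]]:
    """Return allow rules exposing tcp/22 to the internet and allows cancelled by a deny.

    A deny cancels (shadows) an allow when it covers every source range of the
    allow and its priority number is lower or equal, since deny wins a tie.
    """
    allows = [r for r in rules if r["action"] == "allow" and touches_ssh(r)]
    denies = [r for r in rules if r["action"] == "deny" and touches_ssh(r)]
    shadowed = [
        a["name"] for a in allows
        if any(d["priority"] <= a["priority"] and covers(d["source_ranges"], a["source_ranges"])
               for d in denies)
    ]
    exposed = [
        a["name"] for a in allows
        if a["name"] not in shadowed
        and any(ipaddress.ip_network(r, strict=False).prefixlen == 0 for r in a["source_ranges"])
    ]
    return {"exposed": exposed, "shadowed": shadowed}


# The default network's pre-created SSH rule (real priority, port and range).
DEFAULT_ALLOW_SSH = {"name": "default-allow-ssh", "priority": 65534, "action": "allow",
                     "protocol": "tcp", "ports": [22], "source_ranges": ["0.0.0.0/0"]}
# The office allow from question 5 (name assumed; priority 1000 is the gcloud default).
OFFICE_ALLOW = {"name": "allow-ssh-office", "priority": 1000, "action": "allow",
                "protocol": "tcp", "ports": [22], "source_ranges": ["203.0.113.5/32"]}
# A catch-all deny for SSH; name and priority are assumptions for this example.
DENY_SSH_WORLD = {"name": "deny-ssh-world", "priority": 65000, "action": "deny",
                  "protocol": "tcp", "ports": [22], "source_ranges": ["0.0.0.0/0"]}


def scenarios() -> dict[str, dict[str, list[str]]]:
    """The four configurations worth comparing for question 5."""
    return {
        # Option C applied to the default network: the world still gets in.
        "default network + office allow": audit_ssh([DEFAULT_ALLOW_SSH, OFFICE_ALLOW]),
        # Option A done right: deny sits below the office allow but above default-allow-ssh.
        "plus deny-ssh-world at 65000": audit_ssh([DEFAULT_ALLOW_SSH, OFFICE_ALLOW, DENY_SSH_WORLD]),
        # Option A done wrong: deny at the office allow's priority locks the office out.
        "office allow and deny at same priority": audit_ssh(
            [OFFICE_ALLOW, dict(DENY_SSH_WORLD, priority=1000)]),
        # Option C in a custom network with no pre-created rules.
        "custom network, office allow only": audit_ssh([OFFICE_ALLOW]),
    }


if __name__ == "__main__":
    for label, report in scenarios().items():
        print(f"{label}: {report}")
```

Run it before and after a change to an SSH rule: an empty "exposed" list with the office allow absent from "shadowed" is the state question 5 is asking for, and the second scenario shows that an explicit deny is safe only when its priority number is strictly higher than the office allow's.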