Bird
Raised Fist0
GCPcloud~3 mins

Why Firewall rules concept in GCP? - Purpose & Use Cases

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
The Big Idea

What if your network could protect itself without you lifting a finger?

The Scenario

Imagine you have a small office network and you want to control who can enter or leave through the doors. Without clear rules, anyone might walk in or out freely, causing confusion and risk.

The Problem

Manually checking and opening or closing each door every time someone needs access is slow and tiring. It's easy to forget who should be allowed, leading to mistakes or security holes.

The Solution

Firewall rules act like smart guards at each door, automatically allowing or blocking traffic based on clear instructions. This keeps your network safe and running smoothly without constant manual work.

Before vs After
Before
Check each IP and port manually every time someone connects
After
Create firewall rules that automatically allow or block traffic based on IP and port
What It Enables

Firewall rules let you protect your network easily and automatically, so only the right people and services can connect.

Real Life Example

A company uses firewall rules to let employees access internal apps but blocks all outside traffic except from trusted partners, keeping data safe.

Key Takeaways

Manual network control is slow and error-prone.

Firewall rules automate access control to improve security.

This helps keep networks safe and efficient without constant manual effort.

Practice

(1/5)
1. What is the main purpose of a firewall rule in Google Cloud Platform?
easy
A. To control network traffic by allowing or blocking it based on defined conditions
B. To store data securely in the cloud
C. To monitor user activity logs
D. To automatically backup virtual machines

Solution

  1. Step 1: Understand what firewall rules do

    Firewall rules are designed to control network traffic by specifying which traffic is allowed or denied.

  2. Step 2: Identify the correct function in GCP context

    In GCP, firewall rules specifically allow or block traffic based on protocols, ports, and IP ranges.

  3. Final Answer:

    To control network traffic by allowing or blocking it based on defined conditions -> Option A

  4. Quick Check:

    Firewall rules control traffic = B [OK]
Hint: Firewall rules manage traffic access, not data or backups [OK]
Common Mistakes:
  • Confusing firewall rules with data storage
  • Thinking firewall rules monitor logs
  • Assuming firewall rules handle backups
2. Which of the following is the correct way to specify a firewall rule to allow TCP traffic on port 80 from any IP address in GCP?
easy
A. protocol: 'tcp', ports: ['80'], sourceRanges: ['0.0.0.0/0']
B. protocol: 'udp', ports: ['80'], sourceRanges: ['0.0.0.0/0']
C. protocol: 'tcp', ports: ['22'], sourceRanges: ['0.0.0.0/0']
D. protocol: 'icmp', ports: ['80'], sourceRanges: ['0.0.0.0/0']

Solution

  1. Step 1: Identify the protocol and port for HTTP traffic

    HTTP uses TCP protocol on port 80.

  2. Step 2: Check the source IP range

    '0.0.0.0/0' means any IP address, which matches the requirement.

  3. Final Answer:

    protocol: 'tcp', ports: ['80'], sourceRanges: ['0.0.0.0/0'] -> Option A

  4. Quick Check:

    TCP port 80 from any IP = A [OK]
Hint: HTTP uses TCP port 80; source 0.0.0.0/0 means all IPs [OK]
Common Mistakes:
  • Using UDP instead of TCP for HTTP
  • Specifying wrong port like 22
  • Using ICMP protocol for port-based rules
3. Given this firewall rule in GCP:
{"direction": "INGRESS", "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "sourceRanges": ["192.168.1.0/24"]}

Which traffic will be allowed?
medium
A. UDP traffic on port 22 from IP 192.168.1.15
B. TCP traffic on port 22 from IP 192.168.1.15
C. TCP traffic on port 80 from IP 192.168.1.15
D. TCP traffic on port 22 from IP 10.0.0.5

Solution

  1. Step 1: Analyze the allowed protocol and port

    The rule allows TCP protocol on port 22 only.

  2. Step 2: Check the source IP range

    Only IPs in 192.168.1.0/24 are allowed, so 192.168.1.15 is included, but 10.0.0.5 is not.

  3. Final Answer:

    TCP traffic on port 22 from IP 192.168.1.15 -> Option B

  4. Quick Check:

    TCP port 22 from 192.168.1.x allowed = C [OK]
Hint: Match protocol, port, and source IP range exactly [OK]
Common Mistakes:
  • Allowing wrong port like 80
  • Allowing UDP instead of TCP
  • Ignoring source IP range restrictions
4. You created a firewall rule to allow TCP traffic on port 443 from IP range 10.0.0.0/16, but your VM instances cannot receive HTTPS traffic. What is the most likely mistake?
medium
A. The protocol should be UDP instead of TCP
B. The port number should be 80 instead of 443
C. The sourceRanges should be 0.0.0.0/0 to allow all traffic
D. The firewall rule direction is set to EGRESS instead of INGRESS

Solution

  1. Step 1: Understand traffic direction for incoming HTTPS

    HTTPS traffic comes into the VM, so firewall rule must be INGRESS.

  2. Step 2: Check the rule direction

    If the rule is EGRESS, it controls outgoing traffic, so incoming HTTPS is blocked.

  3. Final Answer:

    The firewall rule direction is set to EGRESS instead of INGRESS -> Option D

  4. Quick Check:

    Ingress needed for incoming traffic = D [OK]
Hint: Ingress rules allow incoming traffic; check direction [OK]
Common Mistakes:
  • Confusing ingress and egress directions
  • Changing port from 443 to 80 incorrectly
  • Opening sourceRanges too wide unnecessarily
5. You want to create a firewall rule that allows SSH (TCP port 22) access only from your office IP 203.0.113.5 and blocks all other SSH traffic. Which configuration achieves this securely?
hard
A. Allow TCP port 22 from 203.0.113.5 and deny TCP port 22 from 0.0.0.0/0
B. Allow TCP port 22 from 0.0.0.0/0 and deny TCP port 22 from 203.0.113.5
C. Allow TCP port 22 from 203.0.113.5 only, no other rules needed
D. Deny all TCP traffic and allow UDP port 22 from 203.0.113.5

Solution

  1. Step 1: Understand default firewall behavior

    By default, GCP denies all traffic unless explicitly allowed.

  2. Step 2: Allow only SSH from office IP

    Allowing TCP port 22 from 203.0.113.5 only permits SSH from that IP; no deny rule needed.

  3. Step 3: Avoid conflicting rules

    Adding deny rules can cause conflicts; simplest is to allow only the trusted IP.

  4. Final Answer:

    Allow TCP port 22 from 203.0.113.5 only, no other rules needed -> Option C

  5. Quick Check:

    Allow trusted IP only; default deny others = A [OK]
Hint: Allow trusted IP only; default deny blocks others [OK]
Common Mistakes:
  • Adding unnecessary deny rules causing conflicts
  • Allowing all IPs then trying to deny one
  • Using wrong protocol or port