How to configure a firewall in Google Cloud Platform?

 Wednesday, 19 March 2025
GOOGLE

Google Cloud Platform (GCP) provides robust firewall capabilities to secure your cloud resources. Understanding and configuring these firewalls is crucial for protecting your instances, networks, and services from unauthorized access. This guide provides a comprehensive overview of how to configure firewalls in GCP, incorporating the latest features and best practices.

Understanding GCP Firewalls

GCP firewalls operate at the Virtual Private Cloud (VPC) network level. They are distributed, stateful inspection firewalls that are applied globally to all Compute Engine instances and other VPC resources. Key characteristics include:

  • VPC Network-Level: Firewalls are associated with VPC networks, providing network-wide security.
  • Distributed and Stateful: Firewalls are distributed throughout the network, ensuring high availability and performance. Stateful inspection means that the firewall keeps track of the state of network connections and only allows traffic based on the established connection context.
  • Implicit Deny: GCP firewalls operate under an implicit deny principle. Unless a rule is explicitly configured to allow traffic, it is blocked by default.
  • Rule-Based: Firewalls use rules that define criteria for allowing or denying traffic based on source IP address, destination IP address, port, protocol, and other factors.
  • Ingress and Egress Rules: Firewalls allow you to control both incoming (ingress) and outgoing (egress) traffic.

Key Components of a GCP Firewall Rule

A firewall rule in GCP is defined by the following key components:

  • Name: A descriptive name for the rule.
  • Network: The VPC network to which the rule applies.
  • Direction of traffic:
    • Ingress: Incoming traffic to the instances in the network.
    • Egress: Outgoing traffic from the instances in the network.

  • Action on match:
    • Allow: Allows traffic that matches the rule.
    • Deny: Blocks traffic that matches the rule.

  • Target tags or Service accounts: Specifies which instances the rule applies to. You can use tags (key-value pairs) associated with Compute Engine instances, or you can associate the firewall rule with specific service accounts. Using service accounts is the preferred approach for finer-grained control.
  • Source filter (for ingress rules): Specifies the source of the traffic. This can be:
    • IP ranges: One or more CIDR blocks defining the allowed source IP addresses.
    • Service accounts: Specifies traffic originating from instances running with a specific service account.
    • Tags: Specifies traffic originating from instances with a specific network tag.

  • Destination filter (for egress rules): Specifies the destination of the traffic. This can be IP ranges.
  • Protocols and ports: Specifies the protocol (e.g., TCP, UDP, ICMP) and port numbers that the rule applies to.
  • Priority: An integer value representing the priority of the rule. Lower numbers indicate higher priority (applied first). Rules are evaluated in priority order.
  • Log: Optional setting to log rule matches in Cloud Logging. Very important for auditing and security monitoring.
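As an added example (not code from the original article or from Google), the following simulator shows how the characteristics above combine when a packet is evaluated: rules are sorted by priority (lower number first, and on a tie a deny rule wins over an allow rule), a rule only applies to instances it targets, the first matching rule decides, and nothing matching falls through to GCP's implied rules (deny all ingress, allow all egress; the "implicit deny" the article describes is the ingress case). The rule dictionaries use the field names of the Compute API Firewall resource, which is assumed to be the shape `gcloud compute firewall-rules list --format=json` prints; the rule set, the service-account names and the 203.0.113.0/24 address range (an RFC 5737 documentation range) are constructed for illustration. Source tags and source service accounts are not modelled.

```python
"""Added example: evaluate a packet against a GCP-style VPC firewall rule set."""
import ipaddress

# Constructed rule set: the article's SSH, HTTP and internal-traffic rules, plus a
# deny rule with a lower number (higher priority) than the HTTP allow rule.
RULES = [
    {"name": "allow-ssh-from-office", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["203.0.113.0/24"],          # constructed "office" range
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "targetServiceAccounts": ["bastion-sa@example.iam.gserviceaccount.com"]},
    {"name": "allow-http-from-internet", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}],
     "targetTags": ["web"]},
    {"name": "deny-ssh-from-internet-to-web", "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["0.0.0.0/0"],
     "denied": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "targetTags": ["web"]},
    {"name": "allow-internal-vpc", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["10.128.0.0/16"],
     "allowed": [{"IPProtocol": "all"}]},         # no target: applies to all instances
]


def _port_matches(port, port_specs):
    """Port specs are strings like "22" or "8000-8080"; no list means any port."""
    if not port_specs:
        return True
    for spec in port_specs:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _protocol_matches(packet, entries):
    """An entry is {"IPProtocol": "tcp", "ports": [...]}; protocol "all" matches everything."""
    for entry in entries:
        proto = entry["IPProtocol"].lower()
        if proto == "all":
            return True
        if proto == packet["protocol"] and _port_matches(packet.get("port", 0), entry.get("ports")):
            return True
    return False


def _target_matches(rule, instance):
    """A rule with neither target tags nor target service accounts applies to every instance."""
    tags = rule.get("targetTags")
    sas = rule.get("targetServiceAccounts")
    if not tags and not sas:
        return True
    return bool(set(tags or ()) & set(instance.get("tags", ()))) or instance.get("serviceAccount") in (sas or ())


def evaluate(rules, packet, instance):
    """Return (action, rule_name) for a packet seen by `instance`.

    packet: {"direction": "INGRESS"|"EGRESS", "protocol": "tcp"|"udp"|"icmp",
             "port": int, "peer_ip": remote address (source for ingress, destination for egress)}
    instance: {"tags": [...], "serviceAccount": "..."}
    """
    direction = packet["direction"]
    addr = ipaddress.ip_address(packet["peer_ip"])
    range_key = "sourceRanges" if direction == "INGRESS" else "destinationRanges"
    # Lowest priority number first; on equal priority a deny rule beats an allow rule.
    for rule in sorted(rules, key=lambda r: (r["priority"], 0 if r.get("denied") else 1)):
        if rule.get("disabled") or rule["direction"] != direction:
            continue
        if not _target_matches(rule, instance):
            continue
        ranges = rule.get(range_key)
        if not ranges:
            if rule.get("sourceTags") or rule.get("sourceServiceAccounts"):
                continue                           # identity-based sources are not modelled here
            ranges = ["0.0.0.0/0"]                 # GCP's default when no source/destination is given
        if not any(addr in ipaddress.ip_network(r) for r in ranges):
            continue
        if _protocol_matches(packet, rule.get("allowed", [])):
            return "ALLOW", rule["name"]
        if _protocol_matches(packet, rule.get("denied", [])):
            return "DENY", rule["name"]
    # Nothing matched: GCP's implied rules apply.
    return ("DENY", "implied-deny-ingress") if direction == "INGRESS" else ("ALLOW", "implied-allow-egress")


if __name__ == "__main__":
    web = {"tags": ["web"], "serviceAccount": "web-sa@example.iam.gserviceaccount.com"}
    for port in (22, 443, 3389):
        pkt = {"direction": "INGRESS", "protocol": "tcp", "port": port, "peer_ip": "198.51.100.7"}
        print(port, evaluate(RULES, pkt, web))
```

The three printed cases show the ordering at work: SSH to a `web` instance from the internet hits the priority-900 deny rule before the priority-1000 allow rules are considered, HTTPS is allowed by `allow-http-from-internet`, and RDP matches nothing and is dropped by the implied ingress deny.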

Configuring a Firewall in GCP: Step-by-Step

You can configure firewalls in GCP using the Google Cloud Console, the gcloud command-line tool, or the Cloud Client Libraries. We'll walk through the process using the Cloud Console.

  1. Access the Firewall Rules Page:


  2. Create a New Firewall Rule:

    • Click on the "Create firewall rule" button.

  3. Configure the Firewall Rule:

    Fill in the following details:

    • Name: Enter a descriptive name (e.g., allow-ssh-from-external).

    • Network: Choose the VPC network where you want to apply this rule.

    • Priority: Choose a priority (e.g., 1000 is a good default). Lower numbers mean higher priority.

    • Direction of traffic: Select either "Ingress" or "Egress". For an SSH rule allowing incoming SSH access, choose "Ingress".

    • Action on match: Select "Allow".

    • Targets: Choose "All instances in the network" only for testing; best practice is to target the specific service accounts used by the instances that need SSH. You can also use network tags if appropriate.

    • Source filter: Choose source IP ranges.
      For public SSH, enter the public IP address ranges of the clients that will connect to you over SSH. The most permissive choice, 0.0.0.0/0, is strongly discouraged and is not best-practice security.

    • Protocols and ports: Select "TCP" and enter the port number "22" for SSH.


  4. Enable Logging (Highly Recommended): Check the "Log" checkbox to enable logging for this rule. This is crucial for auditing and troubleshooting.

  5. Create the Rule:

    • Click on the "Create" button.

Example Firewall Rules

Here are a few common example firewall rules and their configurations:

Allowing SSH Access (Ingress)

  • Name: allow-ssh-from-external
  • Network: default (or your custom network)
  • Direction of traffic: Ingress
  • Action on match: Allow
  • Targets: Specified Service Accounts, Target Tags, or "All instances in the network" (use sparingly in production).
  • Source filter: IP ranges
  • Source IP Ranges: A limited IP Range. Restrict if possible. DO NOT USE 0.0.0.0/0 in production for general SSH.
  • Protocols and ports: TCP:22
  • Priority: 1000
  • Log: Enabled

Allowing HTTP Traffic (Ingress)

  • Name: allow-http-from-internet
  • Network: default (or your custom network)
  • Direction of traffic: Ingress
  • Action on match: Allow
  • Targets: Specified Service Accounts, Target Tags.
  • Source filter: IP ranges
  • Source IP Ranges: 0.0.0.0/0 (All internet IP Addresses)
  • Protocols and ports: TCP:80
  • Priority: 1000
  • Log: Enabled

Allowing HTTPS Traffic (Ingress)

  • Name: allow-https-from-internet
  • Network: default (or your custom network)
  • Direction of traffic: Ingress
  • Action on match: Allow
  • Targets: Specified Service Accounts, Target Tags.
  • Source filter: IP ranges
  • Source IP Ranges: 0.0.0.0/0 (All internet IP Addresses)
  • Protocols and ports: TCP:443
  • Priority: 1000
  • Log: Enabled

Allowing Internal Traffic within the VPC (Ingress and Egress)

  • Name: allow-internal-vpc
  • Network: default (or your custom network)
  • Direction of traffic: Ingress
  • Action on match: Allow
  • Targets: All instances in the network, target tags, or Service Accounts.
  • Source filter: IP ranges
  • Source IP Ranges: 10.128.0.0/16 (Modify to fit your particular subnet network).
  • Protocols and ports: All (or specify only required)
  • Priority: 1000
  • Log: Enabled


  • Name: allow-egress-internal-vpc
  • Network: default (or your custom network)
  • Direction of traffic: Egress
  • Action on match: Allow
  • Destination filter: IP ranges
  • Destination IP Ranges: 10.128.0.0/16 (Modify to fit your particular subnet network).
  • Protocols and ports: All (or specify only required)
  • Priority: 1000
  • Log: Enabled

Advanced Firewall Configuration

Beyond basic firewall rules, GCP offers advanced configuration options to fine-tune your security posture:

  • Hierarchical Firewall Policies: These allow you to manage firewall rules centrally across your organization hierarchy (organization, folder, and project levels). This allows you to define consistent security policies that apply across multiple projects.
  • Service Accounts: Instead of relying solely on network tags, you can associate firewall rules with service accounts. This allows you to control traffic based on the identity of the applications running on your instances, providing more granular access control.
  • Regional Firewall Policies: Provide layer 7 features such as intrusion detection and prevention (IDPS) capabilities.
  • Firewall Insights: A feature that helps you identify potentially overly permissive firewall rules and recommends optimizations. It analyzes your traffic logs and highlights rules that are not being used effectively.
  • Logging and Monitoring: Enable firewall logging and use Cloud Monitoring to track firewall activity, detect anomalies, and gain insights into your network traffic patterns. Cloud Logging integrates with firewall rules, providing valuable information for auditing, troubleshooting, and security analysis. Enable logging on every rule if practical, unless doing so has large performance consequences (which is rare).
  • Network Tags: Tags are strings you add to instances. You can target tags in firewall rules, and they can be applied and modified with more agility than service-account-based policies. Tags are not suitable when a policy must be based on the identity of the workload, but they work well for simple instance-targeted rules that do not change with the applications installed on the VMs.

Best Practices for GCP Firewall Management

Following these best practices will help you effectively manage your GCP firewalls and maintain a strong security posture:

  • Least Privilege Principle: Only allow the necessary traffic. Avoid overly permissive rules such as a 0.0.0.0/0 source unless absolutely necessary, and then only temporarily. Use fine-grained source IP filters or, better still, target rules at the specific service accounts used by your GCP instances.
  • Regular Audits: Review your firewall rules regularly to ensure they are still necessary and appropriate. Remove or update obsolete rules. Consider reviewing at least quarterly to evaluate changes and risks.
  • Use Descriptive Names: Give your firewall rules descriptive names that clearly indicate their purpose. This makes it easier to manage and maintain the rules.
  • Document Your Rules: Keep a record of the purpose, justification, and history of each firewall rule. This documentation will be invaluable for troubleshooting, auditing, and making future changes.
  • Use Automation: Employ infrastructure-as-code tools (e.g., Terraform, Deployment Manager) to automate the creation and management of your firewall rules. This ensures consistency and reduces the risk of errors.
  • Enable logging: Enable firewall rule logging for effective threat detection and post-incident reviews.
  • Test Thoroughly: Before deploying firewall rule changes to production, thoroughly test them in a non-production environment.
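The Least Privilege, Regular Audits and Enable Logging practices above, and the kind of overly permissive rule that Firewall Insights is described as flagging in the Advanced Firewall Configuration section, can be checked offline against an exported rule list. The following is an added example (not code from the original article, from Google, or from Firewall Insights): it walks a list of rule dictionaries in the field layout of the Compute API Firewall resource (assumed here to be the shape `gcloud compute firewall-rules list --format=json` prints) and reports management ports exposed to 0.0.0.0/0, rules without logging, rules that apply to every instance, and disabled rules that are candidates for removal. The sample rule set and the service-account name are constructed for illustration, and the port list (SSH plus RDP) is this example's choice.

```python
"""Added example: audit an exported GCP firewall rule list against the article's best practices."""
import ipaddress

# Management ports to look for on internet-facing allow rules (this example's choice).
ADMIN_PORTS = {22: "ssh", 3389: "rdp"}

# Constructed input: one over-permissive rule, one well-scoped rule, one internal rule, one stale rule.
SAMPLE_RULES = [
    {"name": "allow-ssh-from-external", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
     "logConfig": {"enable": False}},                       # no targets: all instances
    {"name": "allow-https-from-internet", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
     "targetServiceAccounts": ["web-sa@example.iam.gserviceaccount.com"],
     "logConfig": {"enable": True}},
    {"name": "allow-internal-vpc", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["10.128.0.0/16"], "allowed": [{"IPProtocol": "all"}],
     "logConfig": {"enable": True}},
    {"name": "old-test-rule", "direction": "INGRESS", "priority": 65000, "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}],
     "logConfig": {"enable": False}},
]


def _covers_port(entries, port):
    """True if an allow entry list includes TCP `port` (or a range containing it) or every protocol."""
    for e in entries:
        proto = e["IPProtocol"].lower()
        if proto == "all":
            return True
        if proto != "tcp":
            continue
        if not e.get("ports"):                                # tcp with no ports means all ports
            return True
        for spec in e["ports"]:
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False


def _open_to_world(rule):
    """Any source range with a /0 prefix (0.0.0.0/0 or ::/0) means the whole internet."""
    return any(ipaddress.ip_network(r).prefixlen == 0 for r in rule.get("sourceRanges", []))


def audit(rules):
    """Return a list of (rule_name, severity, message) findings; an empty list means clean."""
    findings = []
    for rule in rules:
        name = rule["name"]
        if rule.get("disabled"):
            findings.append((name, "low", "rule is disabled; remove it if obsolete"))
            continue                                          # passes no traffic, skip the other checks
        if not rule.get("logConfig", {}).get("enable"):
            findings.append((name, "medium", "logging is not enabled"))
        if rule["direction"] != "INGRESS" or not rule.get("allowed"):
            continue                                          # the remaining checks concern ingress allows
        untargeted = not rule.get("targetTags") and not rule.get("targetServiceAccounts")
        if _open_to_world(rule):
            for port, label in ADMIN_PORTS.items():
                if _covers_port(rule["allowed"], port):
                    findings.append((name, "high", f"{label} (tcp/{port}) allowed from 0.0.0.0/0"))
            if untargeted:
                findings.append((name, "medium", "applies to all instances and is open to the internet"))
        elif untargeted:
            findings.append((name, "low", "applies to all instances; prefer target service accounts or tags"))
    return findings


if __name__ == "__main__":
    for rule_name, severity, message in audit(SAMPLE_RULES):
        print(f"[{severity:6}] {rule_name}: {message}")
```

On the constructed input the SSH rule produces three findings (no logging, SSH open to the internet, and untargeted while internet-facing), the HTTPS rule none, the internal rule a low-severity note about targeting, and the disabled rule a removal reminder. To run it against a real project, replace `SAMPLE_RULES` with the parsed JSON from the `gcloud` export and review the output as part of the quarterly audit.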

Conclusion

Configuring firewalls correctly in Google Cloud Platform is a critical aspect of securing your cloud infrastructure. By understanding the key components of GCP firewalls, following the step-by-step configuration process, and implementing best practices, you can effectively protect your resources from unauthorized access and maintain a strong security posture. Regularly review and update your firewall rules to adapt to evolving threats and ensure your security remains effective. Use features such as Firewall Insights, service accounts and network tags for maximum control and flexibility, and hierarchical firewall policies for scaling policies to whole organizations.
