Securing your GCP network by filtering what traffic is allowed and not allowed is a vital skill necessary for any Google Cloud administrator. We are going to go over a simple scenario which will introduce the basics of working with GCP’s firewall.
When it comes to working with firewalls rules on GCP, it is important to know that:
All Ingress (incoming) traffic is denied by default.
All Egress (Outgoing) traffic is allowed by default.
This means that if you do not explicitly create a rule to allow network traffic for a given protocol/port, it will be blocked by default.
In our scenario, we have a Compute Engine instance named ‘vnc-desktop’ with the GNOME desktop environment installed, and we want to be able to remove into the desktop environment using VNC from our home computer. To do so, we need to allow TCP port 5901 to access this instance, without allowing the same traffic to the rest of our GCP environment. We are going to accomplish this with a firewall rule combined with network tags to limit what the rule applies to.
By default, TCP port 5901 is blocked, preventing us from remote access via VNC to our desktop. Let’s fix this.
From the Google Cloud web console, go to the top left menu, scroll down to VPC Networks, and select Firewall Rules from the pop-out menu.
From the Firewall rules menu, click CREATE FIREWALL RULE from the top.
We’re now going to go over the options for firewall rules and choose the correct ones for our scenario.
Name – give your rule a name. Be sure there are no spaces and all lower case.
Description – describes what this firewall rule is for
Network – if you have more than one VPC network, choose it from this list. Otherwise it will default to the ‘default’ VPC.
Priority – If multiple firewall rules overlap or have a conflict, the rule with the lower priority number ‘wins’ and is the rule that is applied.
Direction of traffic – Ingress = incoming traffic, Egress = outgoing traffic
Action on match – allow or deny access based on meeting the rule condition
Targets – what does this firewall rule apply to? We have several options:
All Instances in the network – global rule to apply to entire VPC network
- Specified target tags – only apply this rule to instances that have specific tags
- Specified service account – only apply rule to instances with specified Compute Engine service account
Source filter – determines when to apply this rule based on the source location of originating network traffic. If you want this rule to apply to traffic from anywhere on the Internet, you can type 0.0.0.0/0 to apply it to all possible sources of traffic.
We also have the options of applying our source filter to a specific subnet, Compute Engine instances with a specific service account, instances with specific network tags.
Protocol and ports – what protocol/ports are we either allowing or denying access to our network?
- Allow all – allows all traffic to our network (this is NOT recommended unless for testing)
- Specified protocols and ports – choose which protocol/ports this rule will either allow or deny
For our scenario, we want to allow access for TCP port 5901 only to instances with the tag ‘vnc-server’ without exposing the rest of our network to the same port. We want to be able to remote to our desktop from any public computer. Therefore our settings are in the below screenshot, and also as follows:
Name – vnc-server
Description – Allow VNC remote access to instances with the ‘vnc-server’ tag
Network – default
Priority – 1000
Direction of traffic – Ingress (for incoming traffic)
Action on match – Allow (to allow access)
Targets – Specified target tags (to apply ONLY to my vnc-desktop instance and nothing else)
Target tags – vnc-server
Source filter – IP ranges
Source IP ranges – 0.0.0.0/0 to allow from anywhere on the Internet. If we want to more tightly control access, we could use our own external IP address instead.
Protocols and ports – specified ports – tcp:5901
Once this is done, click Create.
Great! Our firewall rule is created, but we still cannot remote to our Linux desktop because our ‘vnc-desktop’ instance does not have the network tag we specified as our firewall rule target. Let’s fix that now.
Go to Compute Engine and click on our instance ‘vnc-desktop’, then click Edit.
Under Network tags, type the name of our network tag to match the firewall target. In this case, ‘vnc-server’. Then scroll to the bottom to and click Save to save changes.
Awesome! Let’s see if this works. If we did everything correctly, we create a firewall rule to allow TCP port 5901 on our default VPC to only be applied our ‘vnc-desktop’ instance based on the network tag ‘vnc-server’.
Open up your favorite VNC client, and attempt to connect by the external IP address of your instance followed by ‘:5901’. In our case, we will connect by 22.214.171.124:5901.
Enter your VNC server password when prompted.
And success! We now have remote access to our GNOME desktop on our Compute Engine instance, thanks to successfully opening up the correct port on the GCP Firewall.
There are MANY more possible configurations of the GCP firewall that offer both broad and very fine-tuned control of network exposure to your GCP environment. Mastering how to work with firewall rules is a vital component to securing your GCP environment while still allowing it to work at its full potential.
Sources / Resources
If you want to learn more about working with Firewalls on Google Cloud Platform, view Google’s documentation about the same subject here:
Also be on the look out for our upcoming Google Cloud Platform Security Essentials course, in which we’ll work further with firewall rules and other security-related topics as well.