Introduction

Securing your GCP network by controlling which traffic is allowed in and out is a vital skill for any Google Cloud administrator. We are going to walk through a simple scenario that introduces the basics of working with GCP's VPC firewall rules.

Getting Started

When working with firewall rules on GCP, it is important to know that every VPC network carries two implied rules that cannot be deleted:

All ingress (incoming) traffic is denied by default.

All egress (outgoing) traffic is allowed by default.

This means that if you do not explicitly create a rule to allow inbound traffic for a given protocol/port, it will be blocked. One caveat: the automatically created 'default' network also ships with pre-populated rules (default-allow-internal, default-allow-ssh, default-allow-rdp and default-allow-icmp), and the last three accept SSH, RDP and ICMP from 0.0.0.0/0. "Denied by default" describes the implied rule, not what a fresh default network actually exposes, so review those rules before relying on the implied deny.

In our scenario, we have a Compute Engine instance named 'vnc-desktop' with the GNOME desktop environment installed, and we want to be able to remote into that desktop using VNC from our home computer. To do so, we need to allow TCP port 5901 to reach this instance, without allowing the same traffic to the rest of our GCP environment. We are going to accomplish this with a firewall rule combined with a network tag that limits which instances the rule applies to.

By default, TCP port 5901 is blocked, preventing us from remote access via VNC to our desktop. Let’s fix this.

From the Google Cloud web console, go to the top left menu, scroll down to VPC Networks, and select Firewall Rules from the pop-out menu.


From the Firewall rules menu, click CREATE FIREWALL RULE from the top.


We’re now going to go over the options for firewall rules and choose the correct ones for our scenario.

Name – give your rule a name. It must be lowercase letters, digits and hyphens only, starting with a letter and no longer than 63 characters; spaces and uppercase letters are rejected.

Description – describes what this firewall rule is for

Network – if you have more than one VPC network, choose it from this list. Otherwise it will default to the ‘default’ VPC.

Priority – an integer from 0 to 65535 (the console defaults to 1000). If multiple firewall rules match the same traffic, the rule with the lowest priority number 'wins' and is the one applied. The implied deny-ingress and allow-egress rules sit at the lowest possible priority, 65535, so any rule you create overrides them.

Direction of traffic – Ingress = incoming traffic, Egress = outgoing traffic

Action on match – allow or deny access based on meeting the rule condition

Targets – what does this firewall rule apply to? We have several options:

  • All instances in the network – apply the rule to every instance in the VPC network
  • Specified target tags – only apply this rule to instances that carry specific network tags
  • Specified service account – only apply this rule to instances that run as the specified Compute Engine service account

A single rule cannot target both tags and service accounts; pick one.

Source filter – determines which traffic this rule matches based on where it originates. If you want the rule to apply to traffic from anywhere on the Internet, enter 0.0.0.0/0 as the IP range.

Instead of an IP range you can also match on a specific subnet, on Compute Engine instances that run as a specific service account, or on instances carrying specific network tags. Source tags and source service accounts only match traffic from instances inside the same VPC network, not from the Internet, so for our home-computer scenario the IP range filter is the right one.

Protocol and ports – what protocol/ports are we either allowing or denying access to our network?

  • Allow all – matches every protocol and port (combined with a 0.0.0.0/0 source this exposes everything on the instance; only use it for testing)
  • Specified protocols and ports – choose which protocol/ports this rule will either allow or deny

For our scenario, we want to allow TCP port 5901 only to instances with the tag 'vnc-server', without exposing the rest of our network on the same port, and we want to be able to reach our desktop from any public computer. Our settings are therefore as follows:


Name – vnc-server

Description – Allow VNC remote access to instances with the ‘vnc-server’ tag

Network – default

Priority – 1000

Direction of traffic – Ingress (for incoming traffic)

Action on match – Allow (to allow access)

Targets – Specified target tags (so the rule applies only to instances carrying the tag, which in our case is the single vnc-desktop instance; note that any instance given the same tag later will also be opened up)

Target tags – vnc-server

Source filter – IP ranges

Source IP ranges – 0.0.0.0/0 to allow from anywhere on the Internet. Be aware of what that means: the VNC server becomes reachable by every scanner on the Internet, and classic VNC authentication is a DES challenge-response whose password is truncated to 8 characters, so it should not be the only thing standing between the Internet and your desktop. If we want to control access more tightly, we can use our own external IP address as a /32 instead (the rule can be updated later if the address changes), or keep the port closed to the Internet entirely and tunnel the VNC session over SSH.

Protocols and ports – specified ports – tcp:5901

Once this is done, click Create.

Great! Our firewall rule is created, but we still cannot remote to our Linux desktop because our ‘vnc-desktop’ instance does not have the network tag we specified as our firewall rule target. Let’s fix that now.

Go to Compute Engine and click on our instance ‘vnc-desktop’, then click Edit.

Under Network tags, type the name of our network tag so that it matches the firewall target. In this case, 'vnc-server'. Then scroll to the bottom and click Save to save changes. Keep in mind that network tags are not an access-control boundary: anyone who can edit an instance's tags (the compute.instances.setTags permission, which the Compute Instance Admin role includes) can attach 'vnc-server' to any other instance and inherit the open port. If that is a concern, target the rule by service account instead.
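The whole procedure from the command line, added here as an example that is not part of the original guide: it drives the gcloud CLI rather than the console and adds a hardening step that narrows the source range to one address. The project ID my-project, the zone us-central1-a and the allowlisted address 203.0.113.10 are placeholders, not values from the guide; set GCLOUD=echo (or pass preview) to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original guide): gcloud equivalent of the console steps.
# Assumptions: project "my-project" and zone "us-central1-a" are placeholders;
# the allowlist IP 203.0.113.10 is a documentation address (RFC 5737).
# Set GCLOUD=echo to print the commands instead of executing them.
set -eu

GCLOUD="${GCLOUD:-gcloud}"
PROJECT="${PROJECT:-my-project}"
ZONE="${ZONE:-us-central1-a}"
RULE_NAME="vnc-server"
TARGET_TAG="vnc-server"
INSTANCE="vnc-desktop"

# Step 1: the ingress rule from the guide. Only instances carrying TARGET_TAG
# receive it; every other instance in the VPC stays behind the implied deny.
create_vnc_rule() {
  "$GCLOUD" compute firewall-rules create "$RULE_NAME" \
    --project="$PROJECT" \
    --network=default \
    --direction=INGRESS \
    --priority=1000 \
    --action=ALLOW \
    --rules=tcp:5901 \
    --source-ranges="${SOURCE_RANGES:-0.0.0.0/0}" \
    --target-tags="$TARGET_TAG" \
    --description="Allow VNC remote access to instances with the $TARGET_TAG tag"
}

# Step 2: attach the tag to the instance so the rule starts applying to it.
tag_instance() {
  "$GCLOUD" compute instances add-tags "$INSTANCE" \
    --project="$PROJECT" --zone="$ZONE" --tags="$TARGET_TAG"
}

# Step 3 (hardening, beyond the guide): replace 0.0.0.0/0 with a single /32,
# so only the given address can reach VNC. Pass your own external IP.
restrict_vnc_source() {
  allow_ip="${1:?usage: restrict_vnc_source <external-ip>}"
  "$GCLOUD" compute firewall-rules update "$RULE_NAME" \
    --project="$PROJECT" --source-ranges="$allow_ip/32"
}

# Step 4: show what the default network actually accepts: every ingress rule
# with its priority, sources and targets, so the new rule can be checked next
# to the pre-populated default-allow-* rules.
show_ingress_rules() {
  "$GCLOUD" compute firewall-rules list \
    --project="$PROJECT" \
    --filter="network:default AND direction=INGRESS" \
    --format="table(name,priority,sourceRanges.list(),targetTags.list(),allowed[].map().firewall_rule().list())"
}

main() {
  create_vnc_rule
  tag_instance
  restrict_vnc_source "${ALLOW_IP:-203.0.113.10}"
  show_ingress_rules
}

case "${1:-}" in
  apply)   main ;;
  preview) GCLOUD=echo main ;;
  *)       echo "usage: $0 preview|apply  (preview prints the gcloud commands)" >&2 ;;
esac
```

Run it as `sh vnc-firewall.sh preview` to see the exact gcloud invocations, then `apply` with ALLOW_IP set to your own external address to execute them. Note that `firewall-rules update --source-ranges` replaces the whole source list rather than appending to it, which is what makes step 3 close the 0.0.0.0/0 hole rather than widen it.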


Awesome! Let's see if this works. If we did everything correctly, we have created a firewall rule on our default VPC that allows TCP port 5901 and applies only to our 'vnc-desktop' instance, by way of the network tag 'vnc-server'.

Open up your favorite VNC client and connect to the external IP address of your instance followed by ':5901'. In our case, we will connect to 35.225.133.214:5901.


Enter your VNC server password when prompted.


And success! We now have remote access to our GNOME desktop on our Compute Engine instance, thanks to successfully opening up the correct port on the GCP Firewall.

There are MANY more possible configurations of the GCP firewall, offering both broad and very fine-grained control over the network exposure of your GCP environment. Mastering firewall rules is a vital component of securing your GCP environment while still allowing it to work at its full potential.

Sources / Resources

If you want to learn more about working with Firewalls on Google Cloud Platform, view Google’s documentation about the same subject here:

https://cloud.google.com/vpc/docs/firewalls

Also be on the look out for our upcoming Google Cloud Platform Security Essentials course, in which we’ll work further with firewall rules and other security-related topics as well.
