Google Cloud Security: Creating Firewall Rules on a VPC Network

I will configure two different firewall rules: (1) a wide-scope rule that allows SSH access to all instances on the network, and (2) a narrow-scope rule that uses a network tag to allow ICMP (ping) access to a single instance, and only from a specific subnet. Together they show how target selection and source filtering control the reach of a rule.

Allow SSH Access to all Virtual Machine Instances

  • Scroll down to VPC Network, click on Firewall rules, create a firewall rule and name it "allow-ssh"
  • In the Network dropdown menu, select "custom-vpc"
  • Targets: select "All instances in the network"
  • Source IP range: type 0.0.0.0/0
  • Protocols and ports: select "Specified protocols and ports", check tcp and enter port 22

Apply Network Tag to VM

  • Select Compute Engine and click on "instance-2"
  • Scroll down to Network tags and enter "icmp-allow"

Create a narrow-scope firewall rule for virtual machine "instance-2"

  • Go back to the firewall menu, create a new rule and name it "allow-icmp"
  • Choose the custom-vpc network
  • In the Targets dropdown menu, select "Specified target tags" if it is not already the default
  • In the Target tags field, type icmp-allow and hit Enter
  • In the Source filter dropdown, choose IP range
  • Enter the IP range of the subnet-a subnet
  • In Protocols and ports, choose "Specified protocols and ports"
  • Place a check in "Other protocols" and type in icmp (there is no port number for ICMP)

Test ICMP Firewall Rule

  • Go back to Compute Engine and test this rule from the other virtual machine instances

instance-1a

  • You will see that I can ping "instance-2" from the SSH terminal of this instance.

instance-1b

  • You will see that I can ping "instance-2" from the SSH terminal of this instance.

instance-3

  • You will see that when you ping "instance-2" from the SSH terminal of this instance, it will pause for a long time and eventually time out, because the rule only allows ICMP traffic sourced from subnet-a.
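To make the effect of the two rule scopes concrete, here is an added Python model of how VPC ingress evaluation decides each test above; it is not code from this post or from Google Cloud. The subnet-a range, the instance addresses and the placement of instance-3 outside subnet-a are assumptions chosen to match the observed results.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed topology (addresses are assumptions, not taken from the page):
# subnet-a = 10.0.1.0/24 holds instance-1a, instance-1b and instance-2;
# instance-3 sits in a second subnet, 10.0.2.0/24, which is what makes
# its pings to instance-2 time out under the narrow rule.
SUBNET_A = "10.0.1.0/24"

@dataclass
class Instance:
    name: str
    ip: str
    tags: set = field(default_factory=set)

@dataclass
class IngressRule:
    name: str
    protocol: str
    ports: set = field(default_factory=set)          # empty = all ports (ICMP has none)
    source_ranges: list = field(default_factory=list)
    target_tags: set = field(default_factory=set)    # empty = "All instances in the network"

    def matches(self, src, dst, proto, port=None):
        # Target check: a tagged rule only applies to instances carrying one of its tags.
        if self.target_tags and not (self.target_tags & dst.tags):
            return False
        # Source filter: the sender's address must fall inside one of the ranges.
        src_ip = ipaddress.ip_address(src.ip)
        if not any(src_ip in ipaddress.ip_network(r) for r in self.source_ranges):
            return False
        return self.protocol == proto and (not self.ports or port in self.ports)

def is_allowed(rules, src, dst, proto, port=None):
    """VPC ingress has an implied deny-all: traffic passes only if some allow rule matches."""
    return any(r.matches(src, dst, proto, port) for r in rules)

# The two rules from the walkthrough, as configured in the console.
RULES = [
    IngressRule("allow-ssh", "tcp", {22}, ["0.0.0.0/0"]),
    IngressRule("allow-icmp", "icmp", set(), [SUBNET_A], {"icmp-allow"}),
]
INSTANCES = {
    "instance-1a": Instance("instance-1a", "10.0.1.2"),
    "instance-1b": Instance("instance-1b", "10.0.1.3"),
    "instance-2": Instance("instance-2", "10.0.1.4", {"icmp-allow"}),
    "instance-3": Instance("instance-3", "10.0.2.2"),
}

def can_ping(src, dst):
    return is_allowed(RULES, INSTANCES[src], INSTANCES[dst], "icmp")
```

Note that instance-1a cannot ping instance-3 either: the ICMP rule targets only the icmp-allow tag, so every untagged instance keeps the implied deny for ICMP while SSH from anywhere stays open on all of them.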