Google Cloud Security: Creating Firewall Rules on a VPC Network


I will configure two different firewall rules: (1) one that allows SSH access to all instances on the network, and (2) another that uses a specific network tag to allow ICMP (ping) access to a single instance, and only from a specific subnet. This demonstrates both wide-scope and narrow-scope firewall rules.

Allow SSH Access to all Virtual Machine Instances

  • Scroll down to VPC Network, click on Firewall rules, create a firewall rule and name it "allow-ssh"
  • In the Network dropdown menu, select "custom-vpc"
  • Targets: select "All instances in the network"
  • Source IP range: type 0.0.0.0/0
  • Protocols and ports: select "Specified protocols and ports", then tcp: "22"

Apply Network Tag to VM

  • Select Compute Engine and click on "instance-2"
  • Scroll down to Network tags and enter "icmp-allow"

Create a narrow-scope firewall rule for virtual machine "instance-2"

  • Go back to the firewall menu, create a new rule, and name it "allow-icmp"
  • Choose the custom-vpc network
  • In the Targets dropdown menu, select "Specified target tags" if it is not already the default
  • In the Target tags field, type icmp-allow and press Enter
  • In the Source filter dropdown, choose IP range
  • Enter the IP range of the subnet-a subnet
  • In Protocols and ports, choose "Specified protocols and ports"
  • Place a check in "Other protocols" and type icmp (there is no port number for ICMP)

Test ICMP Firewall Rule

  • Go back to Compute Engine and test this rule from the other virtual machine instances

instance-1a

  • You will see that I can ping "instance-2" from the SSH terminal of this instance.

instance-1b

  • You will see that I can ping "instance-2" from the SSH terminal of this instance.

instance-3

  • You will see that when you ping "instance-2" from the SSH terminal of this instance, the ping pauses for a long time and eventually times out, because the rule allows source traffic from subnet-a only.
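To make the three ping results above reproducible without a console, here is an added example (not code from the original post) that models how a GCP VPC evaluates ingress firewall rules: target tags, source ranges, protocol/port, and the implied deny-ingress rule that drops anything no rule matches. The subnet-a range, the second subnet, the instance IPs and the priorities are assumed, constructed values, since the post does not state them.

```python
# Added example (not from the original post): a minimal model of how GCP
# evaluates VPC ingress firewall rules. Subnet ranges, instance IPs and the
# rule priority are assumed/constructed values, not taken from the post.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    protocol: str                                      # "tcp", "udp", "icmp", ...
    ports: set = field(default_factory=set)            # empty = all ports (ICMP has none)
    source_ranges: list = field(default_factory=list)
    target_tags: set = field(default_factory=set)      # empty = all instances in the network
    priority: int = 1000                               # GCP default; lower number wins
    action: str = "allow"


SUBNET_A = "10.0.1.0/24"   # assumed range for subnet-a (constructed)
RULES = [                  # the two rules created in the post
    Rule("allow-ssh", "tcp", {22}, ["0.0.0.0/0"]),                  # wide scope: any source
    Rule("allow-icmp", "icmp", set(), [SUBNET_A], {"icmp-allow"}),  # narrow scope: tag + subnet
]


def ingress_allowed(rules, src_ip, dst_tags, protocol, port=None):
    """Return (allowed, rule_name). Lowest priority number is checked first and
    the first match wins; with no match, GCP's implied deny-ingress rule drops
    the packet silently, which is why a blocked ping times out instead of failing fast."""
    src = ipaddress.ip_address(src_ip)
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol != protocol:
            continue
        if r.ports and port not in r.ports:
            continue
        if r.target_tags and not (r.target_tags & set(dst_tags)):
            continue
        if not any(src in ipaddress.ip_network(n) for n in r.source_ranges):
            continue
        return r.action == "allow", r.name
    return False, "implied-deny-ingress"


# Constructed instances: 1a/1b live in subnet-a, instance-3 in a different subnet.
INSTANCE_IP = {"instance-1a": "10.0.1.10", "instance-1b": "10.0.1.11", "instance-3": "10.0.2.10"}
INSTANCE_2_TAGS = ["icmp-allow"]   # the tag applied to instance-2 in the post


def can_ping_instance_2(source_instance):
    return ingress_allowed(RULES, INSTANCE_IP[source_instance], INSTANCE_2_TAGS, "icmp")
```

Running `can_ping_instance_2` for each instance reproduces the post's outcome (1a and 1b allowed by allow-icmp, instance-3 dropped by the implied deny), and calling `ingress_allowed` with a public source address and tcp/22 shows that allow-ssh admits SSH from any address, which is what "0.0.0.0/0" on an untagged rule means.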
