Google Cloud Security: Creating Firewall Rules on a VPC Network
I will configure two firewall rules: (1) one that allows SSH access to all instances on the network, and (2) one that uses a network tag to allow ICMP (ping) access to a single instance, and only from a specific subnet. This demonstrates both wide-scope and narrow-scope firewall rules.
Allow SSH Access to all Virtual Machine Instances
- Scroll down to VPC Network, click on Firewall rules, create a firewall rule, and name it "allow-ssh"
 - In the Network dropdown menu, select "custom-vpc"
 - Targets: Select "All instances in the network"
 - Source IP Range: Type 0.0.0.0/0
 - Protocols and ports: Select "Specified protocols and ports", tcp: "22"
Apply Network Tag to VM
- Select Compute Engine and click on "instance-2"
 - Scroll Down to Network tags and enter "icmp-allow"
 
Create a narrow-scope firewall rule for virtual machine "instance-2"
- Go back to the firewall menu, create a new rule, and name it "allow-icmp"
 - Choose the custom-vpc network
 - In the Targets dropdown menu, set to specified target tags if not already the default
 - In the Target tags field, type icmp-allow and hit Enter
 - In the Source filter dropdown, choose IP Range
 - Enter the IP range of our subnet-a subnet
 - In Protocols and ports, choose Specified protocols and ports
 - Place a check in Other protocols, and type in icmp (there is no port number for ICMP)
Test ICMP Firewall Rule
- Go back to Compute Engine and test this rule from the other virtual machine instances
 
instance-1a
- You will see that I can ping "instance-2" from the SSH terminal of this instance.
 
instance-1b
- You will see that I can ping "instance-2" from the SSH terminal of this instance.
 
instance-3
- You will see that when you ping "instance-2" from the SSH terminal of this instance, it pauses for a long time and eventually times out, because the rule only allows traffic sourced from subnet-a.
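
Why the three ping tests end differently, as an added example that is not part of the original walkthrough: a simplified Python model of how the two ingress rules are matched against a packet, with anything unmatched falling through to the VPC's implied deny-ingress rule. The subnet-a CIDR, the instance IPs and the subnet placement of instance-2 and instance-3 are constructed placeholders, because the page does not list them.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class IngressAllow:
    name: str
    source_range: str                 # CIDR the source IP must fall in
    protocol: str                     # "tcp", "icmp", ...
    port: Optional[int] = None        # None for portless protocols (ICMP)
    target_tag: Optional[str] = None  # None = all instances in the network

SUBNET_A = "10.0.1.0/24"  # constructed: the page does not give subnet-a's CIDR
RULES = [
    IngressAllow("allow-ssh", "0.0.0.0/0", "tcp", port=22),
    IngressAllow("allow-icmp", SUBNET_A, "icmp", target_tag="icmp-allow"),
]

# Constructed inventory: internal IPs and subnet placement are assumptions.
INSTANCES = {
    "instance-1a": {"ip": "10.0.1.2", "tags": set()},
    "instance-1b": {"ip": "10.0.1.3", "tags": set()},
    "instance-2": {"ip": "10.0.2.2", "tags": {"icmp-allow"}},
    "instance-3": {"ip": "10.0.3.2", "tags": set()},
}

def matching_rule(src_ip, dst, protocol, port=None, rules=RULES):
    # Returns the name of the allow rule that admits the packet, or None when
    # nothing matches and the implied deny-ingress rule silently drops it.
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.target_tag is not None and r.target_tag not in INSTANCES[dst]["tags"]:
            continue  # rule does not apply to this instance
        if src not in ipaddress.ip_network(r.source_range):
            continue  # source is outside the rule's range
        if r.protocol != protocol or (r.port is not None and r.port != port):
            continue  # wrong protocol or port
        return r.name
    return None

def ping_report(dst="instance-2"):
    """Which rule, if any, lets each other instance ping dst."""
    return {name: matching_rule(meta["ip"], dst, "icmp")
            for name, meta in INSTANCES.items() if name != dst}

if __name__ == "__main__":
    for src, rule in ping_report().items():
        print(f"{src} -> instance-2 icmp: {rule or 'dropped by implied deny'}")
```

Removing the `icmp-allow` tag from instance-2 in `INSTANCES` makes every ping fall through to the deny, which shows that the tag, not the rule alone, is what attaches the narrow-scope rule to the instance.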