Mantra Networking

GCP (Google Cloud) Networking: Firewall Rules

Created By: Lauren R. Garcia

Table of Contents

  • Overview
  • Core Components
  • Default GCP Firewall Rules
  • Creating Firewall Rules
  • Firewall Rule Evaluation
  • Example Firewall Rule Table
  • Best Practices
  • Conclusion

GCP (Google Cloud) Networking: Firewall Rules Overview

What Are GCP Firewall Rules?

Google Cloud Platform (GCP) firewall rules are configuration settings that control the flow of network traffic to and from Google Cloud resources inside a Virtual Private Cloud (VPC). Think of firewall rules as security checkpoints—they define exactly what kinds of network connections are allowed or denied, based on things like IP addresses, protocols, and ports.

Why Are Firewall Rules Important?

Understanding and managing firewall rules is critical for several reasons:

  • Security: They prevent unauthorized access and protect your virtual machines (VMs) and applications from malicious traffic.
  • Compliance: Firewall rules help ensure that your network architecture meets security requirements and industry regulations.
  • Control: You decide the specific sources, destinations, and types of traffic that can interact with your cloud resources, reducing the attack surface.
  • Isolation: They allow you to segment your network efficiently so that only necessary communication is permitted between parts of your infrastructure.

How Do GCP Firewall Rules Work?

GCP firewall rules are defined per VPC network but enforced by Google's virtualization layer at each VM's network interface, outside the guest operating system. Here's how they work:

  • Applied to VM Instances: Firewall rules are enforced for all incoming and outgoing connections to and from VM instances, regardless of their operating system or application configuration. They are stateful: once a connection is allowed in one direction, its return traffic is accepted automatically, so you do not write a second rule for the replies.
  • Rule Direction: You set whether a rule applies to inbound (ingress) or outbound (egress) traffic.
  • Selection by Targets: Rules can be tailored to apply only to specific VMs using network tags or service accounts, or to all instances in a VPC network.
  • Evaluation Order: Each rule has a numeric priority from 0 to 65535, and a lower number means higher priority. For a given connection GCP considers only the rules whose direction, target, source/destination and protocol/port all match; among those, the rule with the lowest number decides. If an allow rule and a deny rule match at the same priority, the deny rule wins.
  • Default Behavior: Two implied rules at the lowest priority (65535) deny all ingress and allow all egress. They cannot be deleted, but any rule you create outranks them.

Understanding the overview of GCP firewall rules gives you the foundation to secure your cloud environments and tailor network access with precision as your cloud infrastructure grows.

Core Components

These are the fundamental elements that make up Google Cloud Firewall Rules and enable precise traffic control inside Virtual Private Clouds (VPCs):

  • Direction: Specifies whether the firewall rule applies to incoming (ingress) or outgoing (egress) network traffic.
  • Priority: An integer from 0 to 65535 (default 1000) that determines the rule's evaluation order. Rules with lower numbers are evaluated before those with higher numbers.
  • Action (Allow/Deny): Defines whether matching traffic is permitted or blocked.
  • Targets: Identifies the instances the rule applies to: all instances in the network, instances carrying given network tags, or instances running as given service accounts. A single rule uses target tags or target service accounts, not both.
  • Source/Destination: For ingress rules, the source IP ranges (optionally source tags or source service accounts) of the traffic; for egress rules, the destination IP ranges.
  • Protocols and Ports: Determines which types of traffic (e.g., TCP, UDP, ICMP) and specific port numbers the rule affects.
  • Logging: (Optional) Enables Firewall Rules Logging, which records connections that match the rule in Cloud Logging for monitoring and auditing purposes. Logging is off unless you turn it on per rule.

Default GCP Firewall Rules

The default network that Google creates in every new project comes with four pre-populated firewall rules, all at priority 65534 (one step above the implied rules), so that basic connectivity works out of the box. A custom VPC network you create yourself gets only the two implied rules unless you add rules explicitly. The defaults exist to make it easy to get started, but they should be reviewed and customized for your environment's security requirements.

  1. default-allow-internal:
    • Direction: Ingress (incoming)
    • Priority: 65534
    • Action: Allow
    • Source: 10.128.0.0/9 (the range from which auto mode subnets are allocated)
    • Protocols/Ports: All (TCP/UDP: 0-65535, ICMP)
    • Description: Permits all traffic between VM instances within the same network.
  2. default-allow-ssh:
    • Direction: Ingress
    • Priority: 65534
    • Action: Allow
    • Source: 0.0.0.0/0 (any IP address)
    • Protocols/Ports: TCP:22 (SSH)
    • Description: Allows remote SSH access to instances from any source.
  3. default-allow-rdp:
    • Direction: Ingress
    • Priority: 65534
    • Action: Allow
    • Source: 0.0.0.0/0 (any IP address)
    • Protocols/Ports: TCP:3389 (RDP)
    • Description: Allows remote RDP access to Windows instances from any source.
  4. default-allow-icmp:
    • Direction: Ingress
    • Priority: 65534
    • Action: Allow
    • Source: 0.0.0.0/0 (any IP address)
    • Protocols/Ports: ICMP
    • Description: Enables network utilities like ping and traceroute to reach instances.

Rule Name               Direction  Priority  Action  Source        Protocols/Ports               Description
default-allow-internal  Ingress    65534     Allow   10.128.0.0/9  All (TCP/UDP: 0-65535, ICMP)  Allows traffic between instances in the same network
default-allow-ssh       Ingress    65534     Allow   0.0.0.0/0     TCP:22                        Enables SSH access from any IP
default-allow-rdp       Ingress    65534     Allow   0.0.0.0/0     TCP:3389                      Enables RDP access from any IP
default-allow-icmp      Ingress    65534     Allow   0.0.0.0/0     ICMP                          Allows ping and other ICMP traffic

Important: Apart from these four rules, all other ingress traffic is denied and all egress traffic is allowed by the implied rules unless you create rules that override them. Note that default-allow-ssh and default-allow-rdp expose management ports to the entire internet and that none of the default rules has logging enabled. Delete the two remote-access rules or narrow their source to the ranges that actually need access (for example your corporate egress range, or 35.235.240.0/20 if you reach instances through Identity-Aware Proxy TCP forwarding), and consider whether default-allow-internal's blanket allow within the VPC is wider than your workloads need.

Creating Firewall Rules

Setting up custom firewall rules in Google Cloud allows you to control how traffic moves within and into your virtual networks. Follow these steps to create a firewall rule in the GCP Console:

  1. Navigate to Firewall Rules:
    • In the Google Cloud Console, go to VPC network > Firewall.
    • Click the Create firewall rule button.
  2. Define the Rule Properties:
    • Name: Set a unique name for your firewall rule.
    • Network: Select the VPC network where the rule will apply.
    • Priority: Assign a priority (lower value means higher priority).
    • Direction of Traffic: Choose Ingress (incoming) or Egress (outgoing).
    • Action on Match: Select Allow or Deny for matching traffic.
  3. Define Targets:
    • Specify whether the rule applies to all instances, or only those with specific target tags or service accounts.
  4. Specify Source or Destination:
    • For ingress rules: enter one or more Source IP ranges (e.g., 203.0.113.0/24 for an office range; use 0.0.0.0/0 only for services that must be reachable from anywhere).
    • For egress rules: enter Destination IP ranges as needed.
  5. Protocols and Ports:
    • Choose which protocols and ports to allow or deny, such as TCP:80,443 (for web servers) or all traffic on all ports.
  6. Optionally Enable Logging:
    • Turn on logging to keep a record of connections that match the rule (helpful for auditing and troubleshooting).
  7. Review and Create:
    • Review your inputs and click Create to activate the firewall rule.

Once your firewall rule is created it takes effect within a short time (propagation is quick but not instantaneous) and influences traffic flow based on your configuration. You can edit or remove rules as your network needs evolve.
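
The same rule can be created from a script instead of the console. The following is an added example, not code from the original post or from Google: it assembles a gcloud compute firewall-rules create command from the properties listed in the steps above and enforces the constraints the console applies silently (priority range, ingress rules take source ranges while egress rules take destination ranges, target tags and target service accounts cannot be mixed, and an ingress rule must state its sources explicitly because gcloud otherwise defaults them to 0.0.0.0/0). The project, network, tag and rule names are placeholders.

```python
"""Build and validate a `gcloud compute firewall-rules create` command.

Added example, not code from the original post or from Google. It performs the
console steps above from a script and enforces the constraints the console
enforces silently. The project, network and rule names are placeholders.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Rule names are RFC 1035 labels: lowercase letter first, then lowercase letters,
# digits or hyphens, no trailing hyphen, at most 63 characters.
NAME_RE = re.compile(r"^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")
# Port numbers/ranges are only meaningful for tcp, udp and sctp.
PROTO_PORT_RE = re.compile(r"^(tcp|udp|sctp):(\d+)(?:-(\d+))?$|^(tcp|udp|sctp|icmp|esp|ah|ipip|all|\d+)$")


@dataclass
class FirewallRule:
    name: str
    network: str
    direction: str = "INGRESS"            # INGRESS or EGRESS
    priority: int = 1000                  # 0..65535, lower number wins (gcloud default 1000)
    action: str = "ALLOW"                 # ALLOW or DENY
    rules: List[str] = field(default_factory=list)               # e.g. ["tcp:80", "tcp:443"]
    source_ranges: List[str] = field(default_factory=list)       # ingress only
    destination_ranges: List[str] = field(default_factory=list)  # egress only
    target_tags: List[str] = field(default_factory=list)
    target_service_accounts: List[str] = field(default_factory=list)
    enable_logging: bool = False
    description: Optional[str] = None


def validate(rule: FirewallRule) -> None:
    """Raise ValueError for anything the API would reject or that is unsafe by default."""
    if not NAME_RE.match(rule.name):
        raise ValueError(f"invalid rule name: {rule.name!r}")
    if not 0 <= rule.priority <= 65535:
        raise ValueError("priority must be in 0..65535")
    if rule.direction not in ("INGRESS", "EGRESS"):
        raise ValueError("direction must be INGRESS or EGRESS")
    if rule.action not in ("ALLOW", "DENY"):
        raise ValueError("action must be ALLOW or DENY")
    if not rule.rules:
        raise ValueError("at least one protocol[:port] entry is required")
    for spec in rule.rules:
        m = PROTO_PORT_RE.match(spec)
        if not m:
            raise ValueError(f"bad protocol/port spec: {spec!r}")
        if m.group(2):
            lo, hi = int(m.group(2)), int(m.group(3) or m.group(2))
            if not 0 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range: {spec!r}")
    # A rule targets tags or service accounts, never both.
    if rule.target_tags and rule.target_service_accounts:
        raise ValueError("use target tags or target service accounts, not both")
    # Ingress rules filter on sources, egress rules on destinations.
    if rule.direction == "INGRESS":
        if rule.destination_ranges:
            raise ValueError("ingress rules take source ranges, not destination ranges")
        # gcloud defaults a missing --source-ranges to 0.0.0.0/0; insist on an explicit choice.
        if not rule.source_ranges:
            raise ValueError("ingress rules need explicit source ranges (use 0.0.0.0/0 deliberately)")
    elif rule.source_ranges:
        raise ValueError("egress rules take destination ranges, not source ranges")


def build_command(rule: FirewallRule, project: str) -> str:
    """Return the shell-quoted gcloud command line for the rule (validated first)."""
    validate(rule)
    argv = ["gcloud", "compute", "firewall-rules", "create", rule.name,
            f"--project={project}", f"--network={rule.network}",
            f"--direction={rule.direction}", f"--priority={rule.priority}",
            f"--action={rule.action}", f"--rules={','.join(rule.rules)}"]
    if rule.source_ranges:
        argv.append(f"--source-ranges={','.join(rule.source_ranges)}")
    if rule.destination_ranges:
        argv.append(f"--destination-ranges={','.join(rule.destination_ranges)}")
    if rule.target_tags:
        argv.append(f"--target-tags={','.join(rule.target_tags)}")
    if rule.target_service_accounts:
        argv.append(f"--target-service-accounts={','.join(rule.target_service_accounts)}")
    if rule.enable_logging:
        argv.append("--enable-logging")
    if rule.description:
        argv.append(f"--description={rule.description}")
    return shlex.join(argv)


if __name__ == "__main__":
    # Placeholder project/network; "web" is an assumed network tag on the web-tier VMs.
    web = FirewallRule(name="allow-web-ingress", network="prod-vpc", rules=["tcp:80", "tcp:443"],
                       source_ranges=["0.0.0.0/0"], target_tags=["web"], enable_logging=True,
                       description="public HTTP/HTTPS to web tier")
    print(build_command(web, project="my-project"))
```

The script only prints the command (Python 3.8+ for shlex.join); paste it into a shell with gcloud authenticated, or pipe it to sh. Keeping the validation in code means a misconfigured rule, such as an ingress rule that silently defaults to 0.0.0.0/0, is rejected before it reaches the API.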

Firewall Rule Evaluation

Understanding how Google Cloud evaluates firewall rules is essential for effective network security and troubleshooting. The evaluation process follows a clear logic to determine how traffic is allowed or blocked:

  1. Assign Rule Priorities:
    • Each firewall rule is given a priority (an integer from 0 to 65535), where a lower number means higher priority.
  2. Evaluate Matching Rules by Priority:
    • When traffic arrives, Google Cloud checks all rules that apply to the traffic's target, protocol, ports, source/destination, and direction.
    • The evaluation starts with the rule that has the highest priority (lowest number).
  3. First Match Determines the Action:
    • The matching rule with the lowest priority number is enforced and no further rules are evaluated. If an allow rule and a deny rule match at the same priority, the deny rule wins.
  4. Implied Rules:
    • If no ingress rule matches, the implied deny-ingress rule (priority 65535) blocks the traffic.
    • If no egress rule matches, the implied allow-egress rule (priority 65535) lets the traffic out, so egress stays open unless you create an explicit deny.
  5. Firewall Policies and Evaluation Order:
    • Hierarchical firewall policies attached to the organization or a folder are evaluated before anything in the project, followed by global and then regional network firewall policies, and only then the VPC firewall rules. A policy rule can use goto_next to hand the decision down to the next level. Per network you can also swap the order in which global network firewall policies and VPC firewall rules are evaluated.
Step                         Description
1. Traffic Arrives           Traffic is detected entering or leaving a VM's network interface.
2. Rule Evaluation           Firewall rules for the network are checked in order of ascending priority number (lowest number first).
3. First Match Applied       The first rule that matches all criteria (direction, protocol, ports, target, source/destination) is enforced; a deny beats an allow at the same priority.
4. Action Performed          Traffic is either allowed or denied based on the matching rule. No further rules are evaluated.
5. Implied Rule (if needed)  If no user rule matches, the implied rules at priority 65535 apply: deny all ingress, allow all egress.

Tip: Regularly review the order and specificity of your rules, and remember that "higher priority" means a lower number. A broad rule at priority 900 (say, deny TCP/22 from 0.0.0.0/0) is evaluated before a narrower rule at priority 1000 (allow TCP/22 from your office range) and silently overrides it, which may lead to unintended access or blocks.
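
To make the evaluation order concrete, here is an added example (not code from the original post or from Google) that simulates the decision for a single connection against a small constructed rule set. It encodes the logic above: only rules whose direction, target, remote address and protocol/port all match are candidates, the candidate with the lowest priority number decides, an allow and a deny at the same priority resolve to deny, and with no candidate the implied rules apply. Source tags, source service accounts and firewall policies are not modelled; the rule names, tags and address ranges (203.0.113.0/24 and 192.0.2.0/24 are documentation ranges) are sample data.

```python
"""Simulate how a VPC network's firewall rules decide one connection.

Added example, not code from the original post or from Google. Rule names,
tags and address ranges below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    direction: str                     # "INGRESS" or "EGRESS"
    priority: int                      # 0..65535, lower number evaluated first
    action: str                        # "ALLOW" or "DENY"
    ranges: List[str]                  # source ranges (ingress) or destination ranges (egress)
    protocols: List[str]               # e.g. ["tcp:22", "udp:1000-2000", "icmp", "all"]
    target_tags: Optional[List[str]] = None   # None = all instances in the network


@dataclass
class Flow:
    direction: str                     # from the VM's point of view
    remote_ip: str                     # peer address (source for ingress, destination for egress)
    protocol: str                      # "tcp", "udp", "icmp", ...
    port: Optional[int] = None         # destination port where the protocol has one
    instance_tags: List[str] = field(default_factory=list)


def _spec_matches(spec: str, protocol: str, port: Optional[int]) -> bool:
    """Match one 'proto[:port|lo-hi]' entry against the flow's protocol and port."""
    if spec == "all":
        return True
    proto, _, ports = spec.partition(":")
    if proto != protocol:
        return False
    if not ports:                      # bare protocol means every port
        return True
    lo, _, hi = ports.partition("-")
    return port is not None and int(lo) <= port <= int(hi or lo)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if the rule is a candidate for this flow (direction, target, address, protocol)."""
    if rule.direction != flow.direction:
        return False
    if rule.target_tags is not None and not set(rule.target_tags) & set(flow.instance_tags):
        return False
    addr = ipaddress.ip_address(flow.remote_ip)
    if not any(addr in ipaddress.ip_network(r, strict=False) for r in rule.ranges):
        return False
    return any(_spec_matches(s, flow.protocol, flow.port) for s in rule.protocols)


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """Return (action, deciding rule name); the name is the implied rule if nothing matched."""
    candidates = [r for r in rules if rule_matches(r, flow)]
    if not candidates:
        if flow.direction == "INGRESS":
            return "DENY", "implied-deny-ingress"
        return "ALLOW", "implied-allow-egress"
    best = min(r.priority for r in candidates)
    tied = [r for r in candidates if r.priority == best]
    # Same priority with conflicting actions: the deny rule takes precedence.
    winner = next((r for r in tied if r.action == "DENY"), tied[0])
    return winner.action, winner.name


# Constructed sample rule set.
RULES = [
    Rule("default-allow-internal", "INGRESS", 65534, "ALLOW", ["10.128.0.0/9"],
         ["tcp:0-65535", "udp:0-65535", "icmp"]),
    Rule("allow-ssh-from-corp", "INGRESS", 1000, "ALLOW", ["203.0.113.0/24"], ["tcp:22"], ["bastion"]),
    Rule("deny-ssh-everywhere", "INGRESS", 900, "DENY", ["0.0.0.0/0"], ["tcp:22"]),
    Rule("allow-web", "INGRESS", 1000, "ALLOW", ["0.0.0.0/0"], ["tcp:80", "tcp:443"], ["web"]),
    Rule("deny-egress-smtp", "EGRESS", 1000, "DENY", ["0.0.0.0/0"], ["tcp:25"]),
]

if __name__ == "__main__":
    flows = [
        Flow("INGRESS", "203.0.113.5", "tcp", 22, ["bastion"]),   # broader 900 deny beats the 1000 allow
        Flow("INGRESS", "192.0.2.10", "tcp", 443, ["web"]),        # allow-web
        Flow("INGRESS", "192.0.2.10", "tcp", 8080, ["web"]),       # nothing matches: implied deny
        Flow("INGRESS", "10.128.0.9", "tcp", 5432),                # default-allow-internal
        Flow("EGRESS", "192.0.2.25", "tcp", 25),                   # deny-egress-smtp
        Flow("EGRESS", "192.0.2.25", "tcp", 443),                  # nothing matches: implied allow
    ]
    for f in flows:
        action, by = evaluate(RULES, f)
        print(f"{f.direction:7} {f.remote_ip:>13} {f.protocol}/{f.port} tags={f.instance_tags} -> {action} ({by})")
```

The first flow is the situation the tip warns about: the bastion's SSH allow at priority 1000 never gets a chance because the blanket deny at 900 matches first. Swap the two priorities and the office range is allowed while everything else is still denied.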

Best Practices

Applying best practices to your Google Cloud firewall rules is critical for keeping your cloud network secure, manageable, and compliant. Follow this step-by-step guide to optimize firewall rule configuration:

  1. Apply the Principle of Least Privilege:
    • Allow only the specific IP addresses, ports, and protocols necessary for your workloads and block everything else.
    • Avoid using broad source ranges like 0.0.0.0/0 unless absolutely necessary.
  2. Use Network Tags or Service Accounts for Targeting:
    • Attach network tags or service accounts to VM instances and reference them in your firewall rules for targeted and granular application. Prefer service accounts where you can: a network tag can be added by anyone who can edit the instance, whereas running an instance as a service account requires IAM permission on that account.
  3. Enable and Monitor Logging:
    • Turn on firewall rule logging to record both allowed and denied traffic for auditing and troubleshooting.
    • Regularly review logs for anomalies or unexpected traffic patterns.
  4. Centralize and Automate Log Management:
    • Use centralized log management tools and consider integration with SIEM solutions for enhanced monitoring and alerting.
  5. Regularly Audit and Clean Up Rules:
    • Schedule periodic reviews to remove unnecessary, unused, or overly permissive rules from your network.
    • Use Firewall Insights (item 8) or an audit of the exported rule list to identify shadowed or inactive rules.
  6. Be Specific with Protocols and Ports:
    • Specify the exact protocols and port numbers needed, rather than using "all" unless absolutely required.
  7. Document Rule Purpose and Scope:
    • Use clear naming conventions and descriptions for each rule, indicating purpose, scope, and any relevant change history.
  8. Leverage Firewall Insights and Recommendations:
    • Firewall Insights (part of Network Intelligence Center) reports shadowed rules, overly permissive rules, and allow rules with no hits over the observation window; review its findings and tighten or remove the rules it flags.
  9. Order Rules Correctly Using Priority:
    • Assign priority values carefully; lower numbers have higher precedence. Place more specific or critical rules before broader ones.
  10. Test New Rules in a Controlled Environment:
    • Before deploying new firewall rules to production, test them in a staging or development environment to confirm they behave as expected.

By implementing these best practices, you can enhance the security, visibility, and agility of your cloud infrastructure while minimizing potential risks.
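
Several of the practices above (least privilege, logging, cleaning up shadowed rules) can be checked mechanically against an export of your rules. The following is an added example, not code from the original post or from Google: it reads the JSON shape that gcloud compute firewall-rules list --format=json produces (field names as in the Compute API Firewall resource) and reports allow rules reachable from any source, admin or all ports exposed to the internet, allow rules without logging, and rules fully shadowed by an earlier rule. The rule set embedded below is a constructed sample (the network field is shortened to a bare name) and includes the project default rules from the Default GCP Firewall Rules section so you can see how they score.

```python
"""Audit exported VPC firewall rules for the problems called out in the best practices.

Added example, not code from the original post or from Google. Input is the JSON
that `gcloud compute firewall-rules list --format=json` emits; the sample rule set
below is constructed for the demo.
"""
import ipaddress
import json
from dataclasses import dataclass
from typing import Dict, List, Tuple

ADMIN_PORTS = (22, 3389)        # SSH and RDP
Spec = Tuple[str, int, int]     # (protocol, low port, high port)


@dataclass
class Finding:
    rule: str
    check: str                  # short code, e.g. "open-admin-port"
    severity: str               # HIGH / MEDIUM / LOW
    detail: str


def _specs(rule: Dict) -> List[Spec]:
    """Flatten allowed/denied entries to (protocol, lo, hi); no ports means every port."""
    out = []
    for entry in rule.get("allowed", []) + rule.get("denied", []):
        for p in entry.get("ports") or ["0-65535"]:
            lo, _, hi = p.partition("-")
            out.append((entry["IPProtocol"].lower(), int(lo), int(hi or lo)))
    return out


def _covers(a: Spec, b: Spec) -> bool:
    """True if spec a matches every protocol/port that spec b matches."""
    return (a[0] == "all" or a[0] == b[0]) and a[1] <= b[1] and b[2] <= a[2]


def _ranges(rule: Dict) -> list:
    key = "sourceRanges" if rule["direction"] == "INGRESS" else "destinationRanges"
    return [ipaddress.ip_network(r, strict=False) for r in rule.get(key, [])]


def _targets_cover(a: Dict, b: Dict) -> bool:
    """True if rule a applies to every instance rule b applies to."""
    a_tags, a_sa = set(a.get("targetTags", [])), set(a.get("targetServiceAccounts", []))
    if not a_tags and not a_sa:
        return True                      # a targets all instances in the network
    b_tags, b_sa = set(b.get("targetTags", [])), set(b.get("targetServiceAccounts", []))
    return (bool(b_tags) and b_tags <= a_tags) or (bool(b_sa) and b_sa <= a_sa)


def _shadows(a: Dict, b: Dict) -> bool:
    """True if every packet b could match is already decided by rule a."""
    if a["name"] == b["name"] or a.get("disabled") or a["direction"] != b["direction"]:
        return False
    if a.get("network") != b.get("network"):
        return False
    pa, pb = a.get("priority", 1000), b.get("priority", 1000)
    earlier = pa < pb or (pa == pb and "denied" in a and "allowed" in b)   # deny wins ties
    if not earlier or not _targets_cover(a, b):
        return False
    a_nets = _ranges(a)
    if not all(any(bn.version == an.version and bn.subnet_of(an) for an in a_nets) for bn in _ranges(b)):
        return False
    a_specs = _specs(a)
    return all(any(_covers(x, y) for x in a_specs) for y in _specs(b))


def audit(rules: List[Dict]) -> List[Finding]:
    findings: List[Finding] = []
    for r in rules:
        if r.get("disabled"):
            continue
        is_allow = "allowed" in r
        if is_allow and r["direction"] == "INGRESS" and any(n.prefixlen == 0 for n in _ranges(r)):
            specs = _specs(r)
            exposed = [p for p in ADMIN_PORTS if any(_covers(s, ("tcp", p, p)) for s in specs)]
            if any(_covers(s, ("tcp", 0, 65535)) for s in specs):
                findings.append(Finding(r["name"], "open-all-ports", "HIGH", "every TCP port open to any source"))
            elif exposed:
                findings.append(Finding(r["name"], "open-admin-port", "HIGH", f"admin port(s) {exposed} open to any source"))
            else:
                findings.append(Finding(r["name"], "open-to-internet", "MEDIUM", "allow rule with a 0.0.0.0/0 or ::/0 source"))
        if is_allow and not r.get("logConfig", {}).get("enable", False):
            findings.append(Finding(r["name"], "logging-off", "LOW", "allow rule without Firewall Rules Logging"))
        shadow = next((a for a in rules if _shadows(a, r)), None)
        if shadow:
            findings.append(Finding(r["name"], "shadowed", "LOW",
                                    f"never reached: covered by {shadow['name']} (priority {shadow.get('priority', 1000)})"))
    return findings


# Constructed sample export: the project default rules plus three custom rules.
SAMPLE_RULES = json.loads("""[
{"name":"default-allow-ssh","network":"default","direction":"INGRESS","priority":65534,"sourceRanges":["0.0.0.0/0"],"allowed":[{"IPProtocol":"tcp","ports":["22"]}],"logConfig":{"enable":false}},
{"name":"default-allow-rdp","network":"default","direction":"INGRESS","priority":65534,"sourceRanges":["0.0.0.0/0"],"allowed":[{"IPProtocol":"tcp","ports":["3389"]}],"logConfig":{"enable":false}},
{"name":"default-allow-internal","network":"default","direction":"INGRESS","priority":65534,"sourceRanges":["10.128.0.0/9"],"allowed":[{"IPProtocol":"tcp","ports":["0-65535"]},{"IPProtocol":"udp","ports":["0-65535"]},{"IPProtocol":"icmp"}],"logConfig":{"enable":false}},
{"name":"allow-web","network":"default","direction":"INGRESS","priority":1000,"sourceRanges":["0.0.0.0/0"],"targetTags":["web"],"allowed":[{"IPProtocol":"tcp","ports":["80","443"]}],"logConfig":{"enable":true}},
{"name":"allow-ssh-from-corp","network":"default","direction":"INGRESS","priority":1000,"sourceRanges":["203.0.113.0/24"],"targetTags":["bastion"],"allowed":[{"IPProtocol":"tcp","ports":["22"]}],"logConfig":{"enable":true}},
{"name":"deny-ssh-all","network":"default","direction":"INGRESS","priority":900,"sourceRanges":["0.0.0.0/0"],"denied":[{"IPProtocol":"tcp","ports":["22"]}],"logConfig":{"enable":true}}
]""")

if __name__ == "__main__":
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    for f in sorted(audit(SAMPLE_RULES), key=lambda f: order[f.severity]):
        print(f"{f.severity:6} {f.rule:24} {f.check:16} {f.detail}")
```

On the sample, default-allow-ssh and default-allow-rdp score HIGH for exposing admin ports to any source, allow-web scores MEDIUM for its 0.0.0.0/0 source, every default rule is flagged for missing logging, and both allow-ssh-from-corp and default-allow-ssh are reported as shadowed by the broader deny-ssh-all at priority 900. To run it against a real project, replace SAMPLE_RULES with json.load over the output of the gcloud command named in the lead-in; the shadow check is conservative (it only reports a rule when another rule covers all of its targets, addresses and ports), so a clean report is not proof that no rule is dead.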

Conclusion

Throughout this blog post, we explored the essential aspects of managing firewall rules within Google Cloud's Virtual Private Cloud (VPC) environment. Here’s a quick recap of what we’ve learned:

  • Core Components of firewall rules help define how network traffic is controlled using direction, priorities, actions (allow/deny), targets, IP ranges, and ports.
  • Default GCP Firewall Rules come pre-configured to enable basic connectivity between VMs and for common remote access tools like SSH and RDP. However, it's critical to evaluate and adjust these for enhanced security.
  • Creating Custom Firewall Rules gives you the power to tailor traffic control to your exact needs, including defining IP ranges, protocols, ports, and targets using tags or service accounts.
  • Firewall Rule Evaluation follows a strict order based on rule priority, where the first matching rule determines whether traffic is allowed or denied. Understanding this evaluation logic helps prevent misconfigurations.
  • Best Practices emphasize the need to follow the principle of least privilege, use specific targeting mechanisms, enable logging, audit regularly, and document configurations clearly to maintain a secure and well-managed environment.

By mastering these components and applying best practices, you’ll be well on your way to building a more secure and efficient cloud infrastructure.

Thanks for following along! Whether you’re new to GCP or refining your current firewall rules strategy, we hope this guide helps you confidently manage your cloud network’s security boundaries.

Happy cloud networking! ☁️🛡️