Lab, Creating Firewall Rules on a Google Cloud VPC Network

 


Firewall Rules on a GCP VPC Network

Objective:

  1. Allow public access to the compute instances via SSH
  2. Restrict one of the instances to ICMP access from subnet-a only
  3. Test the connectivity

Prerequisite:

  • Create 2 instances in one subnet and another 2 in a second subnet
  • All instances should be part of the custom VPC


Solution:

Step 1: Log in to the Google Cloud console "https://cloud.google.com/" and complete the prerequisites

[Screenshot: GCP login]

  • From the top-left menu, scroll down to VPC network, then click Firewall rules in the sub menu
[Screenshot: Google Compute Engine]

  • Create the instances in the custom VPC. The result will look like below.

[Screenshot: Google firewall rules]




Step 2: We will now create a wide-scope rule to allow SSH access to the entire network from all public sources.


  • Click firewall rules

[Screenshot: GCP firewall rules]

  • Name the rule "allow-ssh"; you can give it any name of your choice
  • In the network drop-down menu, select custom-vpc.
[Screenshot: allow-ssh properties]

  • In the targets drop-down menu, select "All instances in the network"
  • In the source filter drop-down menu, select IP ranges (should be the default)
  • In source IP ranges, enter "0.0.0.0/0". This allows access from any public location.
  • In protocols and ports, select Specified protocols and ports
  • Place a check in tcp and enter 22 in the text box to the right of it
[Screenshot: SSH port]

  • Now click the create button

[Screenshot: GCP firewall port]

  • Now I can see the firewall rule is created

[Screenshot: GCP firewall rule list]





Step 3: Let's apply a network tag to our Compute Engine instance "Instance-2". The tag lets a later firewall rule apply only to that one instance.


  • Go to Compute Engine and click on instance-2

[Screenshot: GCP instance list]

  • Click the Edit button at the top

[Screenshot: GCP Compute Engine instance details]

  • Scroll down, and under Network tags enter "icmp-allow", hit Enter to confirm the tag, then click Save at the bottom to confirm
[Screenshot: icmp-allow network tag]



Step 4: Create a narrow-scope firewall rule for instance-2. This rule will allow only ICMP traffic to my "instance-2", and only from subnet-a as the source.


  • Go to the firewall menu and create a new rule (from the top-left menu, scroll down to VPC network, then click Firewall rules in the sub menu)
[Screenshot: GCP firewall rules]


  • Name the rule allow-icmp
  • Choose the "custom-vpc" network
[Screenshot: allow-icmp rule]

  • In the targets drop-down menu, set to Specified target tags if not already the default.
  • In the target tags field, type "icmp-allow" and hit Enter.
  • In the source filter drop-down, choose IP ranges
  • Enter the IP range of our subnet-a subnet
  • In protocols and ports, choose Specified protocols and ports.
  • Place a check in Other protocols and type in "icmp" (there is no port number for ICMP)
[Screenshot: ICMP rule properties]


  • If you wish, view the command line cross reference again (it may still be glitched for the network field), then close it and click Create to create the rule



Step 5: Now let's test the firewall rule to validate it.

  • Go to Compute Engine
  • Next to 'Instance-2', write down or highlight/copy the internal IP address of instance-2 (in my case it's 10.0.2.2)
[Screenshot: instance list with internal IPs]
  • SSH into 'Instance-1a'
[Screenshot: SSH session]

  • Attempt to ping the instance by entering "ping internalIP". If it succeeds, press Ctrl+C to quit ping.
  • Exit the "instance-1a" SSH session, then SSH into 'Instance-1b' and attempt to ping 'Instance-2' again. Once successful, exit from 'Instance-1b'.
  • SSH into 'Instance-3' and attempt to ping 'Instance-2' again. This time the ping should not succeed, as the rule allows traffic only from subnet-a.
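As an added example (not part of the original lab), the following Python model of GCP VPC ingress evaluation is applied to the two rules created above. It reproduces the Step 5 expectations and also shows that allow-ssh, because it targets all instances, still admits tcp/22 to instance-2 from any source. The subnet-a range (10.0.1.0/24) and all instance IPs other than 10.0.2.2 are assumed values.

```python
import ipaddress

# Constructed model of the two lab rules (not a real API response).
# An empty targetTags list means "all instances in the network".
RULES = [
    {"name": "allow-ssh", "priority": 1000, "action": "allow",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": [],
     "protocol": "tcp", "ports": [22]},
    {"name": "allow-icmp", "priority": 1000, "action": "allow",
     "sourceRanges": ["10.0.1.0/24"],  # subnet-a range: assumed
     "targetTags": ["icmp-allow"], "protocol": "icmp", "ports": []},
]

# Constructed instances; only 10.0.2.2 comes from the lab, the rest are assumed.
INSTANCES = {
    "instance-1a": {"ip": "10.0.1.2", "tags": []},
    "instance-1b": {"ip": "10.0.1.3", "tags": []},
    "instance-2":  {"ip": "10.0.2.2", "tags": ["icmp-allow"]},
    "instance-3":  {"ip": "10.0.2.3", "tags": []},
}

def rule_matches(rule, src_ip, dst_tags, protocol, port):
    """True if the rule applies to this packet: target tag, protocol/port, source range."""
    if rule["targetTags"] and not set(rule["targetTags"]) & set(dst_tags):
        return False
    if rule["protocol"] != protocol:
        return False
    if protocol in ("tcp", "udp") and rule["ports"] and port not in rule["ports"]:
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(r) for r in rule["sourceRanges"])

def ingress_allowed(src_ip, dst_tags, protocol, port=None, rules=RULES):
    """GCP ingress semantics: lowest priority number wins; at equal priority deny
    beats allow; anything no rule matches hits the implied deny-all ingress rule."""
    matching = [r for r in rules if rule_matches(r, src_ip, dst_tags, protocol, port)]
    if not matching:
        return False
    best = min(r["priority"] for r in matching)
    return all(r["action"] == "allow" for r in matching if r["priority"] == best)

def can_reach(src_name, dst_name, protocol, port=None):
    """Evaluate traffic between two lab instances by name."""
    return ingress_allowed(INSTANCES[src_name]["ip"], INSTANCES[dst_name]["tags"], protocol, port)

if __name__ == "__main__":
    for src in ("instance-1a", "instance-1b", "instance-3"):
        print(f"{src} -> instance-2 icmp: {can_reach(src, 'instance-2', 'icmp')}")
    # The wide-scope SSH rule still reaches instance-2 from the internet.
    print("203.0.113.7 -> instance-2 tcp/22:", ingress_allowed("203.0.113.7", ["icmp-allow"], "tcp", 22))
```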






