Lab, Creating Firewall Rules on a Google Cloud VPC Network
Firewall Rules on a GCP - VPC Network
Objective:
Allow public access to the compute instances via SSH
Allow ICMP to one instance only, and only from subnet-a
Test the connectivity
Prerequisite:
Create two instances in one subnet (instance-1a and instance-1b in subnet-a) and two in another subnet (instance-2 and instance-3)
All four instances should be part of the same custom VPC. A custom VPC starts with only the implied rules (deny all ingress, allow all egress), so nothing can reach the instances until you add firewall rules.
Solution:
Step 1: Log in to the Google Cloud console ("https://cloud.google.com/") and complete the prerequisites
From the top-left menu, scroll down to VPC network, then click Firewall rules in the submenu
Create the instances in the custom VPC; the instance list should then look like the screenshot below.
Step 2: We will now create a wide-scope rule that allows SSH access to the entire network from all public sources
Click Firewall rules, then Create firewall rule
Name the rule "allow-ssh" (you can give it any name of your choice)
In the Network drop-down menu, select custom-vpc
In the Targets drop-down menu, select "All instances in the network"
In the Source filter drop-down menu, select IP ranges (this should be the default)
In Source IP ranges, enter "0.0.0.0/0". This allows SSH from any address on the internet. That is acceptable for a lab, but in a real project you would narrow it to your own address range, or to the IAP TCP forwarding range 35.235.240.0/20 and reach the VMs through IAP instead of exposing port 22 publicly.
In Protocols and ports, select "Specified protocols and ports"
Place a check in tcp and enter 22 in the text box to the right of it
Now click the Create button
The firewall rule now appears in the list
Step 3: Let's apply a network tag to the Compute Engine instance "instance-2". The tag lets a later firewall rule target only that one instance.
Go to Compute Engine and click on instance-2
Click the Edit button at the top
Scroll down and, under Network tags, enter "icmp-allow", press Enter to confirm the tag, then click Save at the bottom to confirm
Step 4: Create a narrow-scope firewall rule for instance-2. This rule allows only ICMP traffic to "instance-2", and only when the source is subnet-a.
Go to the firewall menu and create a new rule (from the top-left menu, scroll down to VPC network, then click Firewall rules in the submenu)
Name the rule "allow-icmp"
Choose the "custom-vpc" network
In the Targets drop-down menu, select "Specified target tags" if it is not already the default
In the Target tags field, type "icmp-allow" and press Enter
In the Source filter drop-down menu, choose IP ranges
Enter the IP range of the subnet-a subnet (the CIDR shown for subnet-a under VPC network > VPC networks > custom-vpc)
In Protocols and ports, choose "Specified protocols and ports"
Place a check in "Other protocols" and type "icmp" (ICMP has no port numbers, so no port is entered)
If you wish, view the equivalent command line (it may still render the network field incorrectly), then close it and click Create to create the rule
Step 5: Now let's test the firewall rules to validate them.
Go to Compute Engine
Next to "instance-2", write down or copy the internal IP address of instance-2 (in my case it is 10.0.2.2)
SSH into "instance-1a"
Attempt to ping instance-2 by entering "ping internalIP" (for example "ping 10.0.2.2"). If it succeeds, press Ctrl+C to quit ping.
Exit the "instance-1a" SSH session, then SSH into "instance-1b" and ping "instance-2" again. Once that succeeds, exit from "instance-1b".
SSH into "instance-3" and ping "instance-2" again. This time the ping should fail: the only ICMP rule allows traffic from subnet-a, instance-3 is not in subnet-a, and the VPC's implied deny-ingress rule drops everything no allow rule matches. Note that SSH to instance-2 still works from anywhere, because the allow-ssh rule from Step 2 targets all instances in the network.
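The same Steps 2 to 5 as gcloud commands, plus a small offline model of how the two rules decide ingress traffic. This is an added example and not part of the original lab; it assumes (the page does not say) that subnet-a is 10.0.1.0/24, that every VM is in zone us-central1-a, and that the active gcloud project already contains custom-vpc and the four instances. By default it only prints the gcloud commands; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example (not from the original lab): gcloud equivalent of Steps 2-5,
# plus an offline model of the resulting rule set.
# Assumptions not stated on the page: subnet-a is 10.0.1.0/24, every VM is in
# us-central1-a, and the active gcloud project already contains custom-vpc.
NETWORK="custom-vpc"
ZONE="us-central1-a"
SUBNET_A_RANGE="10.0.1.0/24"   # assumed; confirm with: gcloud compute networks subnets describe subnet-a
INSTANCE_2_IP="10.0.2.2"       # internal IP of instance-2 from the lab
TAG="icmp-allow"
DRY_RUN="${DRY_RUN:-1}"        # 1 = only print gcloud commands; DRY_RUN=0 executes them

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 2: wide-scope rule, tcp/22 from any source to every instance in the network.
create_ssh_rule() {
  run gcloud compute firewall-rules create allow-ssh --network="$NETWORK" \
    --direction=INGRESS --allow=tcp:22 --source-ranges=0.0.0.0/0
}

# Step 3: tag instance-2 so a rule can target just that VM.
tag_instance_2() {
  run gcloud compute instances add-tags instance-2 --zone="$ZONE" --tags="$TAG"
}

# Step 4: narrow-scope rule, ICMP only, from subnet-a only, to tagged VMs only.
create_icmp_rule() {
  run gcloud compute firewall-rules create allow-icmp --network="$NETWORK" \
    --direction=INGRESS --allow=icmp --source-ranges="$SUBNET_A_RANGE" --target-tags="$TAG"
}

# Step 5: run ping on a source VM; exit status 0 means replies came back.
ping_from() {   # ping_from <source-vm>
  run gcloud compute ssh "$1" --zone="$ZONE" --command="ping -c 3 -W 2 $INSTANCE_2_IP"
}

# --- Offline model of the rule set the steps above produce -------------------
ip_to_int() {   # dotted quad -> 32-bit integer
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_cidr() {     # in_cidr <ip> <cidr> -> exit 0 if the address lies inside the range
  ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits="${2#*/}"
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# ingress_decision <src-ip> <protocol> <port-or-"-"> <dest-has-tag: yes|no>
# Echoes "allow" or "deny". Only the two rules above exist; anything they do not
# match falls through to the VPC's implied deny-ingress rule.
ingress_decision() {
  src="$1"; proto="$2"; port="$3"; tagged="$4"
  if [ "$proto" = "tcp" ] && [ "$port" = "22" ]; then
    echo allow; return            # allow-ssh: 0.0.0.0/0 matches every source
  fi
  if [ "$proto" = "icmp" ] && [ "$tagged" = "yes" ] && in_cidr "$src" "$SUBNET_A_RANGE"; then
    echo allow; return            # allow-icmp: tagged target and source inside subnet-a
  fi
  echo deny                        # implied deny-ingress
}

create_ssh_rule
tag_instance_2
create_icmp_rule
ping_from instance-1a   # expected: replies (source in subnet-a)
ping_from instance-3    # expected: no replies (source outside subnet-a)
```

The model makes the Step 5 outcome explicit: an ICMP packet from a subnet-a address to the tagged instance is the only ICMP that any rule allows, while tcp/22 is allowed from every source because allow-ssh has no target tag and a 0.0.0.0/0 source range.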