Lab, Creating Firewall Rules on a Google Cloud VPC Network

 


Firewall Rules on a GCP - VPC Network

Objective:

  1. Allow public access to the compute instances via SSH
  2. Restrict one instance to ICMP access only from subnet-a
  3. Test the connectivity

Prerequisite:

  • Create 2 instances in one subnet and 2 more in another subnet
  • All instances should be part of a custom VPC


Solution:

Step 1: Log in to the Google Cloud console "https://cloud.google.com/" and complete the prerequisites

  • From the top-left menu, scroll down to VPC network, then click Firewall rules in the sub menu

  • Create the instances in the custom VPC. It will look like below.




Step 2: We will now create a wide-scope rule to allow SSH access to the entire network from all public sources


  • Click firewall rules


  • Name the rule "allow-ssh" (you can give it any name of your choice)
  • In the Network drop-down menu, select custom-vpc.

  • In the Targets drop-down menu, select "All instances in the network"
  • In the Source filter drop-down menu, select IP ranges (should be the default)
  • In Source IP ranges, enter "0.0.0.0/0". This allows access from any public location.
  • In Protocols and ports, select Specified protocols and ports
  • Place a check in tcp and enter 22 in the text box to the right of it

  • Now click the create button


  • Now I can see the firewall rule is created





Step 3: Let's apply a network tag to our Compute Engine instance "instance-2". The tag will let a later firewall rule apply to that one instance only.


  • Go to Compute Engine and click on instance-2

  • Click the Edit button at the top

  • Scroll down, and under Network tags, enter "icmp-allow", hit Enter to confirm the tag, then click Save at the bottom to confirm



Step 4: Create a narrow-scope firewall rule for instance-2. This rule will only allow ICMP traffic to "instance-2", and only from subnet-a as the source.


  • Go to the Firewall menu and create a new rule (from the top-left menu, scroll down to VPC network, then click Firewall rules in the sub menu)


  • Name the rule allow-icmp
  • Choose the "custom-vpc" network

  • In the Targets drop-down menu, select Specified target tags if it is not already the default.
  • In the Target tags field, type "icmp-allow" and hit Enter.
  • In the Source filter drop-down, choose IP ranges
  • Enter the IP range of our subnet-a subnet
  • In Protocols and ports, choose Specified protocols and ports.
  • Place a check in Other protocols and type in "icmp" (there is no port number for ICMP)


  • If you wish, view the command line cross reference again (it may still be glitched for the network field), then close it and click Create to create the rule



Step 5: Now let's test the firewall rules to validate them.

  • Go to Compute Engine
  • Next to 'instance-2', write down or highlight/copy the internal IP address of instance-2 (in my case it is 10.0.2.2)
  • SSH into 'instance-1a'

  • Attempt to ping the instance by entering "ping internalIP". If it succeeds, press Ctrl+C to quit ping.
  • Exit the "instance-1a" SSH session, then SSH into 'instance-1b' and attempt to ping 'instance-2' again. Once successful, exit from 'instance-1b'.
  • SSH into 'instance-3' and attempt to ping 'instance-2' again. This time the ping should not succeed, because the rule allows traffic only from subnet-a.
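To see why the three pings behave as they do, here is an added example (not part of the lab) that models how VPC firewall rules scope ingress traffic: the wide allow-ssh rule, the tag-scoped allow-icmp rule, and the implied deny-all ingress rule that catches everything else. The subnet ranges (subnet-a = 10.0.1.0/24, subnet-b = 10.0.2.0/24) and the instance IPs other than 10.0.2.2 are assumptions.

```python
"""Model of GCP VPC ingress evaluation for the two lab rules (added example)."""
import ipaddress

# Assumed addressing: the lab only states that instance-2 is 10.0.2.2.
SUBNET_A = "10.0.1.0/24"
SUBNET_B = "10.0.2.0/24"

# Rules as created in the lab; 1000 is the console's default priority.
RULES = [
    {"name": "allow-ssh", "priority": 1000, "action": "allow",
     "sources": ["0.0.0.0/0"], "target_tags": None,     # None = all instances
     "protocols": {"tcp": {22}}},
    {"name": "allow-icmp", "priority": 1000, "action": "allow",
     "sources": [SUBNET_A], "target_tags": {"icmp-allow"},
     "protocols": {"icmp": None}},                       # None = no port concept
]

# Assumed instance layout: 1a/1b in subnet-a, 2/3 in subnet-b.
INSTANCES = {
    "instance-1a": {"ip": "10.0.1.2", "tags": set()},
    "instance-1b": {"ip": "10.0.1.3", "tags": set()},
    "instance-2":  {"ip": "10.0.2.2", "tags": {"icmp-allow"}},
    "instance-3":  {"ip": "10.0.2.3", "tags": set()},
}

def rule_matches(rule, src_ip, dst, proto, port):
    """True if the rule's target, source range and protocol/port all match."""
    if rule["target_tags"] is not None and not (rule["target_tags"] & dst["tags"]):
        return False
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(s) for s in rule["sources"]):
        return False
    if proto not in rule["protocols"]:
        return False
    ports = rule["protocols"][proto]
    return ports is None or port in ports

def ingress_allowed(src_ip, dst_name, proto, port=None):
    """Return (allowed, deciding_rule) for a packet arriving at dst_name."""
    dst = INSTANCES[dst_name]
    # Lowest priority number wins; at equal priority GCP prefers deny over allow.
    for rule in sorted(RULES, key=lambda r: (r["priority"], r["action"] != "deny")):
        if rule_matches(rule, src_ip, dst, proto, port):
            return rule["action"] == "allow", rule["name"]
    return False, "implied-deny"   # GCP's implied deny-all ingress rule (65535)
```

The same model shows that instance-3, which carries no tag, is unreachable by ICMP even from subnet-a, which is the point of scoping the rule with a target tag rather than to all instances.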






