
Without taking the right precautions, you run the risk of exposing your systems to new vulnerabilities. It is therefore key to control traffic in and out of your instances on Google Cloud Platform by creating firewall rules. In this codelab, you'll learn about Google Cloud Platform's firewall rules and how to apply them to Compute Engine VM instances.

What are firewall rules?

Google Cloud Platform firewall rules let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration you specify. Enabled GCP firewall rules are always enforced, protecting your instances regardless of their configuration and operating system, even if they have not started up.

Every VPC network functions as a distributed firewall. While firewall rules are defined at the network level, connections are allowed or denied on a per-instance basis. You can think of the GCP firewall rules as existing not only between your instances and other networks, but between individual instances within the same network.

What you'll build

  • Two Compute Engine instances in different subnetworks
  • Perform a network ping test
  • Create and apply firewall rules using instance tags

You will be building the following architecture:

What you'll learn

  • Characteristics of firewall rules
  • How to apply firewall rules to instances using instance tags
  • Best practices around firewall rules

What you'll need

  • A Google Cloud Platform account
  • Two Compute Engine instances from Lab 1 of this series

Self-paced environment setup

If you don't already have a Google Account (Gmail or Google Apps), you must create one. Sign in to the Google Cloud Platform console (console.cloud.google.com) and create a new project:

Remember the project ID, a unique name across all Google Cloud projects. It will be referred to in these codelabs as PROJECT_ID.

Next, you'll need to enable billing in the Cloud Console in order to use Google Cloud resources.

Running through this codelab shouldn't cost you more than a few dollars, but it could be more if you decide to use more resources or if you leave them running (see "cleanup" section at the end of this document).

New users of Google Cloud Platform are eligible for a $300 free trial.

Initialize your Project environment

Compute → Compute Engine → VM Instances

Once enabling the Compute Engine API completes, you will do most of the work from the Google Cloud Shell, a command line environment running in the Cloud. This Debian-based virtual machine is loaded with all the development tools you'll need (gcloud, git and others) and offers a persistent 5GB home directory. Open the Google Cloud Shell by clicking on the icon on the top right of the screen:

You can pick and choose different zones too. Learn more about zones in Regions & Zones documentation.

View existing firewall rules by heading to

Networking → VPC Network → Firewall Rules

Notice there are only firewall rules created for the Default Network.

We need to create firewall rules for our existing Compute Engine instances in order to SSH into them, since we did not specify any firewall rules when creating custom-network1.

Next, create a firewall rule allowing SSH access to tagged instances.

Stay on the firewall rules page. Click Create firewall rule.

Add the following specifications:

  • Name: allow-ssh
  • Network: custom-network1
  • Direction of traffic: Ingress
  • Action on match: allow
  • Targets: Specified target tags
  • Target tags: iperf-access
  • Source IP ranges: 0.0.0.0/0
  • Protocols and ports: Specified protocols and ports: tcp: 22

Let's apply tags to our two existing instances.

Head to the Compute Engine instance page by going to

Compute → Compute Engine → VM instances

Click on instance-1 and view the VM instance details. Click Edit.

Scroll down to the Network tags section and give it a tag called iperf-access.

Click Save at the bottom. Go back to the VM Instances page, and now repeat for instance-2 by clicking Edit and adding the same instance tag iperf-access.

Iperf

Iperf is a commonly used network testing tool that can create TCP/UDP data streams and measure the throughput of the network that carries them. We'll use it to run a quick test between our instances in different subnets within custom-network1.

Install iperf

Head back to the Compute Engine instance page.

SSH into the two VMs you created from the last lab by clicking on the SSH button next to each instance listing.

You should see two SSH windows pop up.

In both SSH windows, install iperf with the following command:

sudo apt-get install iperf

Run an iperf test

In instance-2, specify it is the iperf server by entering the following in the instance-2 SSH terminal:

iperf -s

In the instance-1 SSH window enter the following command, including the internal IP of instance-2:

iperf -c [INSTANCE-2 INTERNAL IP]

It will hang because no firewall rule yet allows this traffic between instance-1 and instance-2! Terminate the command by entering Ctrl-z.

This time let's create the firewall rule using the Cloud Shell.

Make sure you are in your Cloud Shell and not your instance SSH sessions. Create a firewall rule by entering the following:

gcloud compute firewall-rules create iperf-access --allow tcp:5001 \
      --source-ranges 0.0.0.0/0 \
      --network custom-network1 \
      --target-tags=iperf-access

Confirm it was created with the following:

gcloud compute firewall-rules list

NAME                         NETWORK          DIRECTION  PRIORITY  ALLOW                         DENY  DISABLED
allow-ssh                    custom-network1  INGRESS    1000      tcp:22                              False
default-allow-icmp           default          INGRESS    65534     icmp                                False
default-allow-internal       default          INGRESS    65534     tcp:0-65535,udp:0-65535,icmp        False
default-allow-rdp            default          INGRESS    65534     tcp:3389                            False
default-allow-ssh            default          INGRESS    65534     tcp:22                              False
iperf-access                 custom-network1  INGRESS    1000      tcp:5001                            False
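To make the rule semantics concrete (why the first iperf attempt hung, and why the rule only helps instances tagged iperf-access), here is an added example that is not part of this codelab and not Google's code. It parses the rule table printed above and models how GCP evaluates ingress rules for one instance: only rules on the instance's network apply, rules with target tags apply only to instances carrying one of those tags, the matching rule with the lowest priority number wins (deny beats allow on a tie), and an implied deny-ingress rule applies when nothing matches. The list output does not show source ranges or target tags, so those are supplied separately: the tags come from this lab, the 10.128.0.0/9 range assumed for default-allow-internal is the default network's auto-mode range, and the instance IP is a constructed placeholder. It also lists the allow rules reachable from 0.0.0.0/0, which in this lab includes allow-ssh.

```python
# Added example (not code from the codelab or from Google): a small model of
# how GCP evaluates ingress firewall rules against one VM, fed by the table
# that `gcloud compute firewall-rules list` printed above.
import ipaddress
import re
from dataclasses import dataclass, field

# Copied from the list output above. The table omits source ranges and target
# tags, so RULE_DETAILS supplies them.
LIST_OUTPUT = """\
NAME                         NETWORK          DIRECTION  PRIORITY  ALLOW                         DENY  DISABLED
allow-ssh                    custom-network1  INGRESS    1000      tcp:22                              False
default-allow-icmp           default          INGRESS    65534     icmp                                False
default-allow-internal       default          INGRESS    65534     tcp:0-65535,udp:0-65535,icmp        False
default-allow-rdp            default          INGRESS    65534     tcp:3389                            False
default-allow-ssh            default          INGRESS    65534     tcp:22                              False
iperf-access                 custom-network1  INGRESS    1000      tcp:5001                            False
"""

# Tags are from this lab; 10.128.0.0/9 is the default network's auto-mode range
# (an assumption, not shown on the page). Rules not listed here default to source
# range 0.0.0.0/0 and no target tags (i.e. they apply to every instance).
RULE_DETAILS = {
    "allow-ssh": {"target_tags": ["iperf-access"]},
    "iperf-access": {"target_tags": ["iperf-access"]},
    "default-allow-internal": {"source_ranges": ["10.128.0.0/9"]},
}
INSTANCE_1_IP = "192.168.1.2"  # constructed placeholder for instance-1's internal IP


@dataclass
class Rule:
    name: str
    network: str
    priority: int
    action: str                      # "allow" or "deny"
    protocols: dict                  # {"tcp": [(22, 22)], "icmp": None}; None = all ports
    source_ranges: list = field(default_factory=lambda: ["0.0.0.0/0"])
    target_tags: set = field(default_factory=set)  # empty = every instance on the network


def parse_spec(spec):
    """'tcp:22,udp:0-65535,icmp' -> {'tcp': [(22, 22)], 'udp': [(0, 65535)], 'icmp': None}."""
    protocols = {}
    for item in spec.split(","):
        proto, _, ports = item.partition(":")
        if not ports:
            protocols[proto] = None
        else:
            lo, _, hi = ports.partition("-")
            protocols.setdefault(proto, []).append((int(lo), int(hi or lo)))
    return protocols


def parse_list_output(text, details):
    """Parse gcloud's fixed-width table: each token goes to the nearest header column."""
    lines = text.strip("\n").splitlines()
    columns = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[0])]
    rules = []
    for line in lines[1:]:
        fields = {name: "" for name, _ in columns}
        for m in re.finditer(r"\S+", line):
            fields[min(columns, key=lambda c: abs(c[1] - m.start()))[0]] = m.group()
        if fields["DIRECTION"] != "INGRESS" or fields["DISABLED"] == "True":
            continue
        action, spec = ("allow", fields["ALLOW"]) if fields["ALLOW"] else ("deny", fields["DENY"])
        extra = details.get(fields["NAME"], {})
        rules.append(Rule(fields["NAME"], fields["NETWORK"], int(fields["PRIORITY"]), action,
                          parse_spec(spec), extra.get("source_ranges", ["0.0.0.0/0"]),
                          set(extra.get("target_tags", []))))
    return rules


def port_matches(protocols, proto, port):
    if "all" in protocols:
        return True
    if proto not in protocols:
        return False
    ranges = protocols[proto]
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


def evaluate_ingress(rules, network, instance_tags, src_ip, proto, port):
    """Return (action, rule_name) for a connection arriving at an instance.
    Only rules on the instance's network and matching its tags/source/port count;
    lowest priority number wins, deny beats allow on a tie, else implied deny."""
    ip = ipaddress.ip_address(src_ip)
    matches = [r for r in rules
               if r.network == network
               and (not r.target_tags or r.target_tags & set(instance_tags))
               and any(ip in ipaddress.ip_network(n) for n in r.source_ranges)
               and port_matches(r.protocols, proto, port)]
    if not matches:
        return "deny", "implied-deny-ingress"   # GCP's built-in rule at priority 65535
    best = min(matches, key=lambda r: (r.priority, r.action != "deny"))
    return best.action, best.name


def wide_open_rules(rules):
    """Names of allow rules whose source range is the whole Internet (0.0.0.0/0)."""
    return sorted(r.name for r in rules if r.action == "allow" and "0.0.0.0/0" in r.source_ranges)


if __name__ == "__main__":
    rules = parse_list_output(LIST_OUTPUT, RULE_DETAILS)
    before = [r for r in rules if r.name != "iperf-access"]  # state when the first iperf hung
    for label, rs in (("before iperf-access", before), ("after iperf-access", rules)):
        print(label, evaluate_ingress(rs, "custom-network1", {"iperf-access"}, INSTANCE_1_IP, "tcp", 5001))
    print("allow rules open to 0.0.0.0/0:", wide_open_rules(rules))
```

Running it shows the tcp:5001 connection from instance-1 falling through to the implied deny before the iperf-access rule exists and being allowed afterwards, and that an instance on custom-network1 without the iperf-access tag is still unreachable on port 22 even though allow-ssh exists. The wide_open_rules check is the kind of review a practitioner would run before leaving 0.0.0.0/0 rules like allow-ssh in place outside a lab.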

Head back to your SSH window for instance-2. Your iperf session should still be active. If it is not, run the following command again.

iperf -s

In the instance-1 SSH window, enter the following command, including the internal IP of instance-2:

iperf -c [INSTANCE-2 INTERNAL IP]

You should see iperf establish a connection to instance-2 and report the internal network throughput between instance-1 and instance-2!

You now know the basics of creating firewall rules on Google Cloud Platform.

What we've covered

  • How instances are affected by firewall rules
  • How to create a firewall rule via the console and Cloud Shell
  • How to apply tags to firewall rules and instances
  • How to run an iperf test between instances

Next Steps

Delete the Compute Engine instances with the following commands in the Cloud Shell.

gcloud compute instances delete instance-1 --zone us-central1-a

The following instances will be deleted. Any attached disks configured
 to be auto-deleted will be deleted unless they are attached to any
other instances or the `--keep-disks` flag is given and specifies them
 for keeping. Deleting a disk is irreversible and any data on the disk
 will be lost.
 - [instance-1] in [us-central1-a]
Do you want to continue (Y/n)?  y
Deleted [https://www.googleapis.com/compute/v1/projects/ypc-demo/zones/us-central1-a/instances/instance-1].
gcloud compute instances delete instance-2 --zone europe-west1-d

The following instances will be deleted. Any attached disks configured
 to be auto-deleted will be deleted unless they are attached to any
other instances or the `--keep-disks` flag is given and specifies them
 for keeping. Deleting a disk is irreversible and any data on the disk
 will be lost.
 - [instance-2] in [europe-west1-d]
Do you want to continue (Y/n)?  y
Deleted [https://www.googleapis.com/compute/v1/projects/ypc-demo/zones/europe-west1-d/instances/instance-2].

Delete the firewall rules with the following commands:

gcloud compute firewall-rules delete allow-ssh

The following firewalls will be deleted:
 - [allow-ssh]
Do you want to continue (Y/n)?  y
Deleted [https://www.googleapis.com/compute/v1/projects/vpc-demo-241520/global/firewalls/allow-ssh].
gcloud compute firewall-rules delete iperf-access

The following firewalls will be deleted:
 - [iperf-access]
Do you want to continue (Y/n)?  y
Deleted [https://www.googleapis.com/compute/v1/projects/vpc-demo-241520/global/firewalls/iperf-access].

Delete the subnetworks created with the following commands:

gcloud compute networks subnets delete subnet-us-central-192 --region us-central1

The following subnetworks will be deleted:
 - [subnet-us-central-192] in [us-central1]
Do you want to continue (Y/n)?  y
Deleted [https://www.googleapis.com/compute/v1/projects/vpc-demo-241520/regions/us-central1/subnetworks/subnet-us-central-192].
gcloud compute networks subnets delete subnet-europe-west-192 --region europe-west1

The following subnetworks will be deleted:
 - [subnet-europe-west-192] in [europe-west1]
Do you want to continue (Y/n)?  y
Deleted [https://www.googleapis.com/compute/v1/projects/vpc-demo-241520/regions/europe-west1/subnetworks/subnet-europe-west-192].

Delete the custom VPC with the following command:

gcloud compute networks delete custom-network1

The following networks will be deleted:
 - [custom-network1]
Do you want to continue (Y/n)?  y
Deleted [https://www.googleapis.com/compute/v1/projects/vpc-demo-241520/global/networks/custom-network1].