Without taking the right precautions, you run the risk of exposing your systems to new vulnerabilities. It is therefore key to control traffic in and out of your instances on Google Cloud Platform by creating firewall rules. In this codelab, you'll learn about Google Cloud Platform's firewall rules and how to apply them to Compute Engine VM instances.
What are firewall rules?
Google Cloud Platform firewall rules let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration you specify. Enabled GCP firewall rules are always enforced, protecting your instances regardless of their configuration and operating system, even if they have not started up.
Every VPC network functions as a distributed firewall. While firewall rules are defined at the network level, connections are allowed or denied on a per-instance basis. You can think of the GCP firewall rules as existing not only between your instances and other networks, but between individual instances within the same network.
What you'll build
- Two Compute Engine instances in different subnetworks
- Perform a network ping test
- Create and apply firewall rules using instance tags
You will be building the following architecture:
What you'll learn
- Characteristics of firewall rules
- How to apply firewall rules to instances using instance tags
- Best practices around firewall rules
What you'll need
- A Google Cloud Platform account
- Two Compute Engine instances from Lab 1 of this series
Self-paced environment setup
Remember the project ID, a unique name across all Google Cloud projects. It will be referred to in these codelabs as PROJECT_ID.
Next, you'll need to enable billing in the Cloud Console in order to use Google Cloud resources.
Running through this codelab shouldn't cost you more than a few dollars, but it could be more if you decide to use more resources or if you leave them running (see "cleanup" section at the end of this document).
New users of Google Cloud Platform are eligible for a $300 free trial.
Initialize your Project environment
Compute → Compute Engine → VM Instances
Once enabling the Compute Engine API completes, you will do most of the work from the Google Cloud Shell, a command line environment running in the Cloud. This Debian-based virtual machine is loaded with all the development tools you'll need (git and others) and offers a persistent 5GB home directory. Open the Google Cloud Shell by clicking on the icon on the top right of the screen:
You can pick and choose different zones too. Learn more about zones in Regions & Zones documentation.
View existing firewall rules by heading to
Networking → VPC Network → Firewall Rules
Notice there are only firewall rules created for the Default Network.
We need to create firewall rules for our existing Compute instances in order to SSH into them since we did not specify any firewall rules when creating
Next, create a firewall rule allowing SSH access to tagged instances.
Stay on the firewall rules page. Click Create firewall rule.
Add the following specifications:
- Name: allow-ssh
- Network: custom-network1
- Direction of traffic: Ingress
- Action on match: allow
- Targets: Specified target tags
- Target tags: iperf-access
- Source IP ranges: 0.0.0.0/0
- Protocols and ports: Specified protocols and ports: tcp: 22
Let's apply tags to our two existing instances.
Head to the Compute Engine instance page by going to
Compute → Compute Engine → VM instances
Click on instance-1 and view the VM instance details. Click Edit.
Scroll down to the Network tags section and give it a tag called iperf-access.
Click Save at the bottom. Go back to the VM Instances page, and now repeat for instance-2 by clicking Edit and adding the same instance tag.
Iperf is a commonly used network testing tool that can create TCP/UDP data streams and measure the throughput of the network that carries them. We'll use it to run a quick test between our instances in different subnets within
Head back to the Compute Engine instance page.
SSH into the two VMs you created from the last lab by clicking on the SSH button next to each instance listing.
You should see two SSH windows pop up.
In both SSH windows, install iperf with the following command:
sudo apt-get install iperf
Run an iperf test
On instance-2, specify that it is the iperf server by entering the following in the instance-2 SSH terminal:
In the instance-1 SSH window, enter the following command, including the internal IP of instance-2:
iperf -c [INSTANCE-2 INTERNAL IP]
It will hang because we have not implemented another firewall rule to allow communication between instance-1 and instance-2! Terminate the command by entering Ctrl-z.
This time let's create the firewall rule using the Cloud Shell.
Make sure you are in your Cloud Shell and not your instance SSH sessions. Create a firewall rule by entering the following:
gcloud compute firewall-rules create iperf-access \
    --allow tcp:5001 \
    --source-ranges 0.0.0.0/0 \
    --network custom-network1 \
    --target-tags=iperf-access
Confirm it was created with the following:
gcloud compute firewall-rules list
NAME                    NETWORK          DIRECTION  PRIORITY  ALLOW                         DENY  DISABLED
allow-ssh               custom-network1  INGRESS    1000      tcp:22                              False
default-allow-icmp      default          INGRESS    65534     icmp                                False
default-allow-internal  default          INGRESS    65534     tcp:0-65535,udp:0-65535,icmp        False
default-allow-rdp       default          INGRESS    65534     tcp:3389                            False
default-allow-ssh       default          INGRESS    65534     tcp:22                              False
iperf-access            custom-network1  INGRESS    1000      tcp:5001                            False
Head back to your SSH window for instance-2. Your iperf session should still be active. If it is not, run the following command again.
In the instance-1 SSH window, enter the following command, including the internal IP of instance-2:
iperf -c [INSTANCE-2 INTERNAL IP]
You should see iperf establish a connection to instance-2 and return an output of internal network performance between instance-1 and instance-2.
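The per-instance matching this codelab relies on (rules defined on the network, applied to instances through target tags, lowest priority number wins, ingress denied unless a rule allows it), as an added Python example that is not part of the codelab or of gcloud. It evaluates a constructed sample in the shape of `gcloud compute firewall-rules list --format=json` for the two rules created above, so you can see why the iperf test hung before iperf-access existed and why an untagged instance in the same network stays closed; the instance IPs and rule fields used are assumptions for illustration.

```python
import ipaddress

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (only the fields the evaluator needs; real output carries full network URLs).
RULES = [
    {"name": "allow-ssh", "network": "custom-network1", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"], "targetTags": ["iperf-access"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}], "disabled": False},
    {"name": "iperf-access", "network": "custom-network1", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"], "targetTags": ["iperf-access"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5001"]}], "disabled": False},
]

def _port_in(spec, port):
    """True if port falls inside a port spec such as "22" or "0-65535"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def _rule_verdict(rule, network, tags, src, proto, port):
    """Return "allowed"/"denied" if this rule covers the packet, else None."""
    if rule.get("disabled") or rule.get("direction") != "INGRESS" or rule["network"] != network:
        return None                           # rules live on exactly one VPC network
    targets = rule.get("targetTags")          # no target tags => every instance in the network
    if targets and not set(targets) & set(tags):
        return None
    # Only CIDR sources are modelled here; sourceTags-based rules are skipped.
    if not any(src in ipaddress.ip_network(c) for c in rule.get("sourceRanges", [])):
        return None
    for verdict in ("denied", "allowed"):
        for entry in rule.get(verdict, []):
            if entry["IPProtocol"] in ("all", proto) and (
                    "ports" not in entry or any(_port_in(p, port) for p in entry["ports"])):
                return verdict
    return None

def ingress_decision(rules, network, tags, src_ip, proto, port):
    """(verdict, rule name) for one ingress packet to an instance with these tags."""
    src = ipaddress.ip_address(src_ip)
    hits = []
    for rule in rules:
        verdict = _rule_verdict(rule, network, tags, src, proto, port)
        if verdict:
            # Lowest priority number wins; at equal priority deny beats allow.
            hits.append((rule["priority"], verdict != "denied", verdict, rule["name"]))
    if not hits:
        return ("denied", "implied-deny-ingress")  # VPC default rule at priority 65535
    return min(hits)[2:]
```

Swapping `sourceRanges` on allow-ssh for a narrower CIDR and re-running the decision shows the difference between the codelab's 0.0.0.0/0 setting and a rule limited to a known address range.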
You now know the basics of creating firewall rules on Google Cloud Platform.
What we've covered
- How instances are affected by firewall rules
- How to create a firewall rule via the console and Cloud Shell
- How to apply tags to firewall rules and instances
- How to run an iperf test between instances
- Learn more about firewall rules in the Firewall Rules documentation
- Learn about IP addresses in Lab 3
Delete Compute Engine instances with the following commands using the Cloud Shell.
gcloud compute instances delete instance-1 --zone us-central1-a
The following instances will be deleted. Any attached disks configured to be auto-deleted will be deleted unless they are attached to any other instances or the `--keep-disks` flag is given and specifies them for keeping. Deleting a disk is irreversible and any data on the disk will be lost.
 - [instance-1] in [us-central1-a]

Do you want to continue (Y/n)? y
Deleted [https://www.googleapis.com/compute/v1/projects/ypc-demo/zones/us-central1-a/instances/instance-1].

gcloud compute instances delete instance-2 --zone europe-west1-d
The following instances will be deleted. Any attached disks configured to be auto-deleted will be deleted unless they are attached to any other instances or the `--keep-disks` flag is given and specifies them for keeping. Deleting a disk is irreversible and any data on the disk will be lost.
 - [instance-2] in [europe-west1-d]

Do you want to continue (Y/n)? y
Deleted [https://www.googleapis.com/compute/v1/projects/ypc-demo/zones/europe-west1-d/instances/instance-2].
Delete the firewall rules with the following commands:
gcloud compute firewall-rules delete allow-ssh
The following firewalls will be deleted:
 - [allow-ssh]

Do you want to continue (Y/n)? y
Deleted [https://www.googleapis.com/compute/v1/projects/vpc-demo-241520/global/firewalls/allow-ssh].

gcloud compute firewall-rules delete iperf-access
The following firewalls will be deleted:
 - [iperf-access]

Do you want to continue (Y/n)? y
Deleted [https://www.googleapis.com/compute/v1/projects/vpc-demo-241520/global/firewalls/iperf-access].
Delete the subnetworks created with the following commands:
gcloud compute networks subnets delete subnet-us-central-192 --region us-central1
The following subnetworks will be deleted:
 - [subnet-us-central-192] in [us-central1]

Do you want to continue (Y/n)? y
Deleted [https://www.googleapis.com/compute/v1/projects/vpc-demo-241520/regions/us-central1/subnetworks/subnet-us-central-192].

gcloud compute networks subnets delete subnet-europe-west-192 --region europe-west1
The following subnetworks will be deleted:
 - [subnet-europe-west-192] in [europe-west1]

Do you want to continue (Y/n)? y
Deleted [https://www.googleapis.com/compute/v1/projects/vpc-demo-241520/regions/europe-west1/subnetworks/subnet-europe-west-192].
Delete the custom VPC with the following command:
gcloud compute networks delete custom-network1
The following networks will be deleted:
 - [custom-network1]

Do you want to continue (Y/n)? y
Deleted [https://www.googleapis.com/compute/v1/projects/vpc-demo-241520/global/networks/custom-network1].