GCP Classroom Series – 18/Feb/2021

Firewall

  • Firewall is all about allowing and denying network traffic
  • Corporate firewall / traditional firewall: a single appliance at the network perimeter
  • Google also has a virtual firewall which is defined at the network (VPC) level but is enforced for each instance
  • No firewall means
    • no ingress => no packets are allowed to communicate into GCP VM Instance
    • full egress => all the packets will be allowed to communicate from GCP VM Instance
  • A firewall has rules, which manage external and internal access to resources
  • Implied => deny all ingress
  • Implied => Allow all egress
  • Firewall rule components
    • Direction: Ingress or Egress
    • Target: GCP resources the rule applies to: Entire network, Target Tags, Service Account
    • Source/Destination Filter: Incoming Sources, Outgoing Destination that the rule applies to
    • Action: Allow or Deny
    • Protocol/Port: Protocols and ports that are allowed/denied
    • Priority: decides the winner among overlapping/conflicting rules (the lower the number, the higher the priority)
  • The default firewall rules created by GCP for the default VPC are as shown below
  • Let's quickly create a virtual instance in the default network with any Linux OS in us-central1
  • Then create one more virtual machine in the default network with any Linux OS in us-east1
  • Now connect to vm1 using the browser SSH session
  • vm1, which we created, is able to ping the internet and also vm2 using its internal IP

Exercise

  • Create a custom VPC with two subnets, one in us-central1 and one in us-east1
  • Now create a VM in us-central1 and one in us-east1
  • Try to connect to the VMs created.
  • We will not be able to log in, as the default/implied firewall rule (deny all ingress) comes into play
  • Now create a firewall rule which allows SSH traffic to the VM with the tag webserver
  • After this we should be able to log in to the web server
  • Now let's create a firewall rule which allows SSH from the webserver into the appserver
    • Create a tag for the appserver
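The following is an added example (not from the original notes) that models the rule components listed above and the two rules of this exercise: it evaluates a packet against a constructed rule set the way the VPC firewall does, with the implied deny-ingress/allow-egress rules at the lowest priority, target tags selecting the instances a rule is enforced on, source ranges/tags filtering ingress, and the lower priority number winning. Rule names, tags and IP addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    direction: str                 # "INGRESS" or "EGRESS"
    action: str                    # "allow" or "deny"
    protocol: str = "all"          # "tcp", "udp", "icmp" or "all"
    ports: frozenset = frozenset() # empty = every port
    priority: int = 1000           # lower number = higher priority
    target_tags: frozenset = frozenset()   # empty = entire network
    source_ranges: tuple = ()      # CIDR strings (ingress source filter)
    source_tags: frozenset = frozenset()   # network tags of sending instances

# Implied rules GCP adds to every VPC network at the lowest priority
IMPLIED = [Rule("implied-deny-ingress", "INGRESS", "deny", priority=65535),
           Rule("implied-allow-egress", "EGRESS", "allow", priority=65535)]

def _matches(rule, direction, remote_ip, remote_tags, instance_tags, proto, port):
    if rule.direction != direction:
        return False
    if rule.target_tags and not rule.target_tags & instance_tags:
        return False  # rule is enforced only on instances carrying a target tag
    if rule.source_ranges or rule.source_tags:  # any listed source matches
        ip = ipaddress.ip_address(remote_ip)
        in_range = any(ip in ipaddress.ip_network(r) for r in rule.source_ranges)
        if not (in_range or rule.source_tags & remote_tags):
            return False
    if rule.protocol != "all" and rule.protocol != proto:
        return False
    return not rule.ports or port in rule.ports

def evaluate(rules, direction, remote_ip, remote_tags, instance_tags, proto, port=None):
    # Winning rule: lowest priority number; deny beats allow on a tie
    hits = [r for r in list(rules) + IMPLIED
            if _matches(r, direction, remote_ip, remote_tags, instance_tags, proto, port)]
    hits.sort(key=lambda r: (r.priority, r.action != "deny"))
    return hits[0].action, hits[0].name

# Constructed rule set mirroring the exercise: public SSH to webserver, SSH app <- web only
EXERCISE_RULES = [
    Rule("allow-ssh-webserver", "INGRESS", "allow", "tcp", frozenset({22}),
         target_tags=frozenset({"webserver"}), source_ranges=("0.0.0.0/0",)),
    Rule("allow-ssh-web-to-app", "INGRESS", "allow", "tcp", frozenset({22}),
         target_tags=frozenset({"appserver"}), source_tags=frozenset({"webserver"})),
    # Lower priority number wins: this deny beats the 1000-priority allow for one range
    Rule("deny-ssh-blocklist", "INGRESS", "deny", "tcp", frozenset({22}), priority=900,
         target_tags=frozenset({"webserver"}), source_ranges=("198.51.100.0/24",)),
]
```

Calling `evaluate(EXERCISE_RULES, "INGRESS", "203.0.113.5", set(), {"appserver"}, "tcp", 22)` shows why the direct login to the appserver fails: no rule matches and the implied deny-ingress rule wins.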
