Firewall
- A firewall is all about allowing and denying network traffic
- Corporate firewall / traditional firewall
- GCP also has a virtual firewall: rules are defined at the VPC network level but enforced at each instance
- No firewall rules means
- no ingress => no packets are allowed in to a GCP VM instance
- full egress => all packets are allowed out of a GCP VM instance
- The firewall has rules, which manage external and internal access to resources
- Implied rule => deny all ingress
- Implied rule => allow all egress
- Firewall Rule Components
- Direction: Ingress or Egress
- Target: GCP resources the rule applies to: entire network, target tags, or service account
- Source/Destination Filter: incoming sources (ingress) or outgoing destinations (egress) that the rule applies to
- Action: Allow or Deny
- Protocol/Port: protocols and ports that are allowed/denied
- Priority: decides the winner among overlapping/conflicting rules (the lower the number, the higher the priority)
- The default firewall rules created by GCP for the default VPC are as shown below
- Let's quickly create a VM instance in the default network with any Linux OS in us-central1
- Then create one more VM in the default network with any Linux OS in us-east1
- Now connect to vm1 using the browser SSH session
- vm1, which we created, is able to ping the internet and also vm2 using its internal IP
Exercise
- Create a custom VPC with two subnets, one in us-central1 and one in us-east1
- Now create a VM in us-central1 and one in us-east1
- Try to connect to the VMs created.
- We will not be able to log in, as the default/implied firewall rule (deny all ingress) comes into play
- Now create a firewall rule which allows SSH traffic to the VM with the tag webserver
- After this we should be able to log in to the web server
- Now let's create a firewall rule which allows SSH from webserver into appserver
- Create a tag for appserver so the rule can target it
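The rule components above and the exercise steps can be tied together with a small evaluator that models how GCP decides a packet's fate: match by direction, target tag, protocol/port and source filter, pick the matching rule with the lowest priority number (on a tie, deny wins), and fall back to the implied rules (deny all ingress, allow all egress) when nothing matches. This is an added example written for these notes, not GCP's code: the Rule/VM/Packet shapes, the VM names, tags, subnet addresses and the admin IP are all constructed for illustration.

```python
"""Toy evaluator for the GCP VPC firewall model described in the notes.

Added example, not GCP's code: the data shapes, VM names, tags, subnets
and addresses below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress


@dataclass
class Rule:
    name: str
    direction: str                     # "INGRESS" or "EGRESS"
    action: str                        # "ALLOW" or "DENY"
    priority: int                      # 0-65535, lower number wins
    protocol: str                      # "tcp", "udp", "icmp" or "all"
    ports: set = field(default_factory=set)            # empty = every port
    target_tags: set = field(default_factory=set)      # empty = whole network
    source_ranges: list = field(default_factory=list)  # ingress: CIDR strings
    source_tags: set = field(default_factory=set)      # ingress: tags of the sender
    dest_ranges: list = field(default_factory=list)    # egress: CIDRs (empty = any)


@dataclass
class VM:
    name: str
    ip: str
    tags: set


@dataclass
class Packet:
    src: Optional[VM]     # None when the sender is outside the VPC
    src_ip: str
    dst: Optional[VM]     # None when the receiver is outside the VPC
    dst_ip: str
    protocol: str
    port: int = 0


def _in_ranges(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def _matches(rule, pkt, direction):
    if rule.direction != direction:
        return False
    # Target = the instance the rule is enforced on: receiver for ingress, sender for egress
    target = pkt.dst if direction == "INGRESS" else pkt.src
    if rule.target_tags and not (target and rule.target_tags & target.tags):
        return False
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.ports and pkt.port not in rule.ports:
        return False
    if direction == "INGRESS":
        by_range = rule.source_ranges and _in_ranges(pkt.src_ip, rule.source_ranges)
        by_tag = rule.source_tags and pkt.src is not None and rule.source_tags & pkt.src.tags
        return bool(by_range or by_tag)
    return not rule.dest_ranges or _in_ranges(pkt.dst_ip, rule.dest_ranges)


def decide(rules, pkt, direction):
    """Lowest priority number wins; on a tie DENY beats ALLOW.
    No match -> implied rules: deny all ingress, allow all egress."""
    matching = sorted((r for r in rules if _matches(r, pkt, direction)),
                      key=lambda r: (r.priority, r.action != "DENY"))
    if matching:
        return matching[0].action, matching[0].name
    implied = "DENY" if direction == "INGRESS" else "ALLOW"
    return implied, "implied-" + direction.lower()


def evaluate(rules, pkt):
    """Egress is checked at the sending VM, ingress at the receiving VM; both must allow."""
    verdict, rule = "ALLOW", "outside-vpc"
    if pkt.src is not None:
        verdict, rule = decide(rules, pkt, "EGRESS")
        if verdict == "DENY":
            return verdict, rule
    if pkt.dst is not None:
        verdict, rule = decide(rules, pkt, "INGRESS")
    return verdict, rule


# Constructed lab: custom VPC with one VM per subnet, as in the exercise
WEB = VM("vm-central", "10.10.0.2", {"webserver"})   # us-central1 subnet 10.10.0.0/24
APP = VM("vm-east", "10.20.0.2", {"appserver"})      # us-east1 subnet 10.20.0.0/24
LAPTOP_IP = "203.0.113.5"                            # admin workstation outside GCP

ALLOW_SSH_WEB = Rule("allow-ssh-webserver", "INGRESS", "ALLOW", 1000, "tcp", {22},
                     target_tags={"webserver"}, source_ranges=["0.0.0.0/0"])
ALLOW_SSH_WEB_TO_APP = Rule("allow-ssh-web-to-app", "INGRESS", "ALLOW", 1000, "tcp", {22},
                            target_tags={"appserver"}, source_tags={"webserver"})
DENY_SSH_FROM_OFFICE = Rule("deny-ssh-office", "INGRESS", "DENY", 900, "tcp", {22},
                            target_tags={"webserver"}, source_ranges=["203.0.113.0/24"])


def scenario():
    """Walk the exercise step by step; returns {step: (verdict, deciding rule)}."""
    ssh_to_web = Packet(None, LAPTOP_IP, WEB, WEB.ip, "tcp", 22)
    ssh_web_to_app = Packet(WEB, WEB.ip, APP, APP.ip, "tcp", 22)
    ping_to_app = Packet(None, LAPTOP_IP, APP, APP.ip, "icmp")
    https_out = Packet(WEB, WEB.ip, None, "198.51.100.10", "tcp", 443)
    both = [ALLOW_SSH_WEB, ALLOW_SSH_WEB_TO_APP]
    return {
        "fresh vpc, ssh to web": evaluate([], ssh_to_web),
        "ssh to web after tag rule": evaluate([ALLOW_SSH_WEB], ssh_to_web),
        "ssh web->app before rule": evaluate([ALLOW_SSH_WEB], ssh_web_to_app),
        "ssh web->app after rule": evaluate(both, ssh_web_to_app),
        "ping app from internet": evaluate(both, ping_to_app),
        "web egress to internet": evaluate(both, https_out),
        "lower number wins": evaluate([ALLOW_SSH_WEB, DENY_SSH_FROM_OFFICE], ssh_to_web),
    }


if __name__ == "__main__":
    for step, (verdict, rule) in scenario().items():
        print(f"{step:28} -> {verdict:5} ({rule})")
```

Running the script prints one line per exercise step: SSH to the fresh VPC is denied by the implied ingress rule, the webserver-tag rule opens it, the web-to-app rule (source tag webserver, target tag appserver) is what finally lets the hop to appserver through, ICMP to appserver stays denied because no rule matches it, egress needs no rule at all, and a deny at priority 900 beats the allow at 1000.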