Author: Seid Myadiyev
1.1 VPC Firewall Rules
This tutorial is adapted from the Web Age course https://www.webagesolutions.com/courses/WA3213-gcp-networking-and-security-for-algosec.
Virtual Private Cloud (VPC) firewall rules apply to a given project and network. VPC firewall rules let you allow or deny connections to or from your virtual machine (VM) instances based on a configuration that you specify. Enabled VPC firewall rules are always enforced, protecting your instances regardless of their configuration and operating system, even if they have not started up. While firewall rules are defined at the network level, connections are allowed or denied on a per-instance basis. VPC firewall rules take effect not only between your instances and other networks but also between individual instances within the same network.
1.2 Firewall Rule Components
Each firewall rule consists of the following configuration components:
- The direction of connection: ingress rules apply to incoming connections from specified sources to Google Cloud targets, and egress rules apply to connections going to specified destinations from targets.
- A numerical priority that determines whether the rule is applied. Only the highest-priority rule (the one with the lowest priority number) whose other components match the traffic is applied; conflicting rules with lower priorities are ignored.
- An action on match, either allow or deny, that determines whether the rule permits or blocks connections.
- The enforcement status of the firewall rule: you can enable and disable firewall rules without deleting them.
- A target defines the instances (including GKE clusters and App Engine flexible environment instances) to which the rule applies.
- A source filter for ingress rules or a destination filter for egress rules.
- The protocol (such as TCP, UDP, or ICMP) and destination port.
- A boolean logs option that logs connections that match the rule into Cloud Logging.
1.3 VPC Firewall Rule Specifications
VPC firewall rules have the following characteristics:
- Each firewall rule applies to either incoming (ingress) or outgoing (egress) connections, not both.
- Firewall rules support IPv4 connections. IPv6 connections are also supported in VPC networks that have IPv6 enabled.
- Each firewall rule can contain either IPv4 or IPv6 ranges, but not both.
- Each firewall rule’s action is either allow or deny. The rule applies to connections as long as it is enforced.
- When you create a firewall rule, you must select a VPC network. While the rule is enforced at the instance level, its configuration is associated with a VPC network. This means that you cannot share firewall rules among VPC networks, including networks connected by VPC Network Peering or by using Cloud VPN tunnels.
- VPC firewall rules are stateful.
- When a connection is allowed through the firewall in either direction, return traffic matching this connection is also allowed. You cannot configure a firewall rule to deny associated response traffic.
1.4 VPC Firewall Rule Priority
- The firewall rule priority is an integer from 0 to 65535, inclusive. Lower integers indicate higher priorities. If you do not specify a priority when creating a rule, it is assigned a priority of 1000.
- A rule with a deny action overrides another with an allow action only if the two rules have the same priority.
- Using relative priorities, it is possible to build allow rules that override deny rules and deny rules that override allow rules.
- Rules with the same priority and the same action have the same result. However, the rule that is used during the evaluation is indeterminate.
1.5 Action on Match
The action component of a firewall rule determines whether it permits or blocks traffic, subject to the other components of the rule:
- An allow action permits connections that match the other specified components.
- A deny action blocks connections that match the other specified components.
1.6 Rule Enforcement
- You can choose whether a firewall rule is enforced by setting its state to enabled or disabled. You set the enforcement state when you create a rule or when you update a rule.
- If you don’t set an enforcement state when you create a new firewall rule, the firewall rule is automatically enabled.
1.7 Target Parameter
The target parameter always identifies Google Cloud instances, but whether a target is a destination of traffic or a source for traffic depends on the direction of the rule.
You specify a target by using one of the following options:
- All instances in the network. The firewall rule applies to all instances in the network.
- Instances by target tags. The firewall rule applies only to instances with a matching network tag.
- Instances by target service accounts. The firewall rule applies only to instances that use a specific service account.
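The following is an added example, not part of the course material. It models the rule semantics described in sections 1.2, 1.4 and 1.7 as a small evaluator: direction, integer priority (lower number wins, default 1000), allow/deny action, the enabled/disabled enforcement state, the three target options (all instances, network tags, service account), source or destination ranges, protocol and ports. The rules, instance names, tags, service-account name and IP addresses are constructed sample data. When no rule matches, the evaluator falls back to Google Cloud's implied rules (deny all ingress, allow all egress), which the text above does not cover; stateful return traffic is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Instance:
    name: str
    tags: FrozenSet[str] = frozenset()          # network tags
    service_account: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                               # "INGRESS" or "EGRESS", never both
    action: str                                  # "allow" or "deny"
    priority: int = 1000                         # 0..65535; lower number = higher priority
    enabled: bool = True                         # a disabled rule is kept but not enforced
    target_tags: FrozenSet[str] = frozenset()    # empty and no service account = all instances
    target_service_account: Optional[str] = None
    ranges: Tuple[str, ...] = ("0.0.0.0/0",)     # source ranges (ingress) or destination ranges (egress)
    protocol: str = "all"                        # "tcp", "udp", "icmp" or "all"
    ports: Tuple[str, ...] = ()                  # "22" or "8000-8100"; empty = every port

    def __post_init__(self) -> None:
        if not 0 <= self.priority <= 65535:
            raise ValueError(f"{self.name}: priority must be within 0..65535")
        if self.direction not in ("INGRESS", "EGRESS"):
            raise ValueError(f"{self.name}: direction must be INGRESS or EGRESS")
        if self.action not in ("allow", "deny"):
            raise ValueError(f"{self.name}: action must be allow or deny")

    def applies_to(self, inst: Instance) -> bool:
        """Target parameter: service account, else network tag, else all instances."""
        if self.target_service_account is not None:
            return inst.service_account == self.target_service_account
        if self.target_tags:
            return bool(self.target_tags & inst.tags)
        return True

    def port_matches(self, port: Optional[int]) -> bool:
        if not self.ports:
            return True                          # rule covers every port of the protocol
        if port is None:
            return False                         # e.g. ICMP has no port to compare
        for spec in self.ports:
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
        return False

    def matches(self, inst: Instance, direction: str, peer_ip: str,
                protocol: str, port: Optional[int]) -> bool:
        return (self.enabled
                and self.direction == direction
                and self.applies_to(inst)
                and any(ip_address(peer_ip) in ip_network(r) for r in self.ranges)
                and self.protocol in ("all", protocol)
                and self.port_matches(port))


def evaluate(rules: Tuple[Rule, ...], inst: Instance, direction: str,
             peer_ip: str, protocol: str, port: Optional[int]) -> Tuple[str, str]:
    """Decide one connection attempt; returns (action, name of the deciding rule)."""
    matching = [r for r in rules if r.matches(inst, direction, peer_ip, protocol, port)]
    if not matching:
        # Implied rules sit at the lowest priority (65535): deny ingress, allow egress.
        if direction == "INGRESS":
            return "deny", "implied-deny-ingress"
        return "allow", "implied-allow-egress"
    # Lowest priority number wins; at equal priority a deny overrides an allow.
    best = min(matching, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return best.action, best.name


# Constructed sample rule set and instances (hypothetical names and addresses).
WEB_SA = "web-sa@example-project.iam.gserviceaccount.com"
RULES = (
    Rule("deny-ssh", "INGRESS", "deny", protocol="tcp", ports=("22",)),           # all instances, prio 1000
    Rule("allow-bastion-ssh", "INGRESS", "allow", priority=900,                   # higher priority than deny-ssh
         target_tags=frozenset({"ssh"}), ranges=("203.0.113.0/24",),
         protocol="tcp", ports=("22",)),
    Rule("allow-web", "INGRESS", "allow", target_service_account=WEB_SA,
         protocol="tcp", ports=("80", "443")),
    Rule("deny-443", "INGRESS", "deny", protocol="tcp", ports=("443",)),          # same prio as allow-web
    Rule("disabled-deny-all", "INGRESS", "deny", priority=0, enabled=False),      # ignored while disabled
)
INSTANCES = {
    "bastion": Instance("bastion", tags=frozenset({"ssh"})),
    "web-1": Instance("web-1", service_account=WEB_SA),
    "db-1": Instance("db-1"),
}


def walkthrough() -> List[Tuple[str, str, str]]:
    """Run a handful of connection attempts and return (label, action, rule) triples."""
    cases = [
        ("bastion ssh from allowed range", "bastion", "INGRESS", "203.0.113.5", "tcp", 22),
        ("bastion ssh from other range", "bastion", "INGRESS", "198.51.100.7", "tcp", 22),
        ("db ssh from allowed range (no tag)", "db-1", "INGRESS", "203.0.113.5", "tcp", 22),
        ("web-1 http", "web-1", "INGRESS", "198.51.100.7", "tcp", 80),
        ("web-1 https (deny wins at equal priority)", "web-1", "INGRESS", "198.51.100.7", "tcp", 443),
        ("db-1 http (nothing matches)", "db-1", "INGRESS", "198.51.100.7", "tcp", 80),
        ("web-1 outbound dns", "web-1", "EGRESS", "8.8.8.8", "udp", 53),
    ]
    return [(label, *evaluate(RULES, INSTANCES[name], d, ip, proto, port))
            for label, name, d, ip, proto, port in cases]


if __name__ == "__main__":
    for label, action, rule in walkthrough():
        print(f"{label:45s} -> {action:5s} ({rule})")
```

The key observations are that `allow-bastion-ssh` at priority 900 beats the broad `deny-ssh` at 1000 only for instances carrying the `ssh` tag and only from the listed source range, and that `deny-443` blocks HTTPS to `web-1` despite `allow-web` because both sit at priority 1000 and a deny overrides an allow at equal priority.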