Google Cloud Platform Firewall Rules
GCP implements firewall rules at the VPC network level: a rule belongs to the network and applies to every Compute Engine instance in that network that matches its targets, rather than being attached to an individual instance. This gives flexible control over traffic reaching instances that host web servers. Rules can target instances by network tag or by service account, so a policy follows the workload rather than a fixed IP address.
Creating GCP firewall rules using gcloud:
# Create firewall rule for HTTPS (applies only to instances tagged web-server)
gcloud compute firewall-rules create allow-https \
  --allow tcp:443 \
  --source-ranges 0.0.0.0/0 \
  --target-tags web-server \
  --description "Allow HTTPS to web servers"

# Create firewall rule for HTTP
gcloud compute firewall-rules create allow-http \
  --allow tcp:80 \
  --source-ranges 0.0.0.0/0 \
  --target-tags web-server \
  --description "Allow HTTP to web servers"

# Restrict SSH access: only the internal admin range, never 0.0.0.0/0
gcloud compute firewall-rules create allow-ssh-admin \
  --allow tcp:22 \
  --source-ranges 10.0.0.0/8 \
  --target-tags web-server \
  --description "Allow SSH from admin network"

# Create rule using service accounts instead of tags or IP ranges.
# The two service-account e-mails were obfuscated in the source; substitute
# the service accounts your web tier and database tier actually run as.
gcloud compute firewall-rules create allow-internal-mysql \
  --allow tcp:3306 \
  --source-service-accounts [email protected] \
  --target-service-accounts [email protected] \
  --description "Allow web apps to connect to MySQL"
Implementing firewall rules with Terraform for infrastructure as code:
# Public web ports, scoped to instances carrying the web-server tag
resource "google_compute_firewall" "web_server_firewall" {
  name    = "web-server-firewall"
  network = google_compute_network.vpc_network.name

  allow {
    protocol = "tcp"
    ports    = ["80", "443"]
  }

  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["web-server"]
}

# SSH only from the internal admin range, with firewall logging enabled
# so connection attempts are visible in Cloud Logging
resource "google_compute_firewall" "ssh_firewall" {
  name    = "ssh-admin-firewall"
  network = google_compute_network.vpc_network.name

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["10.0.0.0/8"]
  target_tags   = ["web-server"]

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
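The rules above encode three properties a reviewer checks for: only web ports exposed to 0.0.0.0/0, every rule scoped by tag or service account, and logging enabled on administrative access. The script below is an added example, not code from the original page or from Google, that audits a rule set for exactly those properties. It reads JSON in the shape `gcloud compute firewall-rules list --format=json` produces; the embedded input is a hand-constructed sample, not captured output, containing the page's three gcloud rules plus one deliberately over-broad rule so the audit has something to flag. The set of ports treated as acceptable for public exposure (`PUBLIC_OK_PORTS`) is an assumption for a web tier and should be adjusted per environment.

```python
import ipaddress
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
# (hand-written for this example, not captured from a real project). The first three
# rules mirror the ones created on this page; the last is a deliberately over-broad
# rule with no target and no port restriction so the audit has something to report.
SAMPLE_RULES_JSON = """
[
  {"name": "allow-https", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web-server"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
  {"name": "allow-http", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web-server"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
  {"name": "allow-ssh-admin", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.0.0.0/8"], "targetTags": ["web-server"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
   "logConfig": {"enable": true}},
  {"name": "allow-all-legacy", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp"}]}
]
"""

# Assumption: on a web-server tier only these ports may be reachable from anywhere.
PUBLIC_OK_PORTS = {80, 443}


def expand_ports(port_specs):
    """Expand gcloud port specs ("22", "8000-8010") into a set of ints.
    gcloud omits the ports list when a rule allows every port of the protocol;
    that case is returned as None."""
    if port_specs is None:
        return None
    ports = set()
    for spec in port_specs:
        lo, _, hi = spec.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def is_world_open(cidr):
    """True when the CIDR (0.0.0.0/0 or ::/0) covers every address."""
    return ipaddress.ip_network(cidr).prefixlen == 0


def audit_firewall_rules(rules):
    """Return (rule_name, finding) tuples for enabled ingress rules that expose
    non-web ports to the whole internet, apply to every instance in the network
    (no target tag or service account), or have firewall logging disabled."""
    findings = []
    for rule in rules:
        name = rule["name"]
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        world = any(is_world_open(c) for c in rule.get("sourceRanges", []))
        if world:
            for entry in rule.get("allowed", []):
                proto = entry["IPProtocol"]
                ports = expand_ports(entry.get("ports"))
                if ports is None:
                    findings.append((name, f"all {proto} ports open to 0.0.0.0/0"))
                else:
                    extra = sorted(ports - PUBLIC_OK_PORTS)
                    if extra:
                        findings.append((name, f"{proto} ports {extra} open to 0.0.0.0/0"))
        if not rule.get("targetTags") and not rule.get("targetServiceAccounts"):
            findings.append((name, "applies to every instance in the network "
                                   "(no target tag or service account)"))
        if not rule.get("logConfig", {}).get("enable"):
            findings.append((name, "firewall logging disabled"))
    return findings


def audit_json(text):
    """Audit a JSON document as produced by `gcloud ... list --format=json`."""
    return audit_firewall_rules(json.loads(text))


if __name__ == "__main__":
    for rule_name, finding in audit_json(SAMPLE_RULES_JSON):
        print(f"{rule_name}: {finding}")
```

Against real output, pipe `gcloud compute firewall-rules list --format=json` into `audit_json`. The logging check reports the two public web rules as well, which mirrors the page's Terraform, where only the SSH rule carries a `log_config` block; whether that is acceptable for high-volume HTTP traffic is a cost decision, but the audit makes the gap explicit rather than silent.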