Setting up a virtual private cloud means managing the traffic accessing the network. This is precisely why GCP Firewall Policies exist. So what are they? What strategies need to be implemented? And how do you set them up? Find out the answers in this article.
What are GCP Firewall Policies?
Firewall Policies on GCP are designed to allow or deny a connection within a virtual machine instance. These rules can apply to one or more VPC networks, to one or more projects, to the organization as a whole or to an individual folder.
💡Good to know: as soon as a Firewall Policy is activated, it applies. In other words, it will protect your virtual machine instance, its operating system and its configuration, even if it hasn’t yet started up.💡
What are the different firewall strategies?
To simplify Firewall Policy management on GCP, you need to create firewall policies. In other words, group several rules together. As they are centralized, you’ll be able to update them more easily.
But beware: there are several strategies to choose from, depending on your needs:
- Hierarchical firewall strategies: the idea is to have a consistent set of rules for the whole company. Rules are grouped according to their importance to the organization.
- Global firewall rules: here, rules apply to several regions. In this case, you first apply a global strategy, which can then be applied to the various resources of the VPC network.
- Regional network firewall rules: in contrast, these firewall rules apply to a single VPC network. However, they can also be applied to all internal network resources.
What are the components of firewall rules?
While each firewall rule has its own specific features, there are a few points in common between the various GCP Firewall Policies. Not least in terms of their components. Here’s what you’ll find when defining a rule:
- Application: this enables you to activate or deactivate a rule. This is particularly useful for troubleshooting, testing or deployments requiring real-time modifications.
- Direction: this defines the resource to which the rule is attached (VPC network, hierarchical policy, etc.). However, there can only be one direction of connection (inbound or outbound).
- Priority: this is a number that defines the priority of a rule over others. The lower the number, the higher the priority.
Action: these are simply “allow” or “deny” actions (also known as Ingree or Egress traffic). You can also configure the “goto.next” action. - Target: this allows you to match the origins of network traffic of potential interest to a given firewall rule. The context changes according to the direction defined.
- Filter: like the source, the idea is to match the origins of network traffic.
- Ports and protocol: this is a combination of network protocols (such as TCP, UDP, ICMP) and ports to refine the selection criteria for a firewall rule.
- Logs: this is an option. The idea is to log connections corresponding to the rule in Cloud Logging.
How to set up firewall rules?
To create a firewall rule, you first need to define a VPC network and its components. Then, you can use various tools, such as the Google Cloud Console, Google Cloud CLI and the REST API.
And to help you implement an effective Firewall Policy strategy on GCP, here are a few best practices:
- The principle of least privilege: this involves blocking all traffic by default and only allowing specific traffic (depending on your needs).
- The hierarchical firewall strategy: this should enable you to block traffic that should not be authorized (whether at the level of the organization as a whole or of an individual folder).
- Authorization rules: these should be limited to specific virtual machines. In this case, we recommend that you specify the VM service account.
- IP addresses: as far as possible, limit rules based on IP addresses. This makes management more complex.
Firewall Insights: this tool enables you to check that firewall rules are being used as intended. - Firewall Policy logging: while this feature is very useful, it can also lead to additional costs. To reduce costs, activate logging sparingly (only when it’s really useful).
To learn more about best practices for managing firewall rules on GCP, it’s best to take a training course. Take a look at our training programs on DataScientest.
What are the specifics of Google Firewall Policies?
In addition to these best practices, there are a number of Google Cloud Platform features that can affect your connections (both incoming and outgoing). Here are a few things to bear in mind when creating your Firewall Policy on GCP:
- Certain types of traffic can be automatically blocked or restricted by Google. This is the case, for example, with incoming DHCP offers and acknowledgements, or external IP addresses.
- Communication between a VM instance and the metadata server is always authorized as long as it corresponds to the address 169.254.169.254.
- Each network has implicit Firewall Policies. However, these can be overridden by creating new rules.
- Each firewall rule applies to either an incoming or an outgoing connection (never both at the same time).
Things to remember
- GCP Firewall Policies allow you to allow or deny traffic within a virtual machine instance.
- You can set up hierarchical, global or regional firewall policies, depending on your needs.
- A firewall rule is made up of several components, such as application, direction, priority, action, target, filter, port, protocols and logs. You’ll need to define each of these components for your GCP Firewall Policy.
If you have any questions you’d like answered, don’t hesitate to make an appointment.
