When you create VM instances in Google Cloud, they sit inside a Virtual Private Cloud (VPC) network. By default, VPC firewall rules decide which traffic is allowed in (ingress) and out (egress) of your VMs.
Let’s break down everything you need to know about Firewall Rules in GCP 👇
✅ What are VPC Firewall Rules?
- Firewall rules let you allow or deny connections to or from VM instances in your VPC.
- A VPC firewall rule belongs to a single VPC network; to apply rules across multiple VPC networks, use firewall policies.
- They work at the network interface level, meaning they control how traffic flows in/out of VM NICs.
✅ Types of Firewall Rules
- Ingress Rules → Control inbound traffic (packets entering a VM).
- Egress Rules → Control outbound traffic (packets leaving a VM).
🔹 Google Cloud VPC Firewall Rule – Components (with Examples)
1. Direction of Traffic
Ingress (Inbound): Traffic entering a VM.
Example: A user from the internet accessing your VM via port 80 (HTTP).
Egress (Outbound): Traffic leaving a VM.
Example: Your VM connecting to an external database or downloading updates.
2. Priority
Lower numbers = higher priority.
Example:
- Rule-1: Deny SSH (22), priority 200
- Rule-2: Allow SSH (22), priority 100
→ Rule-2 wins because 100 < 200, so SSH is allowed.
3. Action on Match
- Allow: Permits the traffic.
Example: Allow HTTP (tcp:80) so that users can open your website.
- Deny: Blocks the traffic.
Example: Deny RDP (tcp:3389) from the internet for security.
4. Target
- Defines which VMs the rule applies to.
Example: Apply “Allow SSH” only to VMs with tag = admin-access. Other VMs remain blocked.
Target Types
- Default target - all instances in the VPC network: Firewall rule applies to all instances in the VPC network.
- Instances by target network tags: firewall rule applies only to instances in the VPC network with a matching network tag.
- Instances by target service accounts: firewall rule applies only to instances in the VPC network that use a specific service account.
5. Source (for Ingress)
- Defines where inbound traffic is coming from.
Example: Allow SSH (tcp:22) only from office IP 203.0.113.10 instead of allowing the whole internet (0.0.0.0/0).
6. Source (for Egress)
- For egress rules, the source is the VM (the target) itself, so it is rarely customized.
Example: If needed, allow outbound traffic only from VMs that use a specific service account.
7. Destination (for Egress)
- Defines where outbound traffic can go.
Example: Allow VM to send traffic only to internal database subnet 10.10.0.0/24, block internet access.
8. Protocol and Ports
- Restricts communication by protocol/port.
Example:
tcp:443 → Allow only HTTPS traffic
udp:53 → Allow DNS queries
tcp:80-90 → Allow a range of web ports
9. Enforcement Status
- You can enable/disable a firewall rule without deleting it.
Example: During maintenance, temporarily enable the SSH rule, then disable it again once the work is done.
✅ Implied Firewall Rules in GCP
GCP automatically provides default firewall behavior through implied rules:
🔹 Implied Egress Rule
- By default, all outbound traffic is allowed.
- Rule:
Action → Allow
Destination → 0.0.0.0/0 (IPv4), ::/0 (IPv6)
Priority → 65536 (lowest priority)
- Effect: VM instances can connect to the internet using their public IP or via Cloud NAT.
👉 Example: If your VM tries to download updates from the internet, it works unless you override with a higher-priority egress rule.
🔹 Implied Ingress Rule
- By default, all inbound traffic is denied.
- Rule:
Action → Deny
Source → 0.0.0.0/0
Priority → 65536
- Effect: Nobody can access your VM from the internet until you explicitly allow ingress traffic.
👉 Example: To SSH into a VM, you must create an ingress rule that allows tcp:22 from your IP.
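To make the evaluation order concrete, here is an added Python model (example code, not GCP's own implementation) that applies the components above: direction, priority, target tags, source/destination ranges, protocol/ports and enforcement status, then falls back to the implied rules. Rule names, tags and addresses are constructed to mirror the page's examples.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    """Simplified VPC firewall rule (assumed model, not the GCP API)."""
    name: str
    direction: str      # "INGRESS" or "EGRESS"
    action: str         # "allow" or "deny"
    priority: int       # 0..65535; a lower number wins
    protocol: str       # "tcp", "udp" or "all"
    ports: list = field(default_factory=list)       # e.g. ["22", "80-90"]; empty = all ports
    ranges: list = field(default_factory=list)      # source CIDRs (ingress) or destination CIDRs (egress)
    target_tags: set = field(default_factory=set)   # empty = all instances in the VPC network
    disabled: bool = False                          # enforcement status

def port_matches(rule, port):
    if not rule.ports:
        return True
    for spec in rule.ports:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def rule_matches(rule, direction, vm_tags, remote_ip, protocol, port):
    if rule.disabled or rule.direction != direction:
        return False
    if rule.target_tags and not (rule.target_tags & vm_tags):
        return False
    if rule.protocol not in ("all", protocol) or not port_matches(rule, port):
        return False
    return any(ip_address(remote_ip) in ip_network(cidr) for cidr in rule.ranges)

def evaluate(rules, direction, vm_tags, remote_ip, protocol, port):
    """Return (action, rule_name) for the winning rule, falling back to the
    implied rules: egress is allowed, ingress is denied."""
    hits = [r for r in rules if rule_matches(r, direction, vm_tags, remote_ip, protocol, port)]
    if hits:
        # Lowest priority number wins; on a tie, deny takes precedence over allow.
        best = min(hits, key=lambda r: (r.priority, r.action != "deny"))
        return best.action, best.name
    return ("allow", "implied-egress") if direction == "EGRESS" else ("deny", "implied-ingress")

# Constructed rule set mirroring the page's examples (office IP, admin-access tag, DB subnet).
RULES = [
    Rule("rule-1-deny-ssh", "INGRESS", "deny", 200, "tcp", ["22"], ["0.0.0.0/0"]),
    Rule("rule-2-allow-ssh", "INGRESS", "allow", 100, "tcp", ["22"], ["203.0.113.10/32"], {"admin-access"}),
    Rule("allow-web", "INGRESS", "allow", 1000, "tcp", ["80-90"], ["0.0.0.0/0"]),
    Rule("egress-allow-db", "EGRESS", "allow", 900, "tcp", ["5432"], ["10.10.0.0/24"]),
    Rule("egress-deny-internet", "EGRESS", "deny", 1000, "all", [], ["0.0.0.0/0"]),
]
```

Calling `evaluate(RULES, "INGRESS", {"admin-access"}, "203.0.113.10", "tcp", 22)` returns the allow from rule-2, while the same SSH attempt from an untagged VM or a non-office IP falls through to rule-1's deny.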
Google Cloud VPC Firewall Rules - Best Practices
Implement least-privilege
- Block all traffic by default and allow the specific traffic you need
- In short, limit each firewall rule to only the protocols and ports you need
Allow Rules
- For allow rules, restrict them to specific VMs by targeting the service account those VMs run as
Limit Rules based on IP address
- Minimize the number of rules keyed to individual IP addresses
- Use IP ranges instead, so rules stay easier to track in the long run and simpler to review for compliance and auditing
Enable Firewall Rules Logging
- Enable logging to verify that firewall rules are being used in the intended way
- This setting will incur additional costs and using it selectively is recommended
✅ Real-World Analogy
Think of Firewall Rules like security guards at a building:
- Ingress Rule = Who is allowed to enter the building.
- Egress Rule = Where people are allowed to go once they leave.
- Priority = Which guard’s instruction is followed first.
- Implied Rules = Default company policy → “Nobody comes in unless we allow, everyone can go out unless restricted.”
🔑 Summary
- Firewall rules define allow/deny for ingress/egress.
- Rules have components: direction, priority, targets, source/destination, protocol/ports, enforcement.
- Implied rules → outbound open, inbound denied by default.
- Always define explicit rules for security and auditing.