Latchu@DevOps

Part-51: 🚀To Configure VPC Firewall Rules with Target All Instances in GCP Cloud

Step-01: Introduction

  • By default, inbound (ingress) traffic to a GCP VPC is denied by the implied deny-ingress rule.
  • If you deploy a VM with a web server on port 80 (HTTP), it won’t be reachable from the internet until you explicitly allow it with an ingress firewall rule.
  • In this lab, we’ll:
  1. Deploy a VM with Nginx.
  2. Try to access it → fails (no firewall rule).
  3. Create an Ingress firewall rule with target = All Instances.
  4. Try again → works.

Step-02: Create VM Instance

Upload nginx-webserver.sh (startup script) to Cloud Shell.

#!/bin/bash
# Startup script: install Nginx and publish a simple index page.
# Startup scripts run as root on boot, so sudo is kept only for clarity.
sudo apt-get update -y
sudo apt-get install -y telnet
sudo apt-get install -y nginx
sudo systemctl enable nginx
sudo chmod -R 755 /var/www/html
HOSTNAME=$(hostname)
# tee (not echo) needs the privilege, since it performs the write.
echo "<!DOCTYPE html> <html>
<body style='background-color:rgb(250, 210, 210);'>
<h1>Welcome to Latchu@DevOps - WebVM App1 </h1>
<p><strong>VM Hostname:</strong> $HOSTNAME</p>
<p><strong>VM IP Address:</strong> $(hostname -I)</p>
<p><strong>Application Version:</strong> V1</p>
<p>Google Cloud Platform - Demos</p>
</body></html>" | sudo tee /var/www/html/index.html

Create VM:

gcloud compute instances create myvm1-allinstances \
    --zone=us-central1-a \
    --machine-type=e2-micro \
    --network-interface=subnet=mysubnet1 \
    --metadata-from-file=startup-script=nginx-webserver.sh

Verify:

gcloud compute instances list

  • Confirm VM is in vpc2-custom → mysubnet1.
  • Note Internal and External IP.

Test before firewall rule:

telnet <EXTERNAL_IP> 80   # Should fail
curl <EXTERNAL_IP>        # Should fail

  • Observation: Application not reachable (blocked by implied ingress rule).

Step-03: Create Ingress Firewall Rule

Go to VPC Networks → vpc2-custom → FIREWALLS → ADD FIREWALL RULE.

  • Name: fw-ingress-80-allinstances
  • Description: Allow inbound port 80 for all instances in the network
  • Network: vpc2-custom
  • Priority: 1000
  • Direction of traffic: Ingress
  • Action on match: Allow
  • Targets: All instances in the network
  • Source filter: IPv4 ranges
  • Source IPv4 range: 0.0.0.0/0
  • Protocols and ports: TCP → 80

Click Create.

Step-04: Access Application

Verify VM list again:

gcloud compute instances list

Test after firewall rule:

telnet <EXTERNAL_IP> 80   # Should connect
curl <EXTERNAL_IP>        # Should return HTML page

Browser test:

http://<EXTERNAL-IP>

Step-05: Cleanup

# Delete firewall rule
gcloud compute firewall-rules delete fw-ingress-80-allinstances

# Delete VM
gcloud compute instances delete myvm1-allinstances --zone=us-central1-a --delete-disks=all

✅ Key Learning:

  • Without a firewall rule → Ingress traffic is denied by default.
  • With Target = All Instances → Every VM in the VPC can receive traffic on the allowed port.
  • For production, it’s better to use tags or service accounts instead of “all instances” to limit exposure.
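The Step-03 Console rule and the tag-scoped alternative mentioned in Key Learning, written as a gcloud script with a TCP reachability probe for the before/after test. This is an added example, not the post's own code; it assumes the post's names (vpc2-custom, myvm1-allinstances, us-central1-a) and a made-up tag name web-80.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Assumes the post's names:
# network vpc2-custom, VM myvm1-allinstances in us-central1-a; the tag
# name "web-80" is an assumption for the tagged variant.
set -eu

NETWORK="vpc2-custom"
ZONE="us-central1-a"
VM="myvm1-allinstances"

# Step-03 rule as a CLI call. Omitting --target-tags and
# --target-service-accounts means "All instances in the network".
create_rule_all_instances() {
  gcloud compute firewall-rules create fw-ingress-80-allinstances \
    --network="$NETWORK" --direction=INGRESS --priority=1000 \
    --action=ALLOW --rules=tcp:80 --source-ranges=0.0.0.0/0 \
    --description="Allow inbound port 80 for all instances in the network"
}

# Narrower variant from Key Learning: only VMs carrying the tag match.
create_rule_tagged() {
  gcloud compute firewall-rules create fw-ingress-80-web \
    --network="$NETWORK" --direction=INGRESS --priority=1000 \
    --action=ALLOW --rules=tcp:80 --source-ranges=0.0.0.0/0 \
    --target-tags=web-80
  gcloud compute instances add-tags "$VM" --zone="$ZONE" --tags=web-80
}

# TCP probe standing in for telnet: returns 0 if a connect to host:port
# succeeds within the timeout (seconds), non-zero otherwise.
port_open() {
  local host="$1" port="$2" secs="${3:-3}"
  timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Looks up the VM's external IP and reports "reachable" or "blocked".
probe_vm() {
  local ip
  ip=$(gcloud compute instances describe "$VM" --zone="$ZONE" \
       --format='value(networkInterfaces[0].accessConfigs[0].natIP)')
  if port_open "$ip" 80; then echo "reachable"; else echo "blocked"; fi
}

# Only call gcloud when explicitly asked, so sourcing the file is harmless.
if [ "${RUN_GCLOUD:-0}" = "1" ]; then
  probe_vm                   # before the rule: blocked (implied deny)
  create_rule_all_instances
  sleep 15; probe_vm         # after the rule: reachable
fi
```

Run it with RUN_GCLOUD=1 to reproduce the lab's before/after check; call create_rule_tagged instead of create_rule_all_instances to scope the rule to tagged VMs only.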
