Step-01: Introduction
Unlike “All Instances,” using Target Tags allows you to apply firewall rules only to VMs that carry specific tags.
This is a best practice for production because:
- You control which VMs receive traffic.
- You avoid exposing every VM in the VPC.
In this lab:
- Deploy VM with a webserver.
- Try to access it → fails (no firewall rule).
- Create firewall rule targeting tag = mywebserver.
- Apply the tag to the VM.
- Access again → works.
Step-02: Create VM Instance
Upload nginx-webserver.sh to Cloud Shell.
#!/bin/bash
sudo apt install -y telnet
sudo apt install -y nginx
sudo systemctl enable nginx
sudo chmod -R 755 /var/www/html
HOSTNAME=$(hostname)
sudo echo "<!DOCTYPE html> <html>
<body style='background-color:rgb(250, 210, 210);'>
<h1>Welcome to Latchu@DevOps - WebVM App1 </h1>
<p><strong>VM Hostname:</strong> $HOSTNAME</p>
<p><strong>VM IP Address:</strong> $(hostname -I)</p>
<p><strong>Application Version:</strong> V1</p>
<p>Google Cloud Platform - Demos</p>
</body></html>" | sudo tee /var/www/html/index.html
Create VM in custom subnet:
gcloud compute instances create myvm2-target-tags \
--zone=us-central1-a \
--machine-type=e2-micro \
--network-interface=subnet=mysubnet1 \
--metadata-from-file=startup-script=nginx-webserver.sh
Verify VM list:
gcloud compute instances list
Test before firewall rule:
telnet <EXTERNAL_IP> 80 # Should fail
curl <EXTERNAL_IP> # Should fail
Observation: App not reachable → blocked by implied ingress deny.
Step-03: Create Ingress Firewall Rule
Go to VPC Networks → vpc2-custom → FIREWALLS → ADD FIREWALL RULE.
- Name: fw-ingress-80-target-tags
- Description: Allow inbound port 80 for specified target tags
- Network: vpc2-custom
- Priority: 1000
- Direction: Ingress
- Action on match: Allow
- Targets: Specified target tags
- Target tags: mywebserver
- Source filter: IPv4 ranges
- Source IPv4 range: 0.0.0.0/0
- Protocols and ports: TCP → 80
Click Create.
Step-04: Apply Tags to VM and Access App
Add tag to VM:
gcloud compute instances add-tags myvm2-target-tags \
--zone us-central1-a \
--tags mywebserver
Verify tag attached:
gcloud compute instances describe myvm2-target-tags --zone=us-central1-a
Or check in VM details tab in Console.
Test after applying tag:
telnet <EXTERNAL_IP> 80 # Should connect
curl <EXTERNAL_IP> # Should return HTML page
Browser:
http://<EXTERNAL-IP>
Observation: Application now loads → firewall rule works because VM has correct tag.
Step-05: Cleanup
# Delete firewall rule
gcloud compute firewall-rules delete fw-ingress-80-target-tags
# Delete VM
gcloud compute instances delete myvm2-target-tags \
--zone=us-central1-a --delete-disks=all
âś… Key Learning:
- Target = All Instances: Broad, less secure, all VMs in VPC affected.
- Target = Tags: Granular, secure, only VMs with the tag are exposed.
- Best practice: Always use tags or service accounts to scope firewall rules in production.
Top comments (0)