Latchu@DevOps

Part-53: 🚀Google Cloud VPC Firewall Rules with Target as Service Account

Step-01: Introduction

  • Firewall Ingress Rule: Target = Service Account.
  • This allows you to apply firewall rules to all VM instances that run with a specific service account, regardless of tags or names.
  • Useful when managing access based on workload identity instead of static tags.

Step-02: Create VM Instance

Create the startup script nginx-webserver.sh locally; it is passed to the VM through --metadata-from-file and runs as root on first boot.

#!/bin/bash
# Runs as root at boot, so sudo is not needed.
# Refresh the package index first; a fresh image may have a stale one.
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y telnet nginx
# enable --now both enables nginx at boot and starts it immediately
systemctl enable --now nginx
chmod -R 755 /var/www/html
HOSTNAME=$(hostname)
cat > /var/www/html/index.html <<EOF
<!DOCTYPE html> <html>
<body style='background-color:rgb(250, 210, 210);'>
<h1>Welcome to Latchu@DevOps - WebVM App1 </h1>
<p><strong>VM Hostname:</strong> $HOSTNAME</p>
<p><strong>VM IP Address:</strong> $(hostname -I)</p>
<p><strong>Application Version:</strong> V1</p>
<p>Google Cloud Platform - Demos</p>
</body></html>
EOF


Create the VM in the custom subnet. No --service-account flag is given, so the VM runs as the Compute Engine default service account; that is the identity the firewall rule in Step-03 targets:

gcloud compute instances create myvm3-service-accounts \
    --zone=us-central1-a \
    --machine-type=e2-micro \
    --network-interface=subnet=mysubnet1 \
    --metadata-from-file=startup-script=nginx-webserver.sh

Verify instance:

gcloud compute instances list

Test access before firewall rule:

telnet <EXTERNAL_IP> 80   # Times out: no ingress rule matches yet
curl <EXTERNAL_IP>        # Times out for the same reason

Observation: the connection times out rather than being refused. The VPC's implied deny-ingress rule drops the packets because no allow rule for TCP 80 applies to this VM yet.


Step-03: Create Ingress Firewall Rule

Go to VPC Networks → vpc2-custom → FIREWALLS → ADD FIREWALL RULE.


  • Name: fw-ingress-80-service-accounts
  • Description: Allow inbound port 80 to all instances running as the specified service account
  • Network: vpc2-custom
  • Priority: 1000
  • Direction: Ingress
  • Action on match: Allow
  • Targets: Specified service account (a single rule cannot combine service accounts and network tags, in either its targets or its sources)
  • Service account scope: In this project
  • Target service account: the account the VM runs as, here the Compute Engine default service account. Every VM created without --service-account shares this account, so the rule opens port 80 on all of them; for a real workload, create a dedicated service account and target that instead.
  • Source filter: IPv4 ranges
  • Source IPv4 range: 0.0.0.0/0 (the whole internet; fine for this demo, narrow it to known ranges otherwise)
  • Protocols and ports: TCP → 80


Click Create.
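The same rule created from the command line. This is an added example, not code from the post, and it goes one step further than the console walkthrough: it creates a dedicated service account (web-sa, an assumed name) for the web VM instead of targeting the Compute Engine default account. The project id (GCP_PROJECT) and the source range (SRC_RANGE) are assumptions to override. The script only prints the gcloud commands it would run; set GCLOUD_APPLY=1 to execute them.

```shell
#!/bin/sh
# Added example (not from the original post): identity-targeted ingress rule
# built from the CLI with a dedicated service account. Prints the plan unless
# GCLOUD_APPLY=1 is set. Resource names are the post's or assumed.
set -eu

PROJECT="${GCP_PROJECT:-my-project}"       # assumption: set GCP_PROJECT to your project id
SA_NAME="web-sa"                           # assumed name of the dedicated SA
SA_EMAIL="${SA_NAME}@${PROJECT}.iam.gserviceaccount.com"
RULE="fw-ingress-80-service-accounts"
SRC_RANGE="${SRC_RANGE:-0.0.0.0/0}"       # narrow to a known range where possible

# Execute the command, or only print it when not applying.
run() {
  if [ "${GCLOUD_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# The SA needs no IAM roles for the firewall rule to match; it is only an
# identity label here. The caller needs iam.serviceAccounts.actAs on it.
create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" \
      --project="$PROJECT" --display-name="Web VM service account"
}

# Attach the SA explicitly instead of inheriting the default compute SA.
create_vm() {
  run gcloud compute instances create myvm3-service-accounts \
      --project="$PROJECT" --zone=us-central1-a --machine-type=e2-micro \
      --network-interface=subnet=mysubnet1 \
      --service-account="$SA_EMAIL" \
      --metadata-from-file=startup-script=nginx-webserver.sh
}

# Targets are service accounts; --target-tags cannot be combined with this.
create_rule() {
  run gcloud compute firewall-rules create "$RULE" \
      --project="$PROJECT" --network=vpc2-custom --direction=INGRESS \
      --priority=1000 --action=ALLOW --rules=tcp:80 \
      --source-ranges="$SRC_RANGE" \
      --target-service-accounts="$SA_EMAIL"
}

# Confirm the rule targets the SA and the VM actually runs under it.
verify() {
  run gcloud compute firewall-rules describe "$RULE" --project="$PROJECT" \
      --format='value(targetServiceAccounts)'
  run gcloud compute instances describe myvm3-service-accounts \
      --project="$PROJECT" --zone=us-central1-a \
      --format='value(serviceAccounts[0].email)'
}

main() { create_service_account; create_vm; create_rule; verify; }
main
```

Run it once without GCLOUD_APPLY to review the plan, then with GCLOUD_APPLY=1. The two describe calls at the end are the check that matters: if the VM's serviceAccounts[0].email and the rule's targetServiceAccounts differ, the rule will never match and the curl in Step-04 keeps timing out.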



Step-04: Access Application Deployed in VM

Re-check VM list:

gcloud compute instances list

Test access after firewall rule:

telnet <EXTERNAL_IP> 80   # Should connect
curl <EXTERNAL_IP>        # Should display HTML page

Browser:

http://<EXTERNAL-IP>

Observation: the app is reachable because the VM runs as the service account named in the rule's target. A VM in the same subnet that runs as a different service account, or one with only a matching network tag, would still be blocked by this rule.


Step-05: Cleanup

# Delete firewall rule
gcloud compute firewall-rules delete fw-ingress-80-service-accounts

# Delete VM
gcloud compute instances delete myvm3-service-accounts \
    --zone=us-central1-a --delete-disks=all


✅ Key Learning:

  • All instances = quick but broad: the rule applies to every VM in the VPC, so one rule exposes workloads that were never meant to be reachable.
  • Target tags = better for grouping workloads by function, but a tag is just a label that anyone with compute.instances.setTags can add to a running VM, which silently pulls that VM into the rule.
  • Service accounts = identity-based and harder to spoof: a VM's service account can only be changed while the VM is stopped, by someone allowed to act as that account. Best for cloud-native environments where workloads inherit service accounts automatically; pair it with a dedicated service account per workload rather than the default compute account.
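A quick audit that applies the three targeting models above to an existing project. This is an added example, not from the post: it classifies each ingress rule as all-instances, tag or service-account targeted and flags rules open to the internet or targeting the default compute account. The sample rules are constructed for the example; the gcloud format string in the comment is the one I would use to produce real input, but check the column order against your gcloud version.

```shell
#!/bin/sh
# Added example (not from the original post): audit ingress rules by how they
# select targets. Input is one rule per line, CSV:
#   name,sourceRanges,targetTags,targetServiceAccounts
# with ';' between multiple values in one field. Assumed gcloud command that
# produces it (verify the column order on your gcloud version):
#   gcloud compute firewall-rules list --filter='direction=INGRESS' \
#     --format='csv[no-heading](name,sourceRanges.list(separator=";"),targetTags.list(separator=";"),targetServiceAccounts.list(separator=";"))'
set -eu

# Classify one rule and print: <name> <target scope>[ FLAG...]
#   all-instances   : no tags and no service accounts, matches every VM in the VPC
#   tag             : network tags, mutable on a running VM with compute.instances.setTags
#   service-account : identity-scoped, the model this post demonstrates
# Flags: INTERNET-SOURCE (0.0.0.0/0 or ::/0 in sources),
#        DEFAULT-COMPUTE-SA (shared by every VM created without an explicit SA)
audit_rule() {
  IFS=, read -r name ranges tags sas <<EOF
$1
EOF
  scope="service-account"
  if [ -z "$tags" ] && [ -z "$sas" ]; then scope="all-instances"
  elif [ -z "$sas" ]; then scope="tag"; fi
  flags=""
  case ";$ranges;" in
    *";0.0.0.0/0;"*|*";::/0;"*) flags="$flags INTERNET-SOURCE";;
  esac
  case "$sas" in
    *-compute@developer.gserviceaccount.com*) flags="$flags DEFAULT-COMPUTE-SA";;
  esac
  printf '%s %s%s\n' "$name" "$scope" "$flags"
}

# Audit every non-empty line on stdin.
flag_broad_rules() {
  while IFS= read -r line; do
    if [ -n "$line" ]; then audit_rule "$line"; fi
  done
}

# Constructed sample: one rule per targeting model, plus a narrowed SA rule.
SAMPLE_RULES='fw-allow-all-80,0.0.0.0/0,,
fw-ingress-80-tags,0.0.0.0/0,web,
fw-ingress-80-service-accounts,0.0.0.0/0,,123456789012-compute@developer.gserviceaccount.com
fw-ingress-80-web-sa,203.0.113.0/24;198.51.100.0/24,,web-sa@my-project.iam.gserviceaccount.com'

printf '%s\n' "$SAMPLE_RULES" | flag_broad_rules
```

On the sample, only the last rule comes out clean: it is identity-scoped, points at a dedicated service account, and admits traffic from known ranges only. The rule built in this post is the third line and is flagged twice, which is the expected result for a demo and the thing to change before reusing the pattern in a real VPC.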
