In this demo, we will learn how to configure Google Cloud VPC Firewall Rules using Ingress with Destination Filter.
By default, when you create VM instances in a custom VPC, they are not accessible from the internet unless you explicitly allow traffic via firewall rules. Here, we’ll explore how to use a destination filter so that traffic only reaches specific VM instances.
🔹 Step-01: Introduction
Firewall Rule Type: Ingress with Destination Filter
Objective: Allow traffic only to specific VM(s) inside the VPC based on their destination IP.
Use Case: This helps when you want to expose only one VM to the internet while keeping others in the same subnet blocked.
🔹 Step-02: Create Two VM Instances
We’ll create two VM instances (VM1 & VM2) in the same subnet (mysubnet1) and deploy a simple nginx web server using a startup script.
nginx-webserver.sh
#!/bin/bash
# Startup script: runs as root on first boot of the VM
sudo apt-get update
sudo apt-get install -y telnet nginx
sudo systemctl enable nginx
sudo chmod -R 755 /var/www/html
HOSTNAME=$(hostname)
# Write a landing page that shows which VM answered the request
echo "<!DOCTYPE html> <html>
<body style='background-color:rgb(250, 210, 210);'>
<h1>Welcome to Latchu@DevOps - WebVM App1 </h1>
<p><strong>VM Hostname:</strong> $HOSTNAME</p>
<p><strong>VM IP Address:</strong> $(hostname -I)</p>
<p><strong>Application Version:</strong> V1</p>
<p>Google Cloud Platform - Demos</p>
</body></html>" | sudo tee /var/www/html/index.html
Commands to create VMs
# Set Project
gcloud config set project gcpdemos
# Create VM1
gcloud compute instances create myvm1-destination1 \
--zone=us-central1-a \
--machine-type=e2-micro \
--network-interface=subnet=mysubnet1 \
--metadata-from-file=startup-script=nginx-webserver.sh
# Create VM2
gcloud compute instances create myvm2-destination2 \
--zone=us-central1-a \
--machine-type=e2-micro \
--network-interface=subnet=mysubnet1 \
--metadata-from-file=startup-script=nginx-webserver.sh
🔍 Observation:
Both VM1 and VM2 are up, but HTTP (port 80) traffic will fail since no firewall rule exists yet: the VPC's implied deny-all-ingress rule blocks the traffic until a rule explicitly allows it.
🔹 Step-03: Create Firewall Rule with Destination Filter
Now, we’ll create a firewall rule to allow HTTP traffic only to VM1. The destination filter uses VM1's internal IP, because the VPC translates a VM's external IP to its internal IP before firewall rules are evaluated.
Firewall Rule Configuration
- Name: fw-ingress-80-destination-filter
- Network: vpc2-custom
- Priority: 1000
- Direction: Ingress
- Action: Allow
- Targets: All instances in the network
- Source: 0.0.0.0/0 (anywhere on internet)
- Destination filter: VM1_INTERNAL_IP/32 (example: 10.225.0.6/32)
- Protocols/Ports: TCP:80
- Create Rule
🔹 Step-04: Test the Firewall Rule
✅ Test VM1
telnet VM1_EXTERNAL_IP 80
curl VM1_EXTERNAL_IP
- Works successfully.
- Browser access: http://VM1_EXTERNAL_IP → ✅ Page loads.
❌ Test VM2
telnet VM2_EXTERNAL_IP 80
curl VM2_EXTERNAL_IP
- Fails.
- Browser access: http://VM2_EXTERNAL_IP → ❌ Page not accessible.
🔍 Observation:
- VM1 is accessible because its IP was allowed in the destination filter.
- VM2 is blocked because its IP was not included in the firewall rule.
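To make the behaviour in Step-03 and Step-04 concrete, here is a small Python model of how the VPC evaluates ingress rules. This is an added example, not code from the original post or from Google Cloud. It models only the fields used in this demo (priority, action, source and destination ranges, protocol and ports), GCP's rule that the lowest priority number wins (deny beats allow on a tie), and the implied deny-all-ingress rule. VM1's internal IP (10.225.0.6) is the one used above; VM2's internal IP, both external IPs and the client IP are constructed assumptions taken from documentation address ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed inventory for this example (VM2 internal, external and client IPs are assumptions).
VMS = {
    "myvm1-destination1": {"internal": "10.225.0.6", "external": "203.0.113.10"},
    "myvm2-destination2": {"internal": "10.225.0.7", "external": "203.0.113.11"},
}
CLIENT_IP = "198.51.100.25"  # constructed "anywhere on the internet" address


@dataclass
class Rule:
    name: str
    priority: int                                   # 0 (highest) .. 65535 (lowest)
    action: str                                     # "allow" or "deny"
    source_ranges: List[str]
    destination_ranges: Optional[List[str]] = None  # None: any destination in the VPC
    protocol: str = "tcp"
    ports: Optional[List[int]] = None               # None: all ports of that protocol


# The rule from Step-03, expressed in this model.
DEMO_RULES = [
    Rule(
        name="fw-ingress-80-destination-filter",
        priority=1000,
        action="allow",
        source_ranges=["0.0.0.0/0"],
        destination_ranges=["10.225.0.6/32"],
        protocol="tcp",
        ports=[80],
    )
]


def _in_ranges(ip: str, ranges: List[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(cidr) for cidr in ranges)


def matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """True only if every filter of the rule matches the packet."""
    if not _in_ranges(src_ip, rule.source_ranges):
        return False
    if rule.destination_ranges is not None and not _in_ranges(dst_ip, rule.destination_ranges):
        return False
    if rule.protocol not in ("all", proto):
        return False
    if rule.ports is not None and port not in rule.ports:
        return False
    return True


def evaluate_ingress(rules: List[Rule], src_ip: str, dst_ip: str,
                     proto: str, port: int) -> Tuple[str, str]:
    """Return (action, deciding_rule_name) for one ingress packet.

    Rules are checked from the lowest priority number upward; on a tie, deny
    wins. If nothing matches, GCP's implied deny-all-ingress rule applies.
    """
    ordered = sorted(rules, key=lambda r: (r.priority, r.action != "deny"))
    for rule in ordered:
        if matches(rule, src_ip, dst_ip, proto, port):
            return rule.action, rule.name
    return "deny", "implied-deny-ingress"


def evaluate_from_internet(rules: List[Rule], dialed_external_ip: str, port: int,
                           src_ip: str = CLIENT_IP) -> Tuple[str, str]:
    """Evaluate a TCP connection from the internet to a VM's external IP.

    The external address is translated to the VM's internal address before the
    firewall sees the packet, which is why the destination filter is written
    with the internal IP (10.225.0.6/32) rather than the external one.
    """
    internal_ip = next(vm["internal"] for vm in VMS.values()
                       if vm["external"] == dialed_external_ip)
    return evaluate_ingress(rules, src_ip, internal_ip, "tcp", port)


def run_demo() -> dict:
    results = {
        "vm1_http": evaluate_from_internet(DEMO_RULES, "203.0.113.10", 80),   # allowed
        "vm2_http": evaluate_from_internet(DEMO_RULES, "203.0.113.11", 80),   # implied deny
        "vm1_https": evaluate_from_internet(DEMO_RULES, "203.0.113.10", 443),  # port not in rule
    }
    # A deny rule with a lower priority number (900) overrides the allow rule (1000).
    block = Rule("deny-80-from-internet", 900, "deny", ["0.0.0.0/0"], None, "tcp", [80])
    results["vm1_http_with_deny"] = evaluate_from_internet(DEMO_RULES + [block], "203.0.113.10", 80)
    return results


if __name__ == "__main__":
    for check, (action, rule) in run_demo().items():
        print(f"{check:20s} -> {action:5s} (decided by {rule})")
```

Running the script reproduces the observation above: the request to VM1 on port 80 is decided by fw-ingress-80-destination-filter, while the same request to VM2 (and any request to VM1 on a port other than 80) falls through to the implied deny. The last case shows why priority matters when several rules exist: a deny rule numbered 900 silently overrides the allow rule numbered 1000, which is worth remembering when a rule that looks correct does not open the port.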
🔹 Step-05: Cleanup
Once testing is done, delete the resources:
# Delete firewall rule
gcloud compute firewall-rules delete fw-ingress-80-destination-filter
# Delete VM Instances
gcloud compute instances delete myvm1-destination1 --zone=us-central1-a --delete-disks=all
gcloud compute instances delete myvm2-destination2 --zone=us-central1-a --delete-disks=all
Real-World Analogy
- Think of the destination filter like a VIP entry pass at a concert hall:
- Everyone can try to enter (source = 0.0.0.0/0).
- But the bouncer (firewall) only lets you sit in row A, seat 5 (VM1).
- Even though row A seat 6 (VM2) is in the same hall, you can’t sit there unless another pass (firewall rule) is issued.
✅ Summary
- GCP Firewall rules can filter traffic not just by source, but also by destination.
- Using destination filters, we can tightly control which VM(s) in a subnet are exposed.
- This adds an extra security layer in multi-VM environments.