Latchu@DevOps
Part-55: Google Cloud VPC Firewall Rules with Egress as Deny Rule

Google Cloud VPC Firewall Rules – Egress Deny Rule

By default, VM instances in Google Cloud can send outbound traffic (egress) to the internet unless explicitly restricted. In this demo, we’ll configure an egress deny firewall rule to block specific outbound traffic.

This is useful when you want to prevent workloads from reaching certain external services (for compliance, security, or cost reasons).


🔹 Step-01: Introduction

  • Firewall Rule Type: Egress Deny Rule
  • Objective: Deny outbound traffic from VM(s) to a specific destination (website or IP range).
  • Use Case: Restrict servers from accessing external sites (like GitHub, social media, or specific domains).

🔹 Step-02: Create VM Instance

We’ll create a VM (myvm5-egress) and test outbound connectivity.

# Set Project 
gcloud config set project gcpdemos

# Create VM in mysubnet1 
gcloud compute instances create myvm5-egress \
    --zone=us-central1-a \
    --machine-type=e2-micro \
    --network-interface=subnet=mysubnet1 

# List VMs
gcloud compute instances list   

# Connect to VM
gcloud compute ssh --zone "us-central1-a" "myvm5-egress" --project "gcpdemos"

# Install packages for testing (refresh the package index first so the install succeeds on a fresh image)
sudo apt update
sudo apt install -y dnsutils telnet

Run Tests Before Firewall Rule

# Resolve domain to IPs
nslookup stacksimplify.com

# Connectivity tests
telnet stacksimplify.com 80
telnet stacksimplify.com 443
ping stacksimplify.com


🔍 Observation (Before Rule):

  • Telnet to ports 80 and 443 → ✅ Successful
  • ICMP (ping) → ✅ Successful

🔹 Step-03: Create Egress Deny Firewall Rule

Now we’ll block outbound TCP 80/443 and ICMP traffic from all VMs in the vpc2-custom network to stacksimplify.com. The rule is created in the Cloud Console with the settings below.

  • Name: fw-egress-deny-80-443-icmp
  • Description: Deny outbound to destination stacksimplify.com on port 80, 443, and ICMP
  • Network: vpc2-custom
  • Priority: 1000
  • Direction: Egress
  • Action: Deny
  • Targets: All Instances in the network
  • Destination Filter: 99.84.160.0/24 (from nslookup stacksimplify.com)
  • Protocols/Ports: TCP: 80, 443; Other: ICMP
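The same rule created from the command line, as an added example that is not part of the original post: it derives the /24 the way the post did (from the nslookup answer), creates the rule with gcloud, and reads it back. The project gcpdemos and network vpc2-custom are assumed to exist; DRY_RUN=1 prints the gcloud commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): create the Step-03 egress deny rule
# with gcloud instead of the console and read it back. Assumes project gcpdemos
# and network vpc2-custom exist; DRY_RUN=1 prints gcloud commands instead of running them.
set -eu
RULE="fw-egress-deny-80-443-icmp"; NETWORK="vpc2-custom"; PROJECT="gcpdemos"

# Run a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s ' "$@"; echo; else "$@"; fi
}

# First IPv4 answer in nslookup output, skipping the resolver's own "x.x.x.x#53" line.
first_answer_ip() {
  awk '/^Address:/ && $2 !~ /#/ { print $2; exit }'
}

# Resolved address -> the /24 used as destination filter (the post got
# 99.84.160.0/24 this way). CDN-hosted sites change addresses, so re-check it.
to_slash24() {
  case "$1" in
    *[!0-9.]* | '') echo "not an IPv4 address: $1" >&2; return 1 ;;
  esac
  echo "${1%.*}.0/24"
}

# No --target-tags means all instances in the network. Priority 1000 beats the
# implied allow-all-egress rule (priority 65535); --enable-logging records denied
# connections in Cloud Logging so blocked egress is visible, not just failing.
create_rule() {
  run gcloud compute firewall-rules create "$RULE" \
    --project="$PROJECT" --network="$NETWORK" \
    --direction=EGRESS --action=DENY --priority=1000 \
    --destination-ranges="$1" --rules=tcp:80,tcp:443,icmp --enable-logging \
    --description="Deny outbound to stacksimplify.com on 80, 443 and ICMP"
}

# Read the rule back before running the Step-04 tests against it.
verify_rule() {
  run gcloud compute firewall-rules describe "$RULE" --project="$PROJECT" \
    --format='yaml(direction,priority,denied,destinationRanges,logConfig)'
}

if [ "${1:-}" = "--apply" ]; then
  cidr="$(to_slash24 "$(nslookup stacksimplify.com | first_answer_ip)")"
  create_rule "$cidr"; verify_rule
fi
```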



🔹 Step-04: Perform Tests After Firewall Rule

Run the same commands again:

telnet stacksimplify.com 80
telnet stacksimplify.com 443
ping stacksimplify.com

🔍 Observation (After Rule):

  • Telnet to ports 80 and 443 → ❌ Failed
  • ICMP (ping) → ❌ Failed

Outbound traffic is now blocked as expected.


🔹 Step-05: Cleanup

# Delete firewall rule
gcloud compute firewall-rules delete fw-egress-deny-80-443-icmp

# Delete VM
gcloud compute instances delete myvm5-egress --zone=us-central1-a


🔹 Real-World Analogy

  • Think of egress deny like a company firewall blocking employees from visiting certain websites.
  • Without rules → employees (VMs) can browse anywhere.
  • With egress deny → access to “restricted sites” (like social media, streaming, or specific IPs) is blocked.

✅ Summary

  • By default, Google Cloud allows outbound traffic.
  • Egress deny firewall rules let you block unwanted traffic to specific destinations.
  • This is essential for security, compliance, and governance in cloud environments.
