Google Cloud VPC Firewall Policy – Apply Rules Across Multiple VPC Networks
In most cases, we create firewall rules inside each VPC network. But what if you want to apply a centralized firewall policy across multiple VPCs?
That’s where VPC Network Firewall Policies come in. With this feature, you can create one policy and attach it to multiple VPCs to enforce consistent rules across environments.
In this demo, we’ll:
- Launch VMs in two different VPCs (vpc1-auto and vpc2-custom)
- Create a network firewall policy that allows HTTP traffic (port 80)
- Apply the policy to both VPCs
- Verify that both VMs can serve applications over port 80
🔹 Step-01: Introduction
- VM1: In vpc1-auto (auto mode VPC)
- VM2: In vpc2-custom (custom mode VPC)
- Firewall Policy: fw-policy-allow-80-in-vpc1-and-vpc2
- Goal: Use a single firewall policy to allow port 80 access for both VMs
🔹 Step-02: Create VM Instances in vpc1-auto and vpc2-custom
We’ll deploy Nginx webservers on both VMs using a startup script.
nginx-webserver.sh
#!/bin/bash
# Refresh package lists first so the installs do not fail on a stale image
sudo apt-get update
sudo apt-get install -y telnet nginx
sudo systemctl enable --now nginx
sudo chmod -R 755 /var/www/html
HOSTNAME=$(hostname)
# Write the demo page; tee runs as root because /var/www/html is root-owned
echo "<!DOCTYPE html> <html>
<body style='background-color:rgb(250, 210, 210);'>
<h1>Welcome to Latchu@DevOps - WebVM App1 </h1>
<p><strong>VM Hostname:</strong> $HOSTNAME</p>
<p><strong>VM IP Address:</strong> $(hostname -I)</p>
<p><strong>Application Version:</strong> V1</p>
<p>Google Cloud Platform - Demos</p>
</body></html>" | sudo tee /var/www/html/index.html
Create VMs:
# Set Project
gcloud config set project gcpdemos
# VM in vpc1-auto
gcloud compute instances create myvm6-vpc1-auto \
--zone=us-central1-a \
--machine-type=e2-micro \
--network-interface=subnet=vpc1-auto \
--metadata-from-file=startup-script=nginx-webserver.sh
# VM in vpc2-custom
gcloud compute instances create myvm6-vpc2-custom \
--zone=us-central1-a \
--machine-type=e2-micro \
--network-interface=subnet=mysubnet1 \
--metadata-from-file=startup-script=nginx-webserver.sh
🔍 Observation (Before Firewall Policy):
- HTTP access (port 80) → ❌ Blocked
- Because no firewall rule or policy allowing port 80 exists in either VPC
🔹 Step-03: Create Network Firewall Policy
Go to Network Security → Cloud NGFW → Firewall Policies → CREATE FIREWALL POLICY
- Policy name: fw-policy-allow-80-in-vpc1-and-vpc2
- Description: Allow port 80 in vpc1-auto and vpc2-custom
- Deployment scope: Global
Add Rule:
- Priority: 100
- Description: Allow HTTP rule for vpc1-auto and vpc2-custom
- Direction: Ingress
- Action on match: Allow
- Target type: All instances in the network
- Source: IPv4 → 0.0.0.0/0
- Protocols/Ports: TCP: 80
Associate Policy with VPCs:
- Click ASSOCIATE → select vpc1-auto and vpc2-custom
🔹 Step-04: Verify Application Access
# List VMs
gcloud compute instances list
# Test both VMs
telnet VM1_EXTERNAL_IP 80
telnet VM2_EXTERNAL_IP 80
curl VM1_EXTERNAL_IP
curl VM2_EXTERNAL_IP
🔍 Observation (After Firewall Policy):
- HTTP access (port 80) → ✅ Allowed
- Both VMs, each in a different VPC, are reachable under one firewall policy
🔹 Step-05: Cleanup
# Delete VMs
gcloud compute instances delete myvm6-vpc1-auto --zone=us-central1-a
gcloud compute instances delete myvm6-vpc2-custom --zone=us-central1-a
# Delete firewall policy
# Note: Must remove association before deleting policy
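The console steps of Step-03 and the ordered cleanup of Step-05, as an added gcloud script that is not part of the original post. It assumes the post's project, policy and VPC names, an association name of the form assoc-NETWORK (hypothetical), and that GCLOUD=echo may be set to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not the post's own code): gcloud equivalent of Step-03
# plus the ordered cleanup the post leaves out in Step-05.
set -eu

PROJECT="${PROJECT:-gcpdemos}"
POLICY="fw-policy-allow-80-in-vpc1-and-vpc2"
# The post allows 0.0.0.0/0; narrow this to a known CIDR where possible.
SRC_RANGE="${SRC_RANGE:-0.0.0.0/0}"
GCLOUD="${GCLOUD:-gcloud}"   # GCLOUD=echo for a dry run

create_policy() {
    "$GCLOUD" compute network-firewall-policies create "$POLICY" \
        --project="$PROJECT" --global \
        --description="Allow port 80 in vpc1-auto and vpc2-custom"
}

# Priority 100, ingress, allow, no target tags => all instances in the
# associated networks. Logging is enabled so allowed hits are visible.
create_rule() {
    "$GCLOUD" compute network-firewall-policies rules create 100 \
        --project="$PROJECT" --firewall-policy="$POLICY" \
        --global-firewall-policy --direction=INGRESS --action=allow \
        --src-ip-ranges="$SRC_RANGE" --layer4-configs=tcp:80 \
        --enable-logging \
        --description="Allow HTTP rule for vpc1-auto and vpc2-custom"
}

# One association per VPC; the association name is reused at cleanup.
associate_vpcs() {
    for net in vpc1-auto vpc2-custom; do
        "$GCLOUD" compute network-firewall-policies associations create \
            --project="$PROJECT" --firewall-policy="$POLICY" \
            --global-firewall-policy --network="$net" --name="assoc-$net"
    done
}

# Associations must be removed before the policy itself can be deleted.
cleanup_policy() {
    for net in vpc1-auto vpc2-custom; do
        "$GCLOUD" compute network-firewall-policies associations delete \
            --project="$PROJECT" --firewall-policy="$POLICY" \
            --global-firewall-policy --name="assoc-$net"
    done
    "$GCLOUD" compute network-firewall-policies delete "$POLICY" \
        --project="$PROJECT" --global
}
```

Run create_policy, create_rule and associate_vpcs in that order to reproduce Step-03, and cleanup_policy after deleting the VMs.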
🔹 Real-World Analogy
Think of this like a corporate IT team applying one central security policy across multiple office branches.
Instead of creating rules at each branch (VPC), they create one global policy and attach it everywhere.
✅ Summary
- VPC firewall rules are limited to a single VPC.
- Network firewall policies allow you to create centralized, reusable rules.
- You can enforce consistent ingress/egress controls across multiple VPCs.