Based on the Google Compute Engine documentation:
Each firewall rule consists of the following configuration components:
0.0 Priority
From 0 (highest priority) to 65535 (lowest priority); gcloud defaults to 1000. Among the rules that apply to an instance and match the traffic, the lowest number wins, and when an allow and a deny share the same priority the deny wins. The implied rules (allow all egress, deny all ingress) sit at 65535, so any explicit rule overrides them.
0.1 Direction
- INGRESS rules apply to incoming connections FROM specified SOURCES TO targets
- EGRESS rules apply to traffic going TO specified DESTINATIONS FROM targets
Traffic from VM1 to VM2 can be controlled using either of these firewall rules:
- An ingress rule with a target of VM2 and a source of VM1.
- An egress rule with a target of VM1 and a destination of VM2.
See "0.3 Target" below for the definition of what a target is.
0.2 Action
- allow: permit traffic
- deny: block traffic
0.3 Target
- All instances in the VPC network (the default when neither tags nor service accounts are given)
- Instances by service account
- Instances by network tag
A single rule cannot use both target tags and target service accounts.
0.4 Source or destination
Again, ingress rules apply to incoming connections from specified sources to GCP targets, and egress rules apply to traffic going to specified destinations from targets.
For INGRESS (inbound) rules, the target parameter specifies the destination instances for traffic; you cannot use the destination parameter. You specify the source by using the source parameter (which is only applicable to INGRESS rules):
- all IP addresses (0.0.0.0/0)
- IP address ranges
- network tags
- service accounts
If no source is given at all, the source defaults to 0.0.0.0/0. Source ranges and source tags in the same rule are combined with OR, and a source tag only matches traffic sent from the primary internal IP of a tagged instance in the same network.
For EGRESS (outbound) rules, the target parameter specifies the source instances for traffic; you cannot use the source parameter. You specify the destination by using the destination parameter (which is only applicable to EGRESS rules):
- all IP addresses (0.0.0.0/0)
- IP address ranges
If no destination is given, it defaults to 0.0.0.0/0.
See Source or destination in the documentation.
0.6 The enforcement status of the firewall rule
- enabled (--no-disabled)
- disabled (--disabled)
A disabled rule is kept but not evaluated, so it neither permits nor blocks anything until it is re-enabled.
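To make the priority, direction, target and source semantics above concrete, here is an added Python simulator (not gcloud code and not part of the original notes) that evaluates one new connection against a list of rules the way the documentation describes: lowest priority number wins, deny beats allow on a tie, disabled rules are skipped, an ingress rule with no source defaults to 0.0.0.0/0, source tags only match the tagged VM's primary internal IP, and the implied rules at priority 65535 apply when nothing else matches. The instance names, addresses and tags in the demo are made up.

```python
"""Simulate GCP VPC firewall rule evaluation for a single new connection.
Added example: the semantics follow the Google documentation, the code is not gcloud's."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Instance:
    name: str
    internal_ip: str                 # primary internal IP; source tags are matched on this
    tags: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    name: str
    direction: str                   # "INGRESS" or "EGRESS"
    action: str                      # "allow" or "deny"
    rules: List[str]                 # --rules entries: "tcp:5432", "udp:53-60", "icmp", "all"
    priority: int = 1000             # gcloud default
    target_tags: Set[str] = field(default_factory=set)           # empty = every instance
    source_ranges: List[str] = field(default_factory=list)       # ingress only
    source_tags: Set[str] = field(default_factory=set)           # ingress only
    destination_ranges: List[str] = field(default_factory=list)  # egress only
    disabled: bool = False


def _matches_protocol(spec: str, proto: str, port: Optional[int]) -> bool:
    """Does one --rules entry cover this protocol/port?"""
    if spec == "all":
        return True
    spec_proto, _, spec_ports = spec.partition(":")
    if spec_proto != proto:
        return False
    if not spec_ports:               # bare protocol such as "tcp" covers every port
        return True
    if port is None:
        return False
    lo, _, hi = spec_ports.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _in_ranges(ip: str, ranges: List[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def _applies(rule: Rule, direction: str, target: Instance, peer_ip: str,
             peer: Optional[Instance], proto: str, port: Optional[int]) -> bool:
    if rule.disabled or rule.direction != direction:
        return False
    if rule.target_tags and not (rule.target_tags & target.tags):
        return False
    if not any(_matches_protocol(s, proto, port) for s in rule.rules):
        return False
    if direction == "INGRESS":
        # No source at all means 0.0.0.0/0; ranges and tags are OR'd when both exist.
        ranges = rule.source_ranges or ([] if rule.source_tags else ["0.0.0.0/0"])
        by_tag = (peer is not None and peer.internal_ip == peer_ip
                  and bool(rule.source_tags & peer.tags))
        return by_tag or _in_ranges(peer_ip, ranges)
    return _in_ranges(peer_ip, rule.destination_ranges or ["0.0.0.0/0"])


def evaluate(rules: List[Rule], direction: str, target: Instance, peer_ip: str,
             proto: str, port: Optional[int] = None,
             peer: Optional[Instance] = None) -> Tuple[str, str]:
    """Decide one new connection seen at `target`; returns (action, winning rule name).
    INGRESS: peer_ip is the sender, `peer` its Instance if it is a VM in the network.
    EGRESS: peer_ip is the destination address."""
    matching = [r for r in rules
                if _applies(r, direction, target, peer_ip, peer, proto, port)]
    if matching:
        # lowest priority number wins; on a tie a deny beats an allow
        best = min(matching, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
        return best.action, best.name
    if direction == "INGRESS":
        return "deny", "implied-deny-ingress"     # implied rule at priority 65535
    return "allow", "implied-allow-egress"        # implied rule at priority 65535


if __name__ == "__main__":
    # constructed instances and rule mirroring the pb-1 -> pb-2 example later in the notes
    pb1 = Instance("pb-1", "10.128.0.2", {"http-server", "https-server", "pb-1"})
    pb2 = Instance("pb-2", "10.128.0.3", {"http-server", "https-server", "pb-2"})
    rules = [Rule("postgres", "INGRESS", "allow", ["tcp:5432"],
                  source_tags={"pb-1"}, target_tags={"pb-2"})]
    print(evaluate(rules, "INGRESS", pb2, pb1.internal_ip, "tcp", 5432, peer=pb1))
    print(evaluate(rules, "INGRESS", pb2, "203.0.113.9", "tcp", 5432))
```

Running the block prints ('allow', 'postgres') for the tagged VM and ('deny', 'implied-deny-ingress') for the outside address. Adding a second rule with the same priority and action deny shows the tie-break: the deny wins even though the allow was created first.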
gcloud compute firewall-rules create NAME \
[--network NETWORK; default="default"] \
[--priority PRIORITY;default=1000] \
[--direction (ingress|egress|in|out); default="ingress"] \
[--action (deny | allow )] \
[--target-tags TAG,TAG,...] \
[--target-service-accounts=IAM Service Account,IAM Service Account,...] \
[--source-ranges CIDR-RANGE,CIDR-RANGE...] \
[--source-tags TAG,TAG,...] \
[--source-service-accounts=IAM Service Account,IAM Service Account,...] \
[--destination-ranges CIDR-RANGE,CIDR-RANGE...] \
[--rules (PROTOCOL[:PORT[-PORT]],[PROTOCOL[:PORT[-PORT]],...]] | all ) \
[--disabled | --no-disabled] \
[--enable-logging | --no-enable-logging]
gcloud compute instances add-tags --help is pretty helpful:
DESCRIPTION
gcloud compute instances add-tags is used to add tags to Google Compute
Engine virtual machine instances. For example, running:
$ gcloud compute instances add-tags example-instance \
--tags tag-1,tag-2
will add tags tag-1 and tag-2 to 'example-instance'.
Tags can be used to identify the instances when adding network firewall
rules. Tags can also be used to get firewall rules that already exist to be
applied to the instance. See gcloud compute firewall-rules create(1) for
more details.
To list instances with their respective status and tags, run:
$ gcloud compute instances list \
--format='table(name,status,tags.list())'
To list instances tagged with a specific tag, tag1, run:
$ gcloud compute instances list --filter='tags:tag1'
For example:
$ gcloud compute instances list --format='table(name,status,tags.list())'
NAME  STATUS   TAGS
pb-1  RUNNING  fingerprint=CpSmrCTD0LE=,items=[u'http-server', u'https-server', u'pb-1']
pb-2  RUNNING  fingerprint=84JxACwWD7U=,items=[u'http-server', u'https-server', u'pb-2']
The http-server and https-server tags are not on every instance by default: the console adds them to an instance (and creates the matching default-allow-http and default-allow-https rules if they do not exist yet) when the "Allow HTTP traffic" and "Allow HTTPS traffic" boxes are ticked while creating it. For example, listing firewall rules with tags:
$ gcloud compute firewall-rules list --format="table( \
name, \
network, \
direction, \
priority, \
sourceRanges.list():label=SRC_RANGES, \
destinationRanges.list():label=DEST_RANGES, \
allowed[].map().firewall_rule().list():label=ALLOW, \
denied[].map().firewall_rule().list():label=DENY, \
sourceTags.list():label=SRC_TAGS, \
targetTags.list():label=TARGET_TAGS, \
disabled \
)"
NAME                 NETWORK  DIRECTION  PRIORITY  SRC_RANGES  DEST_RANGES  ALLOW     DENY  SRC_TAGS  TARGET_TAGS   DISABLED
default-allow-http   default  INGRESS    1000      0.0.0.0/0                tcp:80                    http-server   False
default-allow-https  default  INGRESS    1000      0.0.0.0/0                tcp:443                   https-server  False
All examples open TCP port 5432, the default port PostgreSQL listens on, and every result listing below was produced with the gcloud firewall-rules list command above. Firewall rule names are unique within a project, so each example assumes the postgres rule from the previous one has been deleted first (gcloud compute firewall-rules delete postgres).
3.0 Rule that allows access to TCP 5432 from anywhere on every instance
$ gcloud compute firewall-rules create postgres --network default --priority 1000 --direction ingress --action allow --rules tcp:5432
# result
NAME                 NETWORK  DIRECTION  PRIORITY  SRC_RANGES  DEST_RANGES  ALLOW     DENY  SRC_TAGS  TARGET_TAGS   DISABLED
postgres             default  INGRESS    1000      0.0.0.0/0                tcp:5432                                False
No --source-* and no --target-* flags were given, so the source defaulted to 0.0.0.0/0 and the target to every instance in the network: this rule exposes port 5432 on every VM that has an external IP to the whole internet.
3.1 Rule that allows access to TCP 5432 from instances with pb-1 network tag on every instance
$ gcloud compute firewall-rules create postgres --network default --priority 1000 --direction ingress --action allow --rules tcp:5432 --source-tags pb-1
# result
NAME                 NETWORK  DIRECTION  PRIORITY  SRC_RANGES  DEST_RANGES  ALLOW     DENY  SRC_TAGS  TARGET_TAGS   DISABLED
postgres             default  INGRESS    1000                               tcp:5432        pb-1                    False
SRC_RANGES is now empty: only traffic sent from the primary internal IP of instances tagged pb-1 in this network matches, but the target is still every instance.
3.2 Rule that allows access to TCP 5432 from instances with pb-1 network tag on instances with pb-2 network tag
$ gcloud compute firewall-rules create postgres --network default --priority 1000 --direction ingress --action allow --rules tcp:5432 --source-tags pb-1 --target-tags pb-2
# result
NAME                 NETWORK  DIRECTION  PRIORITY  SRC_RANGES  DEST_RANGES  ALLOW     DENY  SRC_TAGS  TARGET_TAGS   DISABLED
postgres             default  INGRESS    1000                               tcp:5432        pb-1      pb-2          False
3.3 Rule that allows access to TCP 5432 from instances with pb-1 network tag or from 66.1.2.3 on instances with pb-2 network tag
$ gcloud compute firewall-rules create postgres --network default --priority 1000 --direction ingress --action allow --rules tcp:5432 --source-tags pb-1 --target-tags pb-2 --source-ranges 66.1.2.3
# result
NAME                 NETWORK  DIRECTION  PRIORITY  SRC_RANGES  DEST_RANGES  ALLOW     DENY  SRC_TAGS  TARGET_TAGS   DISABLED
postgres             default  INGRESS    1000      66.1.2.3                 tcp:5432        pb-1      pb-2          False
Source tags and source ranges are combined with OR, so both VMs tagged pb-1 and the single address 66.1.2.3 (a /32) may reach port 5432 on pb-2 instances.
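The listings above make it easy to spot a rule that, like the first postgres example, is open to the internet on every instance; on a real project with dozens of rules that check is worth automating. The following added Python script (not the page's own code and not a Google tool) reads the JSON produced by gcloud compute firewall-rules list --format=json and reports enabled ingress allow rules reachable from public address space, noting whether they apply to all instances and whether they open well-known service ports. The embedded listing is constructed to mirror the rules in these notes; the field names follow the Compute API Firewall resource, the values are made up.

```python
"""Audit `gcloud compute firewall-rules list --format=json` for internet-exposed ingress allows.
Added example; not gcloud code. Pipe real output in, or run stand-alone on the sample below."""
import ipaddress
import json
import sys
from typing import List, Tuple

# Constructed sample in the shape of the real listing (values made up for this example).
SAMPLE_LISTING = json.dumps([
    {"name": "default-allow-http", "direction": "INGRESS", "priority": 1000, "disabled": False,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["http-server"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "postgres", "direction": "INGRESS", "priority": 1000, "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "postgres-scoped", "direction": "INGRESS", "priority": 1000, "disabled": False,
     "sourceTags": ["pb-1"], "targetTags": ["pb-2"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
    {"name": "old-ssh-anywhere", "direction": "INGRESS", "priority": 1000, "disabled": True,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "office-rdp", "direction": "INGRESS", "priority": 900, "disabled": False,
     "sourceRanges": ["10.0.0.0/8"], "targetTags": ["win"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-all-egress", "direction": "EGRESS", "priority": 65534, "disabled": False,
     "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
])

SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 27017: "mongodb"}

# Ranges that cannot be reached from the internet: RFC 1918, link-local, loopback, IPv6 ULA/LL.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128")]


def _is_public(cidr: str) -> bool:
    """True unless the whole range sits inside one non-public block.
    (ipaddress.ip_network("0.0.0.0/0").is_private is True on many Python versions, so do not use it.)"""
    net = ipaddress.ip_network(cidr, strict=False)
    return not any(p.version == net.version and net.subnet_of(p) for p in NON_PUBLIC)


def _exposed_services(allowed: list) -> Tuple[bool, List[str]]:
    """Return (opens_every_port, sorted names of sensitive ports covered by the allowed entries)."""
    every_port = False
    hits = set()
    for entry in allowed:
        proto, ports = entry["IPProtocol"], entry.get("ports")
        if proto == "all" or not ports:      # "all" or a bare protocol has no port restriction
            every_port = True
            continue
        for spec in ports:
            lo, _, hi = spec.partition("-")
            lo, hi = int(lo), int(hi or lo)
            hits.update(name for p, name in SENSITIVE_PORTS.items() if lo <= p <= hi)
    return every_port, sorted(hits)


def audit(listing_json: str) -> list:
    findings = []
    for rule in json.loads(listing_json):
        if rule.get("disabled") or rule.get("direction") != "INGRESS" or not rule.get("allowed"):
            continue
        # gcloud stores a rule created with no source as sourceRanges 0.0.0.0/0; a rule whose
        # only sources are tags or service accounts is not reachable from outside the network
        ranges = rule.get("sourceRanges") or (
            [] if rule.get("sourceTags") or rule.get("sourceServiceAccounts") else ["0.0.0.0/0"])
        public = [r for r in ranges if _is_public(r)]
        if not public:
            continue
        every_port, sensitive = _exposed_services(rule["allowed"])
        unscoped = not (rule.get("targetTags") or rule.get("targetServiceAccounts"))
        findings.append({
            "name": rule["name"],
            "priority": rule.get("priority", 1000),
            "public_sources": public,
            "all_instances": unscoped,
            "every_port": every_port,
            "sensitive": sensitive,
            "severity": "high" if (unscoped or every_port or sensitive) else "medium",
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["priority"], f["name"]))


if __name__ == "__main__":
    # usage: gcloud compute firewall-rules list --format=json | python3 fw_audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for f in audit(data):
        print(f"{f['severity']:6} {f['name']:24} from {','.join(f['public_sources'])} "
              f"targets={'ALL' if f['all_instances'] else 'tagged'} "
              f"ports={'all' if f['every_port'] else ','.join(f['sensitive']) or 'non-sensitive'}")
```

On the sample the open postgres rule is reported as high (all instances, sensitive port) and default-allow-http as medium (tag-scoped, port 80); postgres-scoped, the disabled SSH rule, the RFC 1918 RDP rule and the egress rule produce no finding. The severity scheme is a simplification for the example; extend SENSITIVE_PORTS and NON_PUBLIC to match your own environment.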
Worth repeating from Direction of traffic:
Traffic from VM1 to VM2 can be controlled using either of these firewall rules:
- An ingress rule with a target of VM2 and a source of VM1.
- An egress rule with a target of VM1 and a destination of VM2.
Note to self: find the external IP on the console: