GCP Associate Cloud Engineer: Firewall Rules

In Google Cloud Platform (GCP), VPC firewall rules are the primary line of defense for your Virtual Private Cloud (VPC) network. They control the traffic allowed into (ingress) or out of (egress) your virtual machine (VM) instances and are enforced by the network itself, independently of any firewall running inside the guest OS. Understanding how these rules are evaluated (lowest priority number first, first match wins) is critical for the ACE exam.

The Analogy: The Elite Nightclub Bouncer

Imagine your VPC is an exclusive nightclub. The Firewall Rules are the bouncer standing at the door with a guest list.

  • Ingress: People trying to enter the club. The bouncer checks their ID (IP address) and if they are wearing the right attire (Port/Protocol).
  • Egress: People trying to leave. Usually, the bouncer lets everyone out, but if someone is trying to steal a bottle of champagne (sensitive data), he might stop them.
  • Priority: If the club owner (Admin) says “No sneakers” (Priority 1000) but also says “Let in VIPs even if they wear sneakers” (Priority 500), the VIP gets in because the lower number wins.

Core Concepts & Deep Dive

GCP firewall rules are stateful. Once a connection is allowed in one direction, the return traffic for that connection is automatically allowed in the other direction, regardless of the rules for that direction: an allowed ingress request gets its response out even if egress rules would otherwise deny it, and an allowed egress request gets its response back in. This simplifies configuration significantly compared to stateless firewalls, where you would have to write a matching rule for every reply.

Key Attributes of a Rule:

  • Direction: Ingress (inbound) or Egress (outbound). Every rule has exactly one direction.
  • Priority: An integer from 0 to 65535. Lower numbers have higher priority; if you omit the priority, GCP assigns 1000.
  • Action: Allow or Deny.
  • Target: Which instances the rule applies to (all instances in the VPC, instances with specific network tags, or instances running as specific service accounts). Target tags and target service accounts cannot be combined in one rule.
  • Source/Destination: Ingress rules match on the source (IP ranges in CIDR notation, source tags, or source service accounts; tags and service accounts cannot be mixed in one rule). Egress rules match on destination IP ranges.
  • Protocol/Port: TCP, UDP, ICMP, etc., optionally restricted to specific ports (e.g., 80, 443, 22). A rule that lists only TCP ports does not match ICMP.

Comparison: VPC Firewalls vs. Related Services

VPC Firewall Rules
  • Scope: a single VPC network.
  • Primary use: controlling traffic to and from VM instances within the VPC.
  • Statefulness: stateful.
  • Cost: free (standard rules).

Hierarchical Firewall Policies
  • Scope: organization or folder level, inherited by the projects and VPCs beneath them.
  • Primary use: enforcing a security baseline across many projects.
  • Statefulness: stateful.
  • Cost: free / paid (tier dependent).

Cloud Armor
  • Scope: global external HTTP(S) (Application) Load Balancer.
  • Primary use: DDoS protection and WAF (Layer 7).
  • Statefulness: N/A (proxy-based; it inspects HTTP requests rather than tracking connections).
  • Cost: usage-based (monthly policy charge plus per-request charges).

Scenario-Based Decision Matrix

  • To block specific IP ranges from reaching your web server: a VPC ingress Deny rule whose priority number is lower (e.g., 500) than that of the Allow rule (default 1000), so the deny is evaluated first.
  • To allow traffic between VMs based on their function (e.g., app tier to DB tier): firewall rules that use service accounts (or network tags) as targets and sources.
  • To prevent any VM in the entire organization from using Telnet (TCP 23): a hierarchical firewall policy at the organization level.
  • To protect against SQL injection or cross-site scripting (XSS): Google Cloud Armor (WAF).

Exam Tips: Golden Nuggets

  • The Implied Rules: Every VPC has two implied rules: Allow Egress to 0.0.0.0/0 (priority 65535) and Deny Ingress from 0.0.0.0/0 (priority 65535). You cannot delete them, but any rule you create with a lower priority number (i.e., higher priority) overrides them. The net effect of a brand-new custom VPC is "everything out, nothing in".
  • Tags vs. Service Accounts: For the exam, service accounts are preferred over network tags for security because tags can be changed by anyone with the Compute Instance Admin role, whereas changing the service account a VM runs as additionally requires IAM permission to act as that service account, so the binding is more tightly controlled.
  • Priority Logic: Remember, 0 is the highest priority, 65535 is the lowest. If two rules conflict, the one with the lower number is applied. If two conflicting rules share the same priority, the Deny rule takes precedence over the Allow rule.
  • Default Network: The "default" VPC comes with pre-populated rules (default-allow-internal, default-allow-ssh, default-allow-rdp, default-allow-icmp). In a custom VPC, you must create these yourself to gain access; otherwise only the implied rules apply.

GCP Firewall Architecture Flow

Internet / Source IP -> Priority & Rule Match -> Target VM (Tag/SA/All) -> Firewall Logging (Optional)

Key GCP Services

VPC Firewall: Resource-level security filtering.

Cloud DNS Policy: Controls DNS queries.

VPC Peering: Firewall rules are not shared across a peering; each VPC keeps its own rules, so you need rules on both sides to allow cross-VPC communication.

Common Pitfalls

Priority 65535: Forgetting that the implied "Deny All Ingress" is always there at the bottom, so a VM with no matching allow rule is unreachable even from inside the VPC.

Protocol Mismatch: Allowing TCP 80 but trying to ping (ICMP) the server; the allow rule does not match ICMP, so the implied deny applies.

Egress Blocking: Accidentally blocking OS updates by restricting all outbound traffic without an allow rule for package repositories and Google APIs.

Architecture Patterns

Tiered Security: Use tags web-server and db-server (or, better, one service account per tier). Allow the internet to reach web-server on 80/443, allow web-server to talk to db-server on port 5432, and leave db-server with no ingress rule from the internet so the implied deny blocks it.

Zero Trust: Use service accounts for more granular, identity-based internal microsegmentation, so that a rule follows the workload identity rather than a tag an instance admin can edit.
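The following Python model of the evaluation logic described in this article is an added example written for this page, not Google's implementation or any GCP SDK code. It encodes the rules from the core-concepts section (priority order, deny winning a tie, the two implied rules at 65535, stateful return traffic) and runs constructed traffic against the tiered-security pattern above. All VM names, IP addresses (10.0.0.x, 198.51.100.7, 203.0.113.9, 8.8.8.8) and rule names are made up for the demonstration; the connection tracking is a simplification that ignores source ports.

```python
"""Teaching model of GCP VPC firewall rule evaluation (not Google's implementation)."""
import ipaddress
from dataclasses import dataclass

INGRESS, EGRESS, ALLOW, DENY = "INGRESS", "EGRESS", "allow", "deny"


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    action: str
    priority: int = 1000                    # GCP's default when --priority is omitted
    protocol: str = "all"                   # tcp, udp, icmp or all
    ports: frozenset = frozenset()          # empty = every port of that protocol
    ranges: tuple = ()                      # source ranges (ingress) / destination ranges (egress)
    source_tags: frozenset = frozenset()    # ingress only: traffic from VMs carrying these tags
    target_tags: frozenset = frozenset()    # empty = applies to all instances in the VPC


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    tags: frozenset = frozenset()


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dport: int = 0                          # destination port (0 for ICMP)


# The two implied rules every VPC has: lowest priority, cannot be deleted.
IMPLIED_RULES = (
    Rule("implied-allow-egress", EGRESS, ALLOW, 65535, ranges=("0.0.0.0/0",)),
    Rule("implied-deny-ingress", INGRESS, DENY, 65535, ranges=("0.0.0.0/0",)),
)


class Vpc:
    def __init__(self, instances, rules):
        self.by_ip = {i.ip: i for i in instances}
        # Lowest priority number first; among equal priorities deny sorts before allow, so deny wins a tie.
        self.rules = sorted(list(rules) + list(IMPLIED_RULES), key=lambda r: (r.priority, r.action != DENY))
        self.conns = set()                  # stateful tracking: (client_ip, server_ip, proto, dport)

    @staticmethod
    def _in_ranges(ip, ranges):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(r) for r in ranges)

    def _matches(self, rule, direction, vm, pkt):
        if rule.direction != direction or (rule.target_tags and not rule.target_tags & vm.tags):
            return False
        if rule.protocol != "all" and rule.protocol != pkt.protocol:
            return False                    # e.g. a TCP-only allow never matches ICMP
        if rule.ports and pkt.dport not in rule.ports:
            return False
        if direction == INGRESS:
            src_vm = self.by_ip.get(pkt.src_ip)
            by_tag = src_vm is not None and bool(rule.source_tags & src_vm.tags)
            return by_tag or self._in_ranges(pkt.src_ip, rule.ranges)
        return self._in_ranges(pkt.dst_ip, rule.ranges)

    def _decide(self, direction, vm, pkt):
        """First matching rule in priority order decides; the implied rules guarantee a match."""
        return next((r.action, r.name) for r in self.rules if self._matches(r, direction, vm, pkt))

    def check(self, pkt):
        """Return (action, rule name). Egress of the sender and ingress of the receiver must both allow."""
        if any(c[0] == pkt.dst_ip and c[1] == pkt.src_ip and c[2] == pkt.protocol for c in self.conns):
            return ALLOW, "established-connection"   # stateful: replies bypass the rule set
        decisions = []
        if pkt.src_ip in self.by_ip:
            decisions.append(self._decide(EGRESS, self.by_ip[pkt.src_ip], pkt))
        if pkt.dst_ip in self.by_ip:
            decisions.append(self._decide(INGRESS, self.by_ip[pkt.dst_ip], pkt))
        if not decisions:
            raise ValueError("neither endpoint is in this VPC")
        for action, name in decisions:
            if action == DENY:
                return action, name
        self.conns.add((pkt.src_ip, pkt.dst_ip, pkt.protocol, pkt.dport))
        return decisions[-1]


# Constructed tiered-security VPC: a web tier, a DB tier, and the rules from the pattern above.
WEB = Instance("web-1", "10.0.0.10", frozenset({"web-server"}))
DB = Instance("db-1", "10.0.0.20", frozenset({"db-server"}))
RULES = [
    Rule("allow-web-from-internet", INGRESS, ALLOW, 1000, "tcp", frozenset({80, 443}), ("0.0.0.0/0",),
         target_tags=frozenset({"web-server"})),
    Rule("deny-web-from-badnet", INGRESS, DENY, 500, "tcp", frozenset({80, 443}), ("203.0.113.0/24",),
         target_tags=frozenset({"web-server"})),              # 500 beats the 1000 allow above
    Rule("allow-db-from-web", INGRESS, ALLOW, 1000, "tcp", frozenset({5432}),
         source_tags=frozenset({"web-server"}), target_tags=frozenset({"db-server"})),
    Rule("deny-all-egress", EGRESS, DENY, 1000, ranges=("0.0.0.0/0",),
         target_tags=frozenset({"db-server"})),                # the "egress blocking" pitfall: no OS updates
]


def run_scenarios():
    """Run constructed traffic through the VPC; returns {label: (action, rule)} in order."""
    vpc = Vpc([WEB, DB], RULES)
    client, bad, updates = "198.51.100.7", "203.0.113.9", "8.8.8.8"   # constructed sample addresses
    return {
        "internet->web:80": vpc.check(Packet(client, WEB.ip, "tcp", 80)),
        "web->internet reply": vpc.check(Packet(WEB.ip, client, "tcp")),
        "badnet->web:443": vpc.check(Packet(bad, WEB.ip, "tcp", 443)),
        "internet->web ping": vpc.check(Packet(client, WEB.ip, "icmp")),
        "web->db:5432": vpc.check(Packet(WEB.ip, DB.ip, "tcp", 5432)),
        "db->web reply": vpc.check(Packet(DB.ip, WEB.ip, "tcp")),
        "internet->db:5432": vpc.check(Packet(client, DB.ip, "tcp", 5432)),
        "db->updates:443": vpc.check(Packet(DB.ip, updates, "tcp", 443)),
    }


if __name__ == "__main__":
    for label, (action, rule) in run_scenarios().items():
        print(f"{label:22} {action:5} via {rule}")
```

Each scenario maps to a point in the article: the priority-500 deny beats the priority-1000 allow for the bad network; the ping is denied by the implied rule because the allow only lists TCP ports; the DB tier's reply to the web tier passes as established traffic even though the DB's own egress is denied; and that same egress deny is what would silently break OS updates in practice.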
