GCP Networking and Firewall Basics
Google’s networking is similar to AWS’ with some minor differences.
VPC Network Overview
- VPC networks, including their associated routes and firewall rules, are global resources. They are not associated with any particular region or zone. However, as you partition a VPC into subnets, each subnet is associated with a region.
- VPC administration can be secured using Identity and Access Management (IAM) roles.
- You can share a VPC network from one project to instances in another project within the same organization using shared VPC. Shared VPC enables multi-tenancy deployments and delegated instance administration while separately maintaining network administrative controls.
VPC Networks in a Hybrid Environment
VPC networks can be securely connected in hybrid environments by using VPN connections or dedicated interconnect.
Firewalls Exist at a VPC Level
Firewall rules are defined at the VPC network level, and are specific to the network in which they are defined. The rules themselves cannot be shared among networks.
Firewall rules only support IPv4 traffic. When specifying a source for an ingress rule or a destination for an egress rule by address, you can only use an IPv4 address or IPv4 block in CIDR notation.
Stateful Rules
GCP firewall rules are stateful. If a connection is allowed between a source and a target or a target and a destination, all subsequent traffic in either direction will be allowed. In other words, firewall rules allow bidirectional communication once a session is established. Firewall rules cannot allow traffic in one direction while denying the associated return traffic.
Default and Implied Rules
Every VPC network has two implied firewall rules. These rules exist, but are not shown in the Cloud Console:
- The implied allow egress rule: An egress rule whose action is allow, destination is 0.0.0.0/0, and priority is the lowest possible (65535) lets any instance send traffic to any destination. Outbound access may be restricted by a higher priority firewall rule. Internet access is allowed if no other firewall rules deny outbound traffic and if the instance has an external IP address or uses a NAT instance. Refer to Internet access requirements for more details.
- The implied deny ingress rule: An ingress rule whose action is deny, source is 0.0.0.0/0, and priority is the lowest possible (65535) protects all instances by blocking incoming traffic to them. Incoming access may be allowed by a higher priority rule. Note that the default network includes some additional rules that override this one, allowing certain types of incoming traffic.
The implied rules cannot be removed, but they have the lowest possible priorities. Rules you create can override them as long as your rules have higher priorities (priority numbers less than 65535).
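To make the priority ordering and the two implied rules concrete, here is a small evaluator added as an illustration (it is not Google's code and does not talk to GCP); the rule names and addresses are constructed, and the tie-break where deny beats allow at equal priority is GCP documented behaviour not stated on this page.

```python
import ipaddress
from dataclasses import dataclass

IMPLIED_PRIORITY = 65535  # lowest possible priority, as described above

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str      # "INGRESS" or "EGRESS"
    action: str         # "allow" or "deny"
    priority: int       # 0..65535; a lower number takes precedence
    cidr: str           # source (ingress) or destination (egress), IPv4 CIDR
    ports: frozenset    # TCP/UDP ports; empty set means all ports

# The two implied rules every VPC network carries (not shown in the Console).
IMPLIED_RULES = (
    Rule("implied-allow-egress", "EGRESS", "allow", IMPLIED_PRIORITY, "0.0.0.0/0", frozenset()),
    Rule("implied-deny-ingress", "INGRESS", "deny", IMPLIED_PRIORITY, "0.0.0.0/0", frozenset()),
)

def evaluate(rules, direction, peer_ip, port):
    """Return (action, rule_name) for the packet that opens a session.

    Because the firewall is stateful, only this first packet is judged;
    return traffic of an allowed session is not re-evaluated.
    peer_ip is the source for INGRESS and the destination for EGRESS.
    Lowest priority number wins; on a tie, deny beats allow (assumed, see lead-in).
    """
    ip = ipaddress.ip_address(peer_ip)
    if ip.version != 4:
        raise ValueError("the rules covered here only match IPv4 addresses")
    candidates = [
        r for r in list(rules) + list(IMPLIED_RULES)
        if r.direction == direction
        and ip in ipaddress.ip_network(r.cidr)
        and (not r.ports or port in r.ports)
    ]
    # Sort by priority number, deny ahead of allow on equal priority.
    candidates.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    winner = candidates[0]  # the implied rules guarantee at least one match
    return winner.action, winner.name

# Constructed sample rule set (hypothetical names, not from the page):
# allow SSH from the corporate range, but a higher-priority deny carves out one lab subnet.
USER_RULES = (
    Rule("allow-ssh-corp", "INGRESS", "allow", 1000, "10.0.0.0/8", frozenset({22})),
    Rule("deny-ssh-lab", "INGRESS", "deny", 900, "10.99.0.0/16", frozenset({22})),
)
```

With no user rules at all, every ingress packet falls through to the implied deny and every egress packet to the implied allow, which is exactly the posture the two implied rules describe.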
Traffic internal and external to a VPC
- Resources within a VPC network can communicate with one another using internal (private) IPv4 addresses, subject to applicable network firewall rules.
- VPC networks can be connected to other GCP VPC networks from different projects or organizations by using VPC peering.
- Traffic into and out of a VPC is controlled by firewall rules as well.
Traffic to and from Instances
Traffic to and from instances can be controlled with network firewall rules.