Google Cloud Security: Creating Firewall Rules on a VPC Network
![Google Cloud Security: Creating Firewall Rules on a VPC Network](/content/images/size/w1200/2020/08/oie_616356bdgvyh4s-2.jpg)
I will configure two firewall rules on the custom VPC: (1) a wide-scope rule that allows SSH to every instance in the network, and (2) a narrow-scope rule that uses a network tag to allow ICMP (ping) to a single instance, and only from one subnet. Together they show how the source range and the target (all instances versus a tag) set the scope of a rule.
Allow SSH Access to all Virtual Machine Instances
- Scroll down to VPC Network, click Firewall rules, then Create firewall rule, and name it "allow-ssh"
- In the Network dropdown menu, select "custom-vpc"
- Targets: select "All instances in the network"
- Source IP ranges: type 0.0.0.0/0
- Protocols and ports: select "Specified protocols and ports", check tcp, and enter 22

Note that tcp:22 from 0.0.0.0/0 exposes SSH on every instance that has an external IP to the whole internet. That is acceptable for this lab, but in a real environment restrict the source to your own address range, or to Google's IAP TCP-forwarding range (35.235.240.0/20) and reach the instances through IAP instead.
![image-63.png](https://www.songer.pro/wp-content/uploads/2019/09/image-63.png?w=828)
![image-64.png](https://www.songer.pro/wp-content/uploads/2019/09/image-64.png?w=582)
![image-65.png](https://www.songer.pro/wp-content/uploads/2019/09/image-65.png?w=797)
![image-66.png](https://www.songer.pro/wp-content/uploads/2019/09/image-66.png?w=774)
![image-67.png](https://www.songer.pro/wp-content/uploads/2019/09/image-67.png?w=804)
![image-68.png](https://www.songer.pro/wp-content/uploads/2019/09/image-68.png?w=833)
Apply Network Tag to VM
- Select Compute Engine and click on "instance-2"
- Click Edit, scroll down to Network tags, enter "icmp-allow", and save the instance
![image-69.png](https://www.songer.pro/wp-content/uploads/2019/09/image-69.png?w=620)
![image-70.png](https://www.songer.pro/wp-content/uploads/2019/09/image-70.png?w=965)
![image-71.png](https://www.songer.pro/wp-content/uploads/2019/09/image-71.png?w=830)
![image-72.png](https://www.songer.pro/wp-content/uploads/2019/09/image-72.png?w=830)
![image-73.png](https://www.songer.pro/wp-content/uploads/2019/09/image-73.png?w=828)
Create a narrow-scope firewall rule for virtual machine "instance-2"
- Go back to the Firewall rules menu, create a new rule, and name it "allow-icmp"
- Choose the custom-vpc network
- In the Targets dropdown menu, select "Specified target tags" if it is not already the default
- In the Target tags field, type icmp-allow and hit Enter
- In the Source filter dropdown, choose IP ranges
- Enter the IP range of the subnet-a subnet
- In Protocols and ports, choose "Specified protocols and ports"
- Check "Other protocols" and type icmp (ICMP has no port number)
![image-74.png](https://www.songer.pro/wp-content/uploads/2019/09/image-74.png?w=1024)
![image-75.png](https://www.songer.pro/wp-content/uploads/2019/09/image-75.png?w=840)
![image-76.png](https://www.songer.pro/wp-content/uploads/2019/09/image-76.png?w=831)
![image-77.png](https://www.songer.pro/wp-content/uploads/2019/09/image-77.png?w=885)
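The same three console procedures (the wide-scope SSH rule, the network tag on instance-2, and the narrow-scope ICMP rule) as a gcloud script. This is an added example, not code from the original post. The project ID, zone and the primary range of subnet-a are assumptions because the post does not state them; override them from the environment. The SSH source defaults to Google's IAP TCP-forwarding range instead of the post's 0.0.0.0/0, so pass SSH_SOURCE=0.0.0.0/0 to reproduce the post exactly.

```shell
#!/bin/sh
# Added example (not from the original post): gcloud equivalent of the console steps.
# PROJECT, ZONE and SUBNET_A_RANGE are assumptions; the post does not give them.
set -eu

PROJECT="${PROJECT:-my-project}"                  # assumed project ID
ZONE="${ZONE:-us-central1-a}"                     # assumed zone of instance-2
NETWORK="custom-vpc"                              # network name from the post
SUBNET_A_RANGE="${SUBNET_A_RANGE:-10.0.1.0/24}"   # assumed primary range of subnet-a
SSH_SOURCE="${SSH_SOURCE:-35.235.240.0/20}"       # IAP TCP-forwarding range; 0.0.0.0/0 matches the post
DRY_RUN="${DRY_RUN:-0}"                           # DRY_RUN=1 prints each command instead of running it

# Run a command, or print it when DRY_RUN=1, so the plan can be reviewed before it is applied.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Wide-scope rule: tcp:22 to every instance in the network (no target tags, so it applies to all).
create_allow_ssh() {
  run gcloud compute firewall-rules create allow-ssh \
    --project="$PROJECT" --network="$NETWORK" \
    --direction=INGRESS --action=ALLOW --rules=tcp:22 \
    --source-ranges="$SSH_SOURCE"
}

# Attach the network tag that the narrow rule will target.
tag_instance() {
  run gcloud compute instances add-tags instance-2 \
    --project="$PROJECT" --zone="$ZONE" --tags=icmp-allow
}

# Narrow-scope rule: ICMP only, only to instances tagged icmp-allow, only from subnet-a.
create_allow_icmp() {
  run gcloud compute firewall-rules create allow-icmp \
    --project="$PROJECT" --network="$NETWORK" \
    --direction=INGRESS --action=ALLOW --rules=icmp \
    --source-ranges="$SUBNET_A_RANGE" --target-tags=icmp-allow
}

# Verify: list the rules on the network with their sources, allowed protocols and target tags.
list_rules() {
  run gcloud compute firewall-rules list --project="$PROJECT" \
    --filter="network=$NETWORK" \
    --format="table(name,direction,priority,sourceRanges.list():label=SRC,allowed[].map().firewall_rule().list():label=ALLOW,targetTags.list():label=TARGET_TAGS)"
}

main() {
  create_allow_ssh
  tag_instance
  create_allow_icmp
  list_rules
}

# Apply only when invoked as `sh gcp-firewall.sh apply`; otherwise the functions can be sourced.
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run `DRY_RUN=1 sh gcp-firewall.sh apply` first to see the exact commands, then without DRY_RUN to create the rules. The listing at the end is the check that matters: allow-ssh should show no target tags (all instances), and allow-icmp should show only the subnet-a range as its source and icmp-allow as its target tag.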
Test ICMP Firewall Rule
- Go back to Compute Engine and test this rule by pinging "instance-2" from the SSH terminal of each of the other virtual machine instances
![image-78.png](https://www.songer.pro/wp-content/uploads/2019/09/image-78.png?w=971)
instance-1a
- You will see that I can ping "instance-2" from the SSH terminal of this instance.
![image-79.png](https://www.songer.pro/wp-content/uploads/2019/09/image-79.png?w=1000)
instance-1b
- You will see that I can ping "instance-2" from the SSH terminal of this instance.
![image-80.png](https://www.songer.pro/wp-content/uploads/2019/09/image-80.png?w=1024)
instance-3
- You will see that when you ping "instance-2" from the SSH terminal of this instance, it pauses for a long time and eventually times out, because the rule only allows ICMP sourced from subnet-a and instance-3 is not in that subnet. No other rule matches, so the packets fall through to the network's implied deny-ingress rule, which drops them silently; that is why ping shows a timeout rather than an error.
![image-81.png](https://www.songer.pro/wp-content/uploads/2019/09/image-81.png?w=1024)