John Mark Causing

System Administrator | Hosting Support Engineer

Bacolod City, Philippines

+639393497018

This post is about the GCP VPC Firewall setup challenge, where you learn how to set up incoming (ingress) and outgoing (egress) firewall rules within a VPC network.

This setup also uses the following:

  • Service Accounts
  • Instance Template
  • Instance Groups
  • VPC

Challenge Build

The overview screenshot shows what our setup should look like (e.g. backend instances cannot be pinged from the internet):
  • Two-tier setup:
    • Frontend
      • Accepts incoming requests from the internet (you can ping these instances)
      • Can connect outbound to the backend and to the internet
    • Backend
      • Should NOT accept incoming requests from the internet
      • ONLY accepts incoming traffic from the frontend or other backends
      • Does not connect to the internet (no outbound anywhere except to other backends)
  • Auto-scaled across 2+ zones
  • Use ICMP ping to represent allowed firewall traffic
    • Real-world usage would be ports 80, 443, 3306
  • All firewall rules are based on service accounts (except open-ssh-tag – don’t add this TAG!)

Desired results:

Tips:

  • Clean up!
    • Disable autoscaling / set the instance count to 0
    • Or delete project

Setup

Roles

Service accounts:

  • backend-sa – screenshot example of its creation
  • frontend-sa – the same setup as above

VPC

Instance template

Backend instance template example creation

Instance group from instance template

Results:

Validation:

  • From Cloud Shell or your computer:
    • You can ping frontend instances
  • From Cloud Shell or your computer:
    • Should not be able to ping backend instances (screenshots: from Cloud Shell, from my computer)
  • When SSHed to frontend instances:
    • Can ping backend instances (including cross-zone)

NOTE: You can ping only the internal IP address, not the external address. That is because of this tier setup:

Backend – Should NOT accept incoming requests from the internet

So the external IP is considered “the internet”.
  • When SSHed to frontend instances:
    • Can ping google.com
  • When SSHed to backend instances:
    • Should not be able to ping frontend instances
    • Can ping other backend instances
    • Should not be able to ping google.com

How it works

First, this rule blocks everything, for all instances.

Second, this rule allows all egress/outgoing traffic, which means instances can ping google.com, the frontend and the backend.

Third, all egress/outgoing traffic from the backend is blocked. This targets backend instances only!

Fourth, egress/outgoing traffic targeting the backends is allowed for the ICMP protocol, matched on the IP range of our VPC.
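The following script is an added example and not the post's own commands: it creates one possible service-account based rule set that satisfies the challenge requirements above, using gcloud. The project ID (my-project-placeholder), the network name, the backend subnet range and the service account e-mail addresses are assumptions; it also assumes the frontend and backend instances live in different subnets, so that the backend egress allow can be narrowed to the backend subnet and a backend cannot ping a frontend (if both tiers share one range, the fourth rule must cover the whole VPC range as the post describes, and the "backend cannot ping frontend" check then relies on the frontend side). With DRY_RUN=1 (the default) the script only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example (not the post's own commands): service-account based VPC firewall rules
# for the two-tier ICMP challenge. PROJECT_ID, NETWORK, BACKEND_SUBNET and the service
# account e-mails are assumptions; DRY_RUN=1 prints the gcloud commands, DRY_RUN=0 runs them.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project-placeholder}"   # placeholder, replace with your project
NETWORK="${NETWORK:-two-tier-vpc}"                   # assumed VPC name
BACKEND_SUBNET="${BACKEND_SUBNET:-10.10.2.0/24}"     # assumed range of the backend subnet
FRONTEND_SA="frontend-sa@${PROJECT_ID}.iam.gserviceaccount.com"
BACKEND_SA="backend-sa@${PROJECT_ID}.iam.gserviceaccount.com"
DRY_RUN="${DRY_RUN:-1}"

# fw_rule NAME DIRECTION ACTION PRIORITY RULES TARGET_SA [extra gcloud flags...]
# An empty TARGET_SA means the rule applies to every instance in the network.
fw_rule() {
  local name=$1 direction=$2 action=$3 priority=$4 rules=$5 target_sa=$6
  shift 6
  if [ -n "$target_sa" ]; then
    set -- --target-service-accounts="$target_sa" "$@"
  fi
  set -- gcloud compute firewall-rules create "$name" \
    --project="$PROJECT_ID" --network="$NETWORK" \
    --direction="$direction" --action="$action" --priority="$priority" \
    --rules="$rules" "$@"
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

apply_rules() {
  # 1. Explicit deny-all ingress at the lowest precedence (65534). GCP already implies
  #    this at 65535, but an explicit rule can have logging enabled, so blocked probes
  #    show up in VPC firewall logs.
  fw_rule deny-all-ingress INGRESS DENY 65534 all "" \
    --source-ranges=0.0.0.0/0 --enable-logging

  # 2. Frontend: ICMP from anywhere (the "internet can ping the frontend" requirement).
  fw_rule allow-icmp-to-frontend INGRESS ALLOW 1000 icmp "$FRONTEND_SA" \
    --source-ranges=0.0.0.0/0

  # 3. Backend: ICMP only from instances running as frontend-sa or backend-sa.
  #    The source is an identity, not a network tag, so an instance cannot opt itself in.
  fw_rule allow-icmp-to-backend INGRESS ALLOW 1000 icmp "$BACKEND_SA" \
    --source-service-accounts="$FRONTEND_SA,$BACKEND_SA"

  # 4. Backend: deny all egress (no internet, no frontends), logged.
  fw_rule deny-backend-egress EGRESS DENY 1000 all "$BACKEND_SA" \
    --destination-ranges=0.0.0.0/0 --enable-logging

  # 5. Backend: allow ICMP egress to the backend subnet only. Egress rules cannot name
  #    a destination service account, so the destination is an IP range. Priority 900
  #    takes precedence over the deny at 1000 (lower number wins).
  fw_rule allow-backend-egress-to-backend-subnet EGRESS ALLOW 900 icmp "$BACKEND_SA" \
    --destination-ranges="$BACKEND_SUBNET"
}

apply_rules
```

Frontend egress is left to GCP's implied allow-egress rule, which is what lets the frontend reach google.com and the backend. Because rule 5 is the only path out of a backend, widening its destination range is the one change that can silently reopen the backend tier, so it is worth a dedicated check in any review of this rule set.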

Overall VPC Firewall Rules