Firewall rules are similar to AWS Security Groups in that you define filters for incoming and outgoing packets. Firewall rules and VM instances are associated through network tags, which are simple labels: a VM instance can carry zero or more network tags, and a firewall rule applies to every VM instance that carries its target network tag.
Therefore, we need to set a target network tag while creating the firewall rule. Overall, we will create three firewall rules with the following configurations:
| Firewall rule name | Target VPC | Allow port | Allow from | Target network tag |
|---|---|---|---|---|
| public-ssh | chap7 | ssh (22/tcp) | All (0.0.0.0/0) | public |
| public-http | chap7 | http (80/tcp) | All (0.0.0.0/0) | public |
| private-ssh | chap7 | ssh (22/tcp) | Hosts which have the public network tag | private |
- Create a public-ssh rule:
$ gcloud compute firewall-rules create public-ssh --network=chap7 --allow="tcp:22" --source-ranges="0.0.0.0/0" --target-tags="public"
- Create a public-http rule:
$ gcloud compute firewall-rules create public-http --network=chap7 --allow="tcp:80" --source-ranges="0.0.0.0/0" --target-tags="public"
- Create a private-ssh rule:
$ gcloud compute firewall-rules create private-ssh --network=chap7 --allow="tcp:22" --source-tags="public" --target-tags="private"
- Check all firewall rules:
$ gcloud compute firewall-rules list --filter='NETWORK=chap7'
NAME         NETWORK  DIRECTION  PRIORITY  ALLOW   DENY
private-ssh  chap7    INGRESS    1000      tcp:22
public-http  chap7    INGRESS    1000      tcp:80
public-ssh   chap7    INGRESS    1000      tcp:22
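The three rules above are scoped only because each names a target tag; a rule created without any target applies to every instance in the VPC. As an added example that is not part of the original text, the following Python audit reads the JSON form of `gcloud compute firewall-rules list --format=json` (a constructed sample is embedded, with one deliberately untagged rule) and flags ingress rules that open tcp/22 to 0.0.0.0/0 without a target tag or target service account.

```python
# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`,
# reduced to the fields the audit reads. The API reports the network as a resource URL.
NET = "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/chap7"
SAMPLE_RULES = [
    {"name": "public-ssh", "network": NET, "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["public"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "public-http", "network": NET, "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["public"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "private-ssh", "network": NET, "direction": "INGRESS", "priority": 1000,
     "sourceTags": ["public"], "targetTags": ["private"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    # Constructed bad rule: no target, so it applies to every instance in chap7.
    {"name": "untagged-ssh", "network": NET, "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]

def allows_port(rule, proto, port):
    """True if an 'allowed' entry covers proto/port; an entry without 'ports' means all ports."""
    for entry in rule.get("allowed", []):
        if entry["IPProtocol"] not in (proto, "all"):
            continue
        ports = entry.get("ports")
        if not ports:
            return True
        for spec in ports:  # "22" or a range such as "8000-8080"
            low, _, high = spec.partition("-")
            if int(low) <= port <= int(high or low):
                return True
    return False

def audit_ssh_exposure(rules, network):
    """Names of enabled INGRESS rules in `network` that allow tcp/22 from 0.0.0.0/0 and
    name no target (no targetTags/targetServiceAccounts), i.e. SSH open to every instance."""
    findings = []
    for rule in rules:
        if rule["network"].rsplit("/", 1)[-1] != network or rule.get("disabled"):
            continue
        if rule.get("direction", "INGRESS") != "INGRESS":
            continue
        untargeted = not rule.get("targetTags") and not rule.get("targetServiceAccounts")
        if "0.0.0.0/0" in rule.get("sourceRanges", []) and untargeted and allows_port(rule, "tcp", 22):
            findings.append(rule["name"])
    return findings

if __name__ == "__main__":
    print(audit_ssh_exposure(SAMPLE_RULES, "chap7"))  # ['untagged-ssh']
```

To audit a real project, replace `SAMPLE_RULES` with `json.load()` of the output of `gcloud compute firewall-rules list --format=json`.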