@thesaravanakumar
Last active November 10, 2022 12:00
Short overview for firewall and cloud armor (GCP)

  • Firewall rules let you allow or deny traffic to and from your VM instances based on a configuration you specify.
  • While firewall rules are defined at the network level, connections are allowed or denied on a per-instance basis. You can think of the VPC firewall rules as existing not only between your instances and other networks, but also between individual instances within the same network.
  • Firewall rules are global resources, like the VPC network they belong to.
  • They apply between instances within the same network, and between instances and other networks.
  • Each VPC network acts as a distributed firewall -> by default it handles traffic filtering at each instance.

Ex - Applying firewall rules to tagged instances (connections are allowed on a per-instance basis)

A firewall rule is made up of 4 things at minimum (action, direction, protocol/ports, target), as in this example that allows SSH (tcp:22) in to instances carrying the network tag red-tag:

    gcloud compute firewall-rules create http-allow-rule --direction=INGRESS --allow=tcp:22 --target-tags=red-tag

The full set of rule components:
  • action (allow or deny traffic)
  • direction (ingress or egress) -> a rule cannot be both simultaneously
  • type of protocol and ports (tcp, udp, icmp, esp, ah, sctp, ipip)
  • target (the instances the rule applies to), plus the source (ingress) or destination (egress) the rule matches
  • priority (determines the order in which rules are evaluated, and therefore which rule is applied; lower numbers win)
  • enforcement status (enable and disable firewall rules without deleting them; useful for troubleshooting and maintenance)
  • logs (log connections that match the rule into Cloud Logging)

Each firewall rule can contain either IPv4 or IPv6 ranges, but not both.

You can apply a firewall rule:

  • To all instances in a network
  • To specific instances using network tags
  • To instances using service accounts

Firewall rules support IPv4 connections; IPv6 connections are also supported in VPC networks that have IPv6 enabled. A rule belongs to one VPC network and cannot be shared among networks.

VPC firewall rules are stateful -> when a connection is allowed through the firewall in either direction, return traffic matching that connection is also allowed. You cannot configure a firewall rule to deny the associated response traffic. Return traffic must match the 5-tuple [source IP, destination IP, source port, destination port, protocol] of the accepted request traffic, but with the source and destination addresses and ports reversed.

In addition to firewall rules that you create, Google Cloud has other rules that can affect incoming (ingress) or outgoing (egress) connections:

  • Google Cloud blocks or limits certain traffic (Blocked and limited traffic)
  • Google Cloud always allows communication between a VM instance and its corresponding metadata server at 169.254.169.254 (allowed traffic)
  • Every network has two implied firewall rules that permit outgoing connections and block incoming connections. Firewall rules that you create can override these implied rules.
  • The default network is pre-populated with firewall rules that you can delete or modify.

By default you get implied rules when you create a network. Every VPC network has two implied IPv4 firewall rules:

  • Implied allow egress rule
    • priority 65535 (destination is 0.0.0.0/0)
  • Implied deny ingress rule
    • priority 65535 (source is 0.0.0.0/0)

If IPv6 is enabled in a VPC network, the network also has two implied IPv6 firewall rules:

  • Implied IPv6 allow egress rule
  • Implied IPv6 deny ingress rule

65535 is the lowest priority, so any rule you create with a higher priority (a lower number) overrides the implied rules. Google Cloud always allows communication between a VM instance and its corresponding metadata server at 169.254.169.254.
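The following is an added example, not part of the original gist and not Google's implementation: a small Python model of how the rule components above (action, direction, protocol/ports, target tags, source/destination ranges, priority, enforcement) combine with the two implied rules at priority 65535, and of the stateful return-traffic behaviour described earlier. The rule set, instance addresses and tags are constructed for illustration; the rule names http-allow-rule and red-tag come from the gcloud example on this page, the others are invented.

```python
"""Toy model of VPC firewall rule evaluation (constructed example, not Google's code)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                           # "INGRESS" or "EGRESS", never both
    action: str                              # "allow" or "deny"
    priority: int                            # 0 is highest, 65535 is lowest
    protocol: str = "all"                    # "tcp", "udp", "icmp", ... or "all"
    ports: frozenset = frozenset()           # destination ports; empty = any port
    target_tags: frozenset = frozenset()     # empty = every instance in the network
    source_ranges: tuple = ("0.0.0.0/0",)    # matched for ingress rules
    destination_ranges: tuple = ("0.0.0.0/0",)  # matched for egress rules
    disabled: bool = False                   # enforcement status


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    direction: str                           # relative to the instance being evaluated
    instance_tags: frozenset = frozenset()   # network tags of that instance


# Every VPC network has two implied IPv4 rules at the lowest priority (65535).
IMPLIED_RULES = (
    Rule("implied-allow-egress", "EGRESS", "allow", 65535),
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535),
)

# Constructed user rules. Hypothetical names except http-allow-rule / red-tag.
USER_RULES = (
    Rule("http-allow-rule", "INGRESS", "allow", 1000, "tcp", frozenset({22}),
         frozenset({"red-tag"})),
    Rule("deny-ssh-from-lab", "INGRESS", "deny", 900, "tcp", frozenset({22}),
         frozenset({"red-tag"}), source_ranges=("192.0.2.0/24",)),
    Rule("deny-all-ingress", "INGRESS", "deny", 0, disabled=True),   # present but not enforced
    Rule("deny-egress-to-lab", "EGRESS", "deny", 100, "tcp",
         destination_ranges=("203.0.113.0/24",)),
)


def _in_ranges(ip: str, ranges) -> bool:
    return any(ip_address(ip) in ip_network(r) for r in ranges)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A disabled rule never matches; otherwise every component must agree."""
    if rule.disabled or rule.direction != flow.direction:
        return False
    if rule.protocol != "all" and rule.protocol != flow.protocol:
        return False
    if rule.ports and flow.dst_port not in rule.ports:
        return False
    if rule.target_tags and not (rule.target_tags & flow.instance_tags):
        return False
    if flow.direction == "INGRESS":
        return _in_ranges(flow.src_ip, rule.source_ranges)
    return _in_ranges(flow.dst_ip, rule.destination_ranges)


def evaluate(rules, flow: Flow):
    """Return (action, rule_name) of the highest-priority (lowest number) matching rule.
    Implied rules are appended last, so any user rule below 65535 overrides them."""
    for rule in sorted(tuple(rules) + IMPLIED_RULES, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule.action, rule.name
    raise ValueError(f"unknown direction {flow.direction!r}")


def with_rule_enabled(rules, name: str):
    """Flip the enforcement status of one rule without deleting it."""
    return tuple(replace(r, disabled=False) if r.name == name else r for r in rules)


def reverse_flow(flow: Flow) -> Flow:
    """The reply half of a connection: same 5-tuple with addresses and ports swapped."""
    return Flow(flow.dst_ip, flow.src_ip, flow.dst_port, flow.src_port, flow.protocol,
                "EGRESS" if flow.direction == "INGRESS" else "INGRESS", flow.instance_tags)


class StatefulFirewall:
    """Stateful semantics: once an initiating packet is allowed, matching return
    traffic is allowed regardless of rules in the opposite direction."""

    def __init__(self, rules):
        self.rules = tuple(rules)
        self.established = set()   # 5-tuples of accepted initiating packets

    def packet(self, flow: Flow):
        key = (flow.src_ip, flow.dst_ip, flow.src_port, flow.dst_port, flow.protocol)
        reverse_key = (flow.dst_ip, flow.src_ip, flow.dst_port, flow.src_port, flow.protocol)
        if reverse_key in self.established:
            return "allow", "established-connection"
        action, name = evaluate(self.rules, flow)
        if action == "allow":
            self.established.add(key)
        return action, name
```

Evaluating a tagged instance with these rules shows the priority order at work: SSH from 203.0.113.5 is allowed by http-allow-rule (priority 1000), the same connection from 192.0.2.9 is denied by deny-ssh-from-lab (priority 900 wins), an untagged instance falls through to implied-deny-ingress, and deny-all-ingress is ignored until it is enabled. The reply to the allowed SSH connection would be denied by deny-egress-to-lab on a stateless evaluation, but the stateful firewall lets it through as part of the established connection.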

By default you get prepopulated rules when you create a network.

The following diagram illustrates some examples where firewall rules can control ingress connections. The examples use the target parameter in rule assignments to apply rules to specific instances.

The following diagram illustrates some examples where firewall rules can control egress connections. The examples use the target parameter in rule assignments to apply rules to specific instances.

Firewall policies group rules into a policy object:

  • Hierarchical firewall policies -> can apply to many VPC networks in one or more projects.
  • Global network firewall policies -> applicable to all regions (global).
  • Regional network firewall policies -> applicable to a specific region.

Google Cloud Armor helps you protect your Google Cloud deployments from multiple types of threats, including distributed denial-of-service (DDoS) attacks and application attacks like cross-site scripting (XSS) and SQL injection (SQLi).
