Locking down the GCP VPC firewall

published 2023-04-15 [ home ]

I have done that three times now, so it is time to make a quick blog post about it.

When you create a new Google Cloud Platform account, its VPC firewall comes configured like this:

default rules

The first two rules, default-allow-http and default-allow-https, only apply to machines with the http-server and https-server network tags and they are fine. The third one, default-allow-icmp, allows ICMP which is the protocol used by ping; some people do not want that but I typically keep it on. The three last rules, though, are too lax for my taste.

We start with default-allow-rdp. The Remote Desktop Protocol is typically used to access remote Windows servers, even though it is now also supported by Gnome. You are probably not a Windows shop and you certainly do not want that open on all your instances, so disable it.

Now, default-allow-ssh. It is the same thing for the Secure Shell Protocol. I typically do not want to allow SSH access to instances from the outside; instead, I enforce the use of Identity-Aware Proxy through gcloud like this:

gcloud compute ssh --tunnel-through-iap my-instance-name

So you can disable that rule, but you also need to create one which is exactly the same with the source set to the IAP IP range i.e. I call it iap-allow-ssh.

You may also still want to allow SSH access from anywhere on some machines such as SFTP servers, so I create a rule with source that only applies to machines with the sshable network tag.

I also enable logs on both SSH rules so I can easily know exactly who connects to instances and when.

Finally, the default-allow-internal rule allows all traffic between machines in your VPC. For some of you it may be fine, but I prefer configuring all flows explicitly using tags, so I disable it as well.

This is how it all should look eventually:

secure rules