Google Kubernetes Engine Clusters
Configuring and Managing Firewall Rules
This course explores how to implement virtual private clouds on the Google Cloud Platform. It starts off with an overview, where you'll be introduced to the key concepts and components that make up a virtual private cloud.
After covering basic VPC concepts and components, we'll dive into peering VPCs, shared VPCs, and VPC flow logs, including a hands-on demonstration of how to configure flow logs. We’ll also look at routing and network address translation, before moving on to Google Kubernetes Engine clusters. We’ll cover VPC-native clusters and alias IPs, as well as clustering with shared VPCs.
You’ll learn how to add authorized networks for GKE cluster master access and we finish off by looking at firewall rules. We’ll cover network tags, service accounts, and the importance of priority. You’ll also learn about ingress rules, egress rules, and firewall logs.
If you have any feedback related to this course, feel free to contact us at firstname.lastname@example.org.
- Get a foundational understanding of virtual private clouds on GCP
- Learn about VPC peering and sharing
- Learn about VPC flow logs and how to configure them
- Learn about routing in GCP and how to configure a static route
- Understand the pros and cons of VPC-native GKE clusters
- Learn about cluster network policies
- Understand how to configure and manage firewall rules in GCP
This course is intended for anyone who wants to learn how to implement virtual private clouds on the Google Cloud Platform.
To get the most from this course, you should already have experience with the public cloud and networking, as well as an understanding of GCP architecture.
Hello and welcome back. In this demonstration here, what we're going to do is create an ingress firewall rule that blocks RDP traffic on port 3389, both on TCP and UDP. It's a pretty brief demonstration, but it should give you an idea of how to create different types of firewall rules.
On the screen here I'm logged in to my Google Cloud Platform console. I'm logged in as an admin and I'm on the VPC network pane. What we're going to do here is browse to firewall here, and we can see we have several different firewall rules already created. What we're going to do here is create a new firewall rule and we'll just call it block-rdp.
Now what we'll do here is we'll also turn on logging. I might as well show you how to turn on firewall rule logging while we're doing this. And we can see here, it's an option, on or off, under Logs for our firewall rule. Now, to enable logging for our firewall rule we simply click the On radio button. Now, when we enable this log option, we see a dropdown appear for log details. And essentially what we need to do here is decide if we want to include metadata or not.
If we hover over the icon for additional fields, we can see that metadata is added by default. Now, including all of the metadata for your logging is going to vastly increase the size of your logs. You can limit the size of those logs by removing metadata. We'll leave our metadata in here. And then underneath here, we have two options. We have the default network chosen by default and a priority of 1000 set by default.
If we hover over the icon here we can see this is the network that our firewall rule is going to apply to. For this demonstration here, we're going to apply our rule to network A. And then if we hover over priority, we can see that the priority allows us to specify the order in which our rules are applied.
As I mentioned earlier, rules with lower numbers get prioritized first. So I'll just set this to 200. This means it's going to be processed pretty quickly in the chain of rules that are processed. And here we can see the direction of traffic we need to configure. We can select either ingress or egress. Since we're trying to block inbound RDP traffic, we'll leave this set to ingress. And what we're going to do is set the action on match, which we covered earlier, to deny. So when this rule gets matched, what the rule will do is deny the traffic.
In the target section here, we can either apply this rule to all instances in the network, in this case network A or to specific target tags or to specific service accounts. We covered these different filters earlier on. For this demonstration, I'm just going to leave it at all instances in the network. And now this source filter here. We have IP ranges, source tags, or service accounts.
If we hover over the icon here we can see this filter allows us to apply the rule that we're creating to whatever specific sources of traffic we're interested in. So if we want to block RDP from a specific range of IPs, we would select IP ranges, which is what we're going to do here. If we wanted to source it against different source tags or different instances using a specific service account, we would select either source tags or service account. Since we're going to block RDP from all locations, we'll set our source IP range to 0.0.0.0/0.
So essentially what we're doing is we're telling this rule, with this source IP range box, to block whatever traffic we're going to block from everywhere. Now this second source filter allows us to set additional filters, to apply our rule to specific sources of traffic. We're not doing any second source filtering here, so we'll leave this alone. And then in protocols and ports, we can tell the rule what we're going to block. We can deny all traffic by selecting the Deny all radio button, or we can specify certain protocols and ports.
For this demonstration, we're going to block 3389, which is RDP traffic, for both TCP and UDP since RDP does listen over both TCP and UDP.
Now, as I mentioned in the earlier lesson, when you create a rule, it's automatically created in the enabled state. This disabled rule here option would allow us to create the rule in the disabled state if we wanted to. So let's just review here. We're calling our rule block RDP. We've enabled logging. We're including the metadata. We're applying the rule to the network A VPC network with a priority of 200. We're blocking inbound traffic by selecting ingress. And the action is deny, which is doing the blocking. We're blocking this traffic for all instances on the network from any location. And the traffic that we're blocking is port 3389 traffic. And of course we're creating the rule in the enabled state.
So to create the rule we simply click create. And with that, we can see our new rule shows up in our list. We have our block RDP, it's an ingress that applies to all from all, blocks the TCP and UDP 3389 using the deny action with a priority of 200. And we can see the network it's applied to is network A with logging turned on. So with that, you now know how to create a basic firewall rule in the Google Cloud Platform.
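The same block-rdp rule from the demonstration, expressed as a gcloud command instead of console clicks, as an added example that is not part of the course. It assumes the VPC called "network A" in the demo is named network-a (override with the NETWORK variable) and that the active gcloud configuration already points at the right project; the script only prints the command unless APPLY=1 is set, so it can be reviewed first. The log query at the end reads the firewall rule logs that the Logs option turned on.

```shell
#!/bin/sh
# Added example (not from the course): recreate the demo's block-rdp rule with gcloud.
# Assumption: the demo's "network A" VPC is named network-a.
set -eu

NETWORK="${NETWORK:-network-a}"   # assumed VPC name for "network A"
RULE_NAME="block-rdp"

# Print the gcloud invocation for the rule shown in the demo, one argument
# per line, so it can be inspected before anything is changed in the project.
build_block_rdp_cmd() {
  printf '%s\n' \
    gcloud compute firewall-rules create "$RULE_NAME" \
    --network="$NETWORK" \
    --direction=INGRESS \
    --priority=200 \
    --action=DENY \
    --rules=tcp:3389,udp:3389 \
    --source-ranges=0.0.0.0/0 \
    --enable-logging \
    --logging-metadata=include-all
}

# Print the command that shows the rule as stored, so the priority, direction,
# action and logging state can be checked after creation.
build_describe_cmd() {
  printf '%s\n' \
    gcloud compute firewall-rules describe "$RULE_NAME" \
    "--format=yaml(name,network,direction,priority,denied,sourceRanges,logConfig)"
}

# Print the command that reads the most recent firewall rule log entries.
# Firewall logs are written under the gce_subnetwork resource type with the
# compute.googleapis.com/firewall log id.
build_logs_cmd() {
  printf '%s\n' \
    gcloud logging read \
    "resource.type=\"gce_subnetwork\" AND log_id(\"compute.googleapis.com/firewall\") AND jsonPayload.rule_details.reference:\"$RULE_NAME\"" \
    --limit=20 \
    --freshness=1h
}

# Run one of the built commands: execute it when APPLY=1, otherwise only print it.
run_or_print() {
  builder="$1"
  if [ "${APPLY:-0}" = 1 ]; then
    "$builder" | xargs -d '\n' sh -c 'exec "$0" "$@"'
  else
    echo "# would run:"
    "$builder" | tr '\n' ' '
    echo
  fi
}

run_or_print build_block_rdp_cmd
run_or_print build_describe_cmd
run_or_print build_logs_cmd
```

With APPLY unset the script prints the three commands and changes nothing, which is the form to use for review; running with APPLY=1 creates the rule, describes it back, and then pulls recent firewall log entries for it. Because the rule has no target tags or service accounts it applies to every instance in the network, exactly as in the demo.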
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.