1. Home
  2. Training Library
  3. Google Cloud Platform
  4. Courses
  5. Implementing a GCP Virtual Private Cloud (VPC)

Configuring and Managing Firewall Rules

Start course
Duration1h 15m


Please note: this course has been replaced with an updated version which can be found here.


This course guides you through the key steps to configure a Google Cloud Platform virtual private cloud (VPC), which allows you to connect your GCP services with one another securely.

After a brief introduction, the course begins with how to set up and configure VPCs, including VPC peering and shared VPC. You'll learn how to configure routes, set up cloud NAT (network address translation), and configure VPC-native clusters in Kubernetes, before rounding off the course by looking at VPC firewalls. The topics in this course are accompanied by demonstrations on the platform in order to show you how these concepts apply to real-world scenarios.

If you have any feedback, questions, or queries relating to this course, please feel free to contact us at support@cloudacademy.com.

Learning Objectives

  • Configure Google Cloud Platform VPC resources
  • Configure VPC peering and API access
  • Create shared VPCs
  • Configure internal static and dynamic routing, as well as NAT
  • Configure and maintain Google Kubernetes Engine clusters
  • Configure and maintain VPC firewalls

Intended Audience

This course is intended for:

  • Individuals who want to learn more about Google Cloud networking, who may also have a background in cloud networking with other public cloud providers
  • Individuals who simply want to widen their knowledge of cloud technology in general


To get the most from this course, you should already have experience in public cloud and networking as well as an understanding of GCP architecture.


Okay for the next section, we're gonna talk about your networking firewall rules. Now, this is a very big part of GCP, just because everything that your resources have access to is gonna be determined by the firewall rules.

By default, all incoming traffic from outside of your network is blocked. So anything external from the public internet is blocked, although going out to the public internet is allowed. Now, you can control that within your firewall rules.

Now, going down the range, you can see here, for ingress it's any type of inbound traffic and egress is any type of outbound traffic. You're gonna see that the web port 80 is allowed here. You're gonna see the ICMP for ping, that's allowed.

Another thing to keep in mind is GCP allows you to use, you can just type in ICMP to pretty much signify that you're allowed to ping your instances, which is great. You don't have to necessarily put the actual port number. So you can use a port. You can use the actual protocol. Internal access, you could see through these IP ranges that it allows the TCPE and UDP ports for internal. And then you also have allow an RDP for your Windows instances out there, for 3389 and then SXH.

So you have port 22 from the internet. So once again, you could control literally who can have access to any resource internally and out. And also, there's always going to be a default block of external ingress traffic, unless you explicitly allow it. And there's also things that Google blocks that if somebody's doing DDOS attacks and things like that, they also have things where they automatically block that type of traffic for you.

There's some other things when you look in, when you're creating a firewall rule, like I was telling you earlier, you can choose the incoming traffic or the outgoing. And then there's some other key things when you're creating a rule, you also can choose the targets.

So, what's targets mean? Well, that's actually the type of resource it's being affected by this rule. So, you can choose instances. So I created a virtual machine earlier, I can use that. Or I can do a specific tag, so if I make up a tag called HTTP, any instance that has that tag, HTTP, will be affected by this rule I create. And then lastly, there's a service account.

So I can have a specific service account, let's say my compute engine service account, any type of resource that's using that service account is going to be affected by this firewall rule which is very, very helpful and useful when you're setting up rules because it could simplify things a lot easier, especially when you're dealing with complex applications and things of that nature.

You may just want that service account to only be able to do certain things on the network and that target service account rule will allow you to do so. Also, there is other options down here, like I mentioned before, you can have second source filters. So if one doesn't work you can have like a backup one. And that's the first one, it could be a either or.

So if one doesn't have a type, if you have some that doesn't have a service account, the next rule would apply. And then also, you could specify specific ports and well and other protocols. So this gives you a good overview and information on how to set up firewall rules and how to create them and manage them within GCP. So let's jump on to the next section.

About the Author

Mark has many years of experience working with Google Cloud Platform and also holds eight GCP certifications.