In this hands-on lab, we will be presented with a custom VPC that has four instances spread across three subnets with zero firewall rules created. We will configure two different firewall rules: one to allow SSH access to all instances on the network, and another one using specific network tags to only allow ICMP (ping) access to one instance, and only from a specific subnet. This will demonstrate using both wide-scope and narrow-scope firewall rules.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Allow SSH access to all instances.
- From the top-left menu, scroll down to VPC network, then click on Firewall rules from the sub-menu
We will now create a wide-scope rule to allow SSH access to the entire network from all public sources:
- Click Create firewall rule.
- Name the rule
allow-ssh
. - In the Network dropdown menu, select custom-vpc.
- In the Targets dropdown menu, select All instances in the network.
- In the Source filter dropdown menu, select IP ranges (should be the default).
- In Source IP ranges, enter
0.0.0.0/0
. This allows access from any public location. - In Protocols and ports, select Specified protocols and ports
- Place a check in tcp, and enter
22
in the text box to the right of it - Click the blue Create button
- Apply network tag to `instance-2`.
Apply a network tag to our
instance-2
instance which will only allow a later firewall rule to apply to that one instance.- From Compute Engine, click on instance-2
- Click the EDIT button at the top
- Scroll down, and under Network tags, enter
icmp-allow
, hit enter to confirm the tag, then click Save at the bottom to confirm the change
- Create a narrow-scope firewall rule for `instance-2`.
Create a firewall rule that will only allow ICMP traffic to
instance-2
, while also only allowing traffic fromsubnet-a
as the source.- Go back to your firewall menu, and create a new rule
- Name the rule
allow-icmp
- Choose the custom-vpc network
- In the Targets dropdown menu, set to specified target tags if not already the default
- In the Target tags field, type
icmp-allow
and hit Enter - In the Source filter dropdown, choose IP Range
- Enter the IP range of our subnet-a subnet
- In Protocols and ports, choose Specified protocols and ports
- Place a check in Other protocols, and type in
icmp
(there is no port number for ICMP. - If you wish, again view the command line cross reference (may still be glitched for the network field, then close out and click Create to create the rule.
- Test ICMP firewall rule for success
- Go back to Compute Engine
- Next to ‘instance-2’, either write down or highlight/copy the internal IP address for instance-2 (should be 10.0.2.2).
- SSH into ‘instance-1a’
- Attempt to ping the instance by entering:
ping (internal IP)
. It should be successful. Hit Ctrl+C to quit ping. - Exit out of your ‘instance-1a’ SSH session, and now SSH into ‘instance-1b’, and attempt to ping ‘instance-2’ again, which should also be successful.
- Exit out of your ‘instance-1b’ session, and SSH into ‘instance-3’.
- Attempt to ping ‘instance-2’ again. This time it should NOT be successful, because we applied our rule to source traffic from subnet-a only.