Create Firewall Rules on a Google Cloud VPC Network

30 minutes
  • 4 Learning Objectives

About this Hands-on Lab

In this hands-on lab, we will be presented with a custom VPC that has four instances spread across three subnets with zero firewall rules created. We will configure two different firewall rules: one to allow SSH access to all instances on the network, and another one using specific network tags to only allow ICMP (ping) access to one instance, and only from a specific subnet. This will demonstrate using both wide-scope and narrow-scope firewall rules.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Allow SSH access to all instances.
  • From the top-left menu, scroll down to VPC network, then click on Firewall rules from the sub-menu

We will now create a wide-scope rule to allow SSH access to the entire network from all public sources:

  • Click Create firewall rule.
  • Name the rule allow-ssh.
  • In the Network dropdown menu, select custom-vpc.
  • In the Targets dropdown menu, select All instances in the network.
  • In the Source filter dropdown menu, select IP ranges (should be the default).
  • In Source IP ranges, enter This allows access from any public location.
  • In Protocols and ports, select Specified protocols and ports
  • Place a check in tcp, and enter 22 in the text box to the right of it
  • Click the blue Create button
Apply network tag to `instance-2`.

Apply a network tag to our instance-2 instance which will only allow a later firewall rule to apply to that one instance.

  • From Compute Engine, click on instance-2
  • Click the EDIT button at the top
  • Scroll down, and under Network tags, enter icmp-allow, hit enter to confirm the tag, then click Save at the bottom to confirm the change
Create a narrow-scope firewall rule for `instance-2`.

Create a firewall rule that will only allow ICMP traffic to instance-2, while also only allowing traffic from subnet-a as the source.

  • Go back to your firewall menu, and create a new rule
  • Name the rule allow-icmp
  • Choose the custom-vpc network
  • In the Targets dropdown menu, set to specified target tags if not already the default
  • In the Target tags field, type icmp-allow and hit Enter
  • In the Source filter dropdown, choose IP Range
  • Enter the IP range of our subnet-a subnet
  • In Protocols and ports, choose Specified protocols and ports
  • Place a check in Other protocols, and type in icmp (there is no port number for ICMP.
  • If you wish, again view the command line cross reference (may still be glitched for the network field, then close out and click Create to create the rule.
Test ICMP firewall rule for success
  • Go back to Compute Engine
  • Next to ‘instance-2’, either write down or highlight/copy the internal IP address for instance-2 (should be
  • SSH into ‘instance-1a’
  • Attempt to ping the instance by entering: ping (internal IP). It should be successful. Hit Ctrl+C to quit ping.
  • Exit out of your ‘instance-1a’ SSH session, and now SSH into ‘instance-1b’, and attempt to ping ‘instance-2’ again, which should also be successful.
  • Exit out of your ‘instance-1b’ session, and SSH into ‘instance-3’.
  • Attempt to ping ‘instance-2’ again. This time it should NOT be successful, because we applied our rule to source traffic from subnet-a only.

Additional Resources

To avoid browser caching issues with existing Google accounts, I recommend right-clicking on the button to launch the lab, and select Open link in Incognito Window (or whichever private browsing mode your browser uses).

Upon entering the lab, I highly recommend deleting the default VPC network via the VPC networks menu to clean up our views. Be careful to NOT delete the custom-vpc network that we are using.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?