Firewall rules in Google Cloud Platform

From Luis Gallego Hurtado - Not Another IT guy
Jump to: navigation, search

Each Google VPC network implements a distributed virtual firewall.

Firewall rules enable you to target certain types of traffic, based on the traffic's protocol, ports, sources, and destinations.

Firewall rules apply to both outgoing (egress) and incoming (ingress) traffic in the network.

Firewall rules control traffic even if it is entirely within the VPC network, including communication among VM instances.


  • When you create a GCP firewall rule, you specify a VPC network and a set of components that define what the rule will do.
  • Each firewall rule applies to incoming (ingress) or outgoing (egress) traffic, not both.
  • While firewall rules are defined at the network level, connections are allowed or denied on a per-instance basis.
  • GCP firewall rules exist not only between your instances and other networks, but between individual instances within the same network.
  • The rule applies to traffic as long as it is enforced.
  • GCP firewall rules are stateful - firewall rules allow bidirectional communication once a session is established.
  • The maximum number of tracked connections in the firewall rule table depends on the number of stateful connections – 130k/vCPU.

Default rules

Every VPC network has two implied firewall rules which permit outgoing connections and block incoming connections. For one instance to be able to communicate with another, appropriate firewall rules must also be configured because of the implied deny firewall rule for ingress traffic.

For an instance to have outgoing Internet access, Firewall rules must allow egress traffic from the instance and it must have an external IP address.

  • Always blocked traffic: GRE traffic (Generic Routing Encapsulation), Protocols other than TCP, UDP, ICMP, and IPIP (IP in IP tunnelling protocol), Egress traffic on TCP port 25 (SMTP)
  • Always allowed traffic: DHCP, DNS resolution, instance metadata, NTP.

Rule Components

  • Priority: integer from 0 to 65535, inclusive; default 1000
  • Action: either allow or deny
  • Enforcement: either enabled (default) or disabled
  • Target: the target parameter specifies the source/destination. You can select either all instances in the VPC network, speficific service accounts or specific tag
  • Source/destination: any network or a specific range of IPv4 addresses; default is any (
  • Protocols and Ports: the protocol (such as TCP, UDP, or ICMP) and port

Firewall Rules Logging

Firewall Rules Logging allows you to audit, verify, and analyze the effects of your firewall rules.

You can only enable firewall rule logging for rules in a VPC network and for TCP and UDP connections.

You cannot enable firewall rule logging for the implied deny ingress and implied allow egress rules or for automatically-created default rules in the default network.

Connection logging limits are expressed as a maximum number of connections that can be logged in a five second interval – 500/vCPU