Routes and firewall rules

1. Routes and firewall rules

So far you've learned about projects, networks, subnetworks, and IP addresses. Let's use what you learned to understand how GCP routes traffic. By default, every network has routes that let instances in a network send traffic directly to each other, even across subnets. In addition, every network has a default route that directs packets to destinations that are outside the network. Although these routes cover most of your normal routing needs, you can also create special routes that overwrite these routes. Just creating a route does not ensure that your packet will be received by the specified next top. Firewall rules must also allow the packet. The default network has pre-configured firewall rules that allow all instances in the network to talk with each other. Manually created networks do not have such rules, so you must create them, as you will experience in the first lab. Routes match packets by destination IP addresses. However, no traffic will flow without also matching a firewall rule. A route is created when a network is created, enabling traffic delivery from "anywhere". Also, a route is created when a subnet is created. This is what enables VMs on the same network to communicate. This slide shows a simplified routing table, but let's look at this in more detail. Each route in the Routes collection may apply to one or more instances. A route applies to an instance if the network and instance tags match. If the network matches and there are no instance tags specified, the route applies to all instances in that network. Compute Engine then uses the Routes collection to create individual read-only routing tables for each instance. This diagram shows a massively scalable virtual router at the core of each network. Every virtual machine instance in the network is directly connected to this router, and all packets leaving a virtual machine instance are first handled at this layer before they are forwarded to their next hop. The virtual network router selects the next hop for a packet by consulting the routing table for that instance. GCP firewall rules protect you virtual machine instances from unapproved connections, both inbound and outbound, known as ingress and egress, respectively. Essentially, every VPC network functions as a distributed firewall. Although firewall rules are applied to the network as a whole, connections are allowed or denied at the instance level. You can think of the firewall as existing not only between your instances and other networks, but between individual instances within the same network. GCP firewall rules are stateful. This means that if a connection is allowed between a source and a target or a target at a destination, all subsequent traffic in either direction will be allowed. In other words, firewall rules allow bidirectional communication once a session is established. Also, if for some reason, all firewall rules in a network are deleted, there is still an implied "Deny all" ingress rule and an implied "Allow all" egress rule for the network. You can express your desired firewall configuration as a set of firewall rules. Conceptually, a firewall rule is composed of the following parameters: The direction of the rule. Inbound connections are matched against ingress rules only, and outbound connections are matched against egress rules only. The source of the connection for ingress packets, or the destination of the connection for egress packets. The protocol and port of the connection, where any rule can be restricted to apply to specific protocols only or specific combinations of protocols and ports only. The action of the rule, which is to allow or deny packets that match the direction, protocol, port, and source or destination of the rule. The priority of the rule, which governs the order in which rules are evaluated. The first matching rule is applied. The rule assignment. By default, all rules are assigned to all instances, but you can assign certain rules to certain instances only. For more information on firewall rule components, please refer to the links section of this video. Let's look at some GCP firewall use cases for both egress and ingress. Egress firewall rules control outgoing connections originated inside your GCP network. Egress allow rules allow outbound connections that match specific protocol, ports, and IP addresses. Egress deny rules prevent instances from initiating connections that match non-permitted port, protocol, and IP range combinations. For egress firewall rules, destinations to which a rule applies may be specified using IP CIDR ranges. Specifically, you can use the destination ranges to protect from undesired connections initiated by a VM instance towards an external host, as shown on the left. You can also use destination ranges to prevent undesired connections from internal VM instances to specific GCP CIDR ranges. This is illustrated in the middle, where a VM in a specific subnet is shown attempting to connect inappropriately to another VM within the same network. Ingress firewall rules protect against incoming connections to the instance from any source. Ingress allow rules allow specific protocol, ports, and IP ranges to connect in. The firewall prevents instances from receiving connections on non-permitted ports and protocols. Rules can be restricted to only affect particular sources. Source CIDR ranges can be used to protect an instance from undesired connections coming either from external networks or from GCP IP ranges. This diagram illustrates a VM receiving a connection from an external address, and another VM receiving a connection from a VM within the same network. You can control ingress connections from a VM instance by constructing inbound connection conditions using source CIDR ranges, protocols, or ports.

2. Let's practice!

Create Your Free Account

By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.