cloud engineer
Here’s another way to create a firewall in GCP using network tag as targets.
gcloud compute firewall-rules create "firewall-name" \ --description="egress rule to allow port 8000 to destination" \ --priority "1000" \ --direction EGRESS \ --action allow \ --network "your-network" \ --target-tags="your-network-tag" \ --destination-ranges="10.0.0.1/32" \ --rules tcp:8000 |
gcloud compute firewall-rules create "firewall-name" \ --description="egress rule to allow port 8000 to destination" \ --priority "1000" \ --direction EGRESS \ --action allow \ --network "your-network" \ --target-tags="your-network-tag" \ --destination-ranges="10.0.0.1/32" \ --rules tcp:8000
Here’s how to add a GCP firewall rule with the AH (authentication header) and ESP (Encapsulating Security Payload) protocols.
gcloud compute firewall-rules update "firewall-name" \ --description="firewall description" \ --priority "1000" \ --target-service-accounts="service-account@gserviceaccount.com" \ --destination-ranges="10.0.0.0/8" \ --rules 50,51,tcp:80,udp:1000 |
gcloud compute firewall-rules update "firewall-name" \ --description="firewall description" \ --priority "1000" \ --target-service-accounts="service-account@gserviceaccount.com" \ --destination-ranges="10.0.0.0/8" \ --rules 50,51,tcp:80,udp:1000
There is no need to add protocols for AH and ESP. Just the port numbers.
Here’s how to update an existing GCP firewall.
Ingress
gcloud compute firewall-rules update "firewall-rule-name" \ --description="firewall description" \ --priority="1000" --target-service-accounts="service-account@gserviceaccount.com" \ --source-ranges="10.0.0.0/8" --rules tcp:80,tcp:443,udp:1000-1100 |
gcloud compute firewall-rules update "firewall-rule-name" \ --description="firewall description" \ --priority="1000" --target-service-accounts="service-account@gserviceaccount.com" \ --source-ranges="10.0.0.0/8" --rules tcp:80,tcp:443,udp:1000-1100
Egress
gcloud compute firewall-rules update "firewall-rule-name" \ --description="firewall description" \ --priority="1000" --target-service-accounts="service-account@gserviceaccount.com" \ --destination-ranges="10.0.0.0/8" --rules tcp:80,tcp:443,udp:1000-1100 |
gcloud compute firewall-rules update "firewall-rule-name" \ --description="firewall description" \ --priority="1000" --target-service-accounts="service-account@gserviceaccount.com" \ --destination-ranges="10.0.0.0/8" --rules tcp:80,tcp:443,udp:1000-1100