cloud engineer
Here’s how to list a GCP firewall rule by name.
gcloud compute firewall-rules list \ --filter="name=('wowza-rtmp')" \ --format=json |
gcloud compute firewall-rules list \ --filter="name=('wowza-rtmp')" \ --format=json
You can use different formats. Supported formats are:
config
csv
default
diff
disable
flattened
get
json
list
multi
none
object
table
text
value
yaml
Services that user Security Groups
EC2-Classic instance
Amazon EC2 instances
ElasticCache
AWS Elastic Beanstalk
Amazon Elastic MapReduce
Amazon RDS (Relational Database Service)
Amazon Redshift
Amazon ElastiCache
Amazon CloudSearch
Elastic Load Balancing
Lambda
Fargate
EFS
Here’s how to list GCP firewall rules while filtering a service account. Output is exported as a CSV file.
gcloud compute firewall-rules list \ --project host-project \ --filter=service-account-name \ --format="csv(name,network,direction,priority,sourceRanges.list():label=SRC_RANGES,destinationRanges.list():label=DEST_RANGES,allowed[].map().firewall_rule().list():label=ALLOW,denied[].map().firewall_rule().list():label=DENY,sourceTags.list():label=SRC_TAGS,sourceServiceAccounts.list():label=SRC_SVC_ACCT,targetTags.list():label=TARGET_TAGS,targetServiceAccounts.list():label=TARGET_SVC_ACCT,disabled)" \ > export.csv |
gcloud compute firewall-rules list \ --project host-project \ --filter=service-account-name \ --format="csv(name,network,direction,priority,sourceRanges.list():label=SRC_RANGES,destinationRanges.list():label=DEST_RANGES,allowed[].map().firewall_rule().list():label=ALLOW,denied[].map().firewall_rule().list():label=DENY,sourceTags.list():label=SRC_TAGS,sourceServiceAccounts.list():label=SRC_SVC_ACCT,targetTags.list():label=TARGET_TAGS,targetServiceAccounts.list():label=TARGET_SVC_ACCT,disabled)" \ > export.csv
How to create GCP firewall via Terraform.
Ingress
provider "google" { project = "project-id" } resource "google_compute_firewall" "default" { name = "test-firewall" description = "this is a test firewall" priority = "1000" direction = "INGRESS" network = "projects/project-id/regions/us-east1/subnetworks/default" target_service_accounts = ["service-account-compute@developer.gserviceaccount.com"] source_ranges = ["10.128.0.0/20"] allow { protocol = "tcp" ports = ["80", "8080", "1000-2000"] } } |
provider "google" { project = "project-id" } resource "google_compute_firewall" "default" { name = "test-firewall" description = "this is a test firewall" priority = "1000" direction = "INGRESS" network = "projects/project-id/regions/us-east1/subnetworks/default" target_service_accounts = ["service-account-compute@developer.gserviceaccount.com"] source_ranges = ["10.128.0.0/20"] allow { protocol = "tcp" ports = ["80", "8080", "1000-2000"] } }
Egress
provider "google" { project = "project-id" } resource "google_compute_firewall" "default" { name = "test-firewall" description = "this is a test firewall" priority = "1000" direction = "EGRESS" network = "projects/project-id/regions/us-east1/subnetworks/default" target_service_accounts = ["service-account-compute@developer.gserviceaccount.com"] destination_ranges = ["10.128.0.0/20"] allow { protocol = "tcp" ports = ["80", "8080", "1000-2000"] } } |
provider "google" { project = "project-id" } resource "google_compute_firewall" "default" { name = "test-firewall" description = "this is a test firewall" priority = "1000" direction = "EGRESS" network = "projects/project-id/regions/us-east1/subnetworks/default" target_service_accounts = ["service-account-compute@developer.gserviceaccount.com"] destination_ranges = ["10.128.0.0/20"] allow { protocol = "tcp" ports = ["80", "8080", "1000-2000"] } }
Service account to Service account.
provider "google" { project = "project-id" } resource "google_compute_firewall" "default" { name = "test-firewall" description = "this is a test firewall" priority = "1000" direction = "INGRESS" network = "projects/project-id/regions/us-east1/subnetworks/default" source_service_accounts = ["source-service-account-compute@developer.gserviceaccount.com"] target_service_accounts = ["target-service-account-compute@developer.gserviceaccount.com"] source_ranges = ["10.128.0.0/20"] allow { protocol = "tcp" ports = ["80", "8080", "1000-2000"] } } |
provider "google" { project = "project-id" } resource "google_compute_firewall" "default" { name = "test-firewall" description = "this is a test firewall" priority = "1000" direction = "INGRESS" network = "projects/project-id/regions/us-east1/subnetworks/default" source_service_accounts = ["source-service-account-compute@developer.gserviceaccount.com"] target_service_accounts = ["target-service-account-compute@developer.gserviceaccount.com"] source_ranges = ["10.128.0.0/20"] allow { protocol = "tcp" ports = ["80", "8080", "1000-2000"] } }
Here’s how to create a firewall from service account to service account.
gcloud compute firewall-rules create "firewall-name" \ --description="firewall-description" \ --priority "1000" \ --direction INGRESS \ --action allow \ --network "network-name" \ --source-service-accounts="service@account.net" \ --target-service-accounts="service@account.net" \ --rules tcp:9001 |
gcloud compute firewall-rules create "firewall-name" \ --description="firewall-description" \ --priority "1000" \ --direction INGRESS \ --action allow \ --network "network-name" \ --source-service-accounts="service@account.net" \ --target-service-accounts="service@account.net" \ --rules tcp:9001
Instead of source-range, it’s using source-service-accounts.