Uly.me

cloud engineer

firewall

AWS Copy Security Group

You can copy rules from a security group to a new security group created within the same Region.

Open the Amazon Elastic Compute Cloud (Amazon EC2) console.

  1. In the navigation pane, choose Security Groups.
  2. Select the security group you’d like to copy.
  3. For Actions, choose Copy to new.
  4. The Create Security Group dialog opens, and is populated with the rules from your existing security group.
  5. Specify a Security group name and Description for your new security group.
  6. For VPC, choose the ID of the VPC.
  7. Choose Create.

GCP list firewall rule by name

Here’s how to list a GCP firewall rule by name.

gcloud compute firewall-rules list \
--filter="name=('wowza-rtmp')" \
--format=json

You can use different formats. Supported formats are:

config, csv, default, diff, disable, flattened, get, json, list, multi, none, object, table, text, value, yaml

AWS Services that use Security Groups

Services that user Security Groups

EC2-Classic instance
Amazon EC2 instances
ElasticCache
AWS Elastic Beanstalk
Amazon Elastic MapReduce
Amazon RDS (Relational Database Service)
Amazon Redshift
Amazon ElastiCache
Amazon CloudSearch
Elastic Load Balancing
Lambda
Fargate
EFS

Terraform GCP Firewall

How to create GCP firewall via Terraform.

Ingress

provider "google" {
    project = "project-id"
}
resource "google_compute_firewall" "default" {
    name    = "test-firewall"
    description = "this is a test firewall"
    priority = "1000"
    direction = "INGRESS"
    network = "projects/project-id/regions/us-east1/subnetworks/default"
    target_service_accounts = ["service-account-compute@developer.gserviceaccount.com"]
    source_ranges = ["10.128.0.0/20"]
    allow {
        protocol = "tcp"
        ports    = ["80", "8080", "1000-2000"]
    }
}

Egress

provider "google" {
    project = "project-id"
}
resource "google_compute_firewall" "default" {
    name    = "test-firewall"
    description = "this is a test firewall"
    priority = "1000"
    direction = "EGRESS"
    network = "projects/project-id/regions/us-east1/subnetworks/default"
    target_service_accounts = ["service-account-compute@developer.gserviceaccount.com"]
    destination_ranges = ["10.128.0.0/20"]
    allow {
        protocol = "tcp"
        ports    = ["80", "8080", "1000-2000"]
    }
}

Service account to Service account.

provider "google" {
    project = "project-id"
}
resource "google_compute_firewall" "default" {
    name    = "test-firewall"
    description = "this is a test firewall"
    priority = "1000"
    direction = "INGRESS"
    network = "projects/project-id/regions/us-east1/subnetworks/default"
    source_service_accounts = ["source-service-account-compute@developer.gserviceaccount.com"]
    target_service_accounts = ["target-service-account-compute@developer.gserviceaccount.com"]
    source_ranges = ["10.128.0.0/20"]
    allow {
        protocol = "tcp"
        ports    = ["80", "8080", "1000-2000"]
    }
}

AWS EC2 List Firewall Rules

AWS EC2 Firewall rules are defined within security groups. Security groups are attached to an instance. An instance can have up to 5 security groups. Essentially, this script gathers all the security groups associated with an instance, loops through them, and then outputs the ingress and egress rules of each security group to a file in a text format.

#!/bin/bash
# set variables
instanceid='i-xxxxxxxxxxxxxxxx'
region='us-east-1'
profile='sample'
# log and temp files
output="ec2-sg.log"
tmpfil="ec2-sg.tmp"
# empty log at start
> $output
# get sg ids
aws ec2 describe-instances \
--instance-ids $instanceid \
--region $region \
--profile $profile \
--query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' --output text > $tmpfil
while read -r id; do
  echo '============================================' >> $output
  echo $id >> $output
  echo '============================================' >> $output
  echo '---------------- INGRESS -------------------' >> $output
  aws ec2 describe-security-groups \
  --group-ids $id \
  --profile $profile \
  --region $region \
  --output text \
  --query 'SecurityGroups[].IpPermissions[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output
  echo '---------------- EGRESS --------------------' >> $output
  aws ec2 describe-security-groups \
  --group-ids $id \
  --profile $profile \
  --region $region \
  --output text \
  --query 'SecurityGroups[].IpPermissionsEgress[].[FromPort,ToPort,IpProtocol,IpRanges[].CidrIp[]|[0]]' >> $output
done < $tmpfil

Here’s a sample output.

============================================
sg-xxxxxxxxxxxxxxx
============================================
---------------- INGRESS -------------------
5985    5985    tcp     10.0.0.220/32
10005   10005   tcp     10.0.0.164/32
---------------- EGRESS --------------------
80      80      tcp     10.0.0.14/32
40000   65535   udp     10.0.0.0/8
3389    3389    tcp     10.0.0.96/32
9389    9389    tcp     10.0.0.0/8
5985    5986    tcp     10.0.0.96/32

GCP Create Firewall with Tags

Here’s another way to create a firewall in GCP using network tag as targets.

gcloud compute firewall-rules create "firewall-name" \
    --description="egress rule to allow port 8000 to destination" \
    --priority "1000" \
    --direction EGRESS \
    --action allow \
    --network "your-network" \
    --target-tags="your-network-tag" \
    --destination-ranges="10.0.0.1/32" \
    --rules tcp:8000