Configure a hierarchical firewall policy to allow egress traffic from a specific VPC network

Learn how to create and configure a hierarchical firewall policy to allow egress traffic originating from a specific Virtual Private Cloud (VPC) network in your folder to a specific IP address as the destination. The firewall policy blocks all other egress traffic originating from your folder. The page walks through an example of creating two VPC networks, creating virtual machine (VM) instances in the VPC networks, setting up a hierarchical firewall policy with firewall rules, and then testing the firewall policy.

Before you begin

• Make sure that you have access to an organization resource .
• Make sure that you have the following Identity and Access Management (IAM) roles:
  • Organization Administrator role (roles/resourcemanager.organizationAdmin)
  • Folder Admin role (roles/resourcemanager.folderAdmin)
  • Project Creator role (roles/resourcemanager.projectCreator)
  • Project Deleter role (roles/resourcemanager.projectDeleter)
  • Compute Network Admin role ( roles/compute.networkAdmin )
  • Compute Organization Firewall Policy Admin role ( roles/compute.orgFirewallPolicyAdmin )

• Enable the Compute Engine and Identity-Aware Proxy (IAP) APIs.

  Roles required to enable APIs

  To enable APIs, you need the Service Usage Admin IAM role ( roles/serviceusage.serviceUsageAdmin ), which contains the serviceusage.services.enable permission. Learn how to grant roles .

  Enable the APIs

Create a folder

Create a folder in your organization.

1. In the Google Cloud console, go to the Manage resourcespage.

   Go to Manage resources

2. Click Create folder.

3. For Folder name, enter test-folder .

4. In the Organizationlist, select the name of your organization resource.

5. In the Locationfield, click Browse, and then select your organization resource.

6. Click Create.

Create a project

Create a project in the folder that you created in the preceding section.

1. In the Google Cloud console, go to the Manage resourcespage.

   Go to Manage resources

2. Click Create project.

3. For Project name, enter test-project .

4. Select a billing account for the project.

5. In the Organizationlist, select the name of your organization resource.

6. In the Locationfield, click Browse, expand your organization resource name, and then select test-folder.

7. Click Create.

Create two custom VPC networks with IPv4 subnets

Create two custom mode VPC networks, myvpc with an IPv4-only subnet and test-vpc with two IPv4-only subnets, in the project that you created in the preceding section.

1. In the Google Cloud console, on the project selector page, select test-project.

   Go to project selector

2. In the Google Cloud console, go to the VPC networkspage.

   Go to VPC networks

3. Click Create VPC network.

4. For Name, enter myvpc .

5. For Subnet creation mode, select Custom.

6. In the New subnetsection, specify the following configuration parameters for a subnet:

   • Name: Enter myvpc-subnet-1 .
   • Region: Select us-central1.
   • IPv4 range: Enter 10.0.0.0/24 .

7. Click Done, and then click Create.

8. To create another VPC network, click Create VPC network.

9. For Name, enter test-vpc .

10. For Subnet creation mode, select Custom.

11. In the New subnetsection, specify the following configuration parameters for the subnet, and then click Done:

    • Name: Enter testvpc-subnet-1 .
    • Region: Select us-central1.
    • IPv4 range: Enter 10.0.0.0/16 .

12. To add another subnet to the test-vpc network, click Add subnet.

13. In the New subnetsection, specify the following configuration parameters for the subnet, and then click Done:

    • Name: Enter testvpc-subnet-ext .
    • Region: Select us-central1.
    • IPv4 range: Enter 192.168.1.0/24 .

14. Click Create.

Create VMs

Create three VMs in the subnets that you configured in the preceding section.

Create a VM in the myvpc network

Create a VM without an external IP address in the myvpc network.

1. In the Google Cloud console, go to the Create an instancepage.

   Go to Create an instance

2. In the Machine configurationpane, do the following:

   1. For Name, enter myvpc-vm .
   2. For Region, select us-central1 (Iowa) .

3. In the navigation menu, click Networking.

   1. In the Network interfacessection, click default and specify the following configuration parameters:
      • Network: myvpc
      • Subnetwork: subnet-1 IPv4 (10.0.0.0/24)
      • External IPv4 address: None
   2. Click Done.

4. Click Create.

Create two VMs in the test-vpc network

Create two VMs, one without an external IP address and another with an external IP address. When you create the VM with an external IP address, pass a startup script to install and start an Apache web server in that VM.

Create a VM without an external IP address:

1. In the Google Cloud console, go to the Create an instancepage.

   Go to Create an instance

2. In the Machine configurationpane, do the following:

   1. For Name, enter testvpc-vm .
   2. For Region, select us-central1 (Iowa) .

3. In the navigation menu, click Networking.

   1. In the Network interfacessection, click default and specify the following configuration parameters:
      • Network: test-vpc
      • Subnetwork: testvpc-subnet-1 IPv4 (10.0.0.0/16)
      • External IPv4 address: None
   2. Click Done.

4. Click Create.

Create a VM with an ephemeral external IP address, and pass a startup script to install and start an Apache web server:

1. In the Google Cloud console, go to the Create an instancepage.

   Go to Create an instance

2. In the Machine configurationpane, do the following:

   1. For Name, enter testvpc-apache-vm .
   2. For Region, select us-central1 (Iowa) .

3. In the navigation menu, click Networking.

   1. In the Network interfacessection, click default and specify the following configuration parameters:
      • Network: test-vpc
      • Subnetwork: testvpc-subnet-ext IPv4 (192.168.1.0/24)
      • External IPv4 address: Ephemeral
   2. Click Done.

4. In the navigation menu, click Advancedand enter the following script in the Startup scriptfield:

     #! /bin/bash 
   apt-get  
   update
   apt-get  
   install  
   apache2  
   -y
   a2ensite  
   default-ssl
   a2enmod  
   ssl # Read VM network configuration: 
    md_vm 
    = 
    "http://169.254.169.254/computeMetadata/v1/instance/" 
    vm_hostname 
    = 
    " 
    $( 
   curl  
    $md_vm 
   /name  
   -H  
    "Metadata-Flavor:Google" 
     
    ) 
    " 
    filter 
    = 
    "{print \$NF}" 
    vm_network 
    = 
    " 
    $( 
   curl  
    $md_vm 
   /network-interfaces/0/network  
    \ 
   -H  
    "Metadata-Flavor:Google" 
     
    | 
     
   awk  
   -F/  
    " 
    ${ 
    filter 
    } 
    " 
    ) 
    " 
    vm_zone 
    = 
    " 
    $( 
   curl  
    $md_vm 
   /zone  
    \ 
   -H  
    "Metadata-Flavor:Google" 
     
    | 
     
   awk  
   -F/  
    " 
    ${ 
    filter 
    } 
    " 
    ) 
    " 
    # Apache configuration: 
    echo 
     
    "Page on 
    $vm_hostname 
    in network 
    $vm_network 
    zone 
    $vm_zone 
    " 
     
    | 
     
    \ 
   tee  
   /var/www/html/index.html
   systemctl  
   restart  
   apache2 
   

   The preceding script deploys and starts an Apache web server in this VM.

5. Click Create.

6. Note the ephemeral external IP address assigned to this VM from the VM instancespage. You need this external IP address later.

Create a Cloud Router and a Cloud NAT gateway

In the previous section, in the myvpc network, you created the myvpc-vm VM without any external IP address. To enable the myvpc-vm VM to access the Apache web server running in testvpc-apache-vm over the public internet, create a Cloud Router and a Cloud NAT gateway on the same subnet where you created your myvpc-vm VM.

1. In the Google Cloud console, go to the Cloud NATpage.

   Go to Cloud NAT

2. Click Get startedor Create Cloud NAT gateway.

   Note:If this is the first Cloud NAT gateway that you're creating, click Get started. If you already have existing gateways, Google Cloud displays the Create Cloud NATgateway button. To create another gateway, click Create Cloud NATgateway.

3. For Gateway name, enter myvpc-gateway .

4. For NAT type, select Public.

5. In the Select Cloud Routersection, specify the following configuration parameters:

   • Network: Select myvpc.
   • Region: Select us-central1 (Iowa).
   • Cloud Router: Click Create new router.
     1. For Name, enter myvpc-router .
     2. Click Create.

6. Click Create.

Create a hierarchical firewall policy and add firewall rules

Create a hierarchical firewall policy and add the following firewall policy rules to it:

• Enable IAP for all the VMs in test-folder to enable administrative access to the VMs.
• Allow ingress traffic to all VMs in the test-vpc network.
• Delegate the egress traffic from the myvpc network to the next rule in the hierarchy, which is the VPC firewall implied IPv4 rule egress all rule .
• Deny egress traffic originating from all other VPC networks in test-folder .

To create a hierarchical firewall policy, follow these steps:

1. In the Google Cloud console, go to the project selector page and select test-folder.

   Go to project selector

2. In the Google Cloud console, go to the Firewall policiespage.

   Go to Firewall policies

3. Click Create firewall policy.

4. In the Configure policysection, for Policy name, enter fw-egress-specific-vpc .

5. For Description, enter example-firewall-policy .

6. Click Continue.

7. In the Add rulessection, click Continue. You will add the firewall rules in the subsequent sections of this quickstart.

8. In the Associate policy with resourcessection, click Add.

9. Expand your organization, select test-folder, and then click Add.

10. Click Create.

Add a firewall rule to enable IAP in all the VMs in the test-folder

To enable IAP to connect to all the VMs in the test-folder , you need a firewall rule in the hierarchical firewall policy with the following characteristics:

• Applies to all VMs in the test-folder that you want to be accessible by using IAP TCP forwarding.
• Allows ingress traffic from the IP address range 35.235.240.0/20 . This range contains all the IP addresses that IAP uses for TCP forwarding.
• Allows connections to all ports that you want to be accessible by using IAP TCP forwarding, for example, port 22 for SSH.

To add the firewall rule, follow these steps:

1. In the Google Cloud console, go to the Firewall policiespage.

   Go to Firewall policies

2. Click fw-egress-specific-vpc, and then click Add rule.

3. For Priority, enter 100 .

4. For Description, enter enable-iap .

5. For Direction of traffic, select Ingress.

6. For Action on match, select Allow.

7. In the Sourcesection, for IP ranges, enter 35.235.240.0/20 .

8. In the Protocols and portssection, select Specified protocols and ports.

9. Select the TCPcheckbox, and for Ports, enter 22 .

10. Click Create.

Add a firewall rule to allow ingress traffic in the test-vpc network

Add a firewall rule to allow incoming HTTP web traffic on TCP port 80 to all VMs in the test-vpc network:

1. In the Google Cloud console, go to the Firewall policiespage.

   Go to Firewall policies

2. Click fw-egress-specific-vpcand then click Add rule.

3. For Priority, enter 200 .

4. For Description, enter allow-ingress-testvpc .

5. For Direction of traffic, select Ingress.

6. For Action on match, select Allow.

7. In the Targetsection, click Add network.

8. Select the test project that contains the test-vpc network, and then select test-vpcas the network.

9. In the Sourcesection, for IP ranges, enter 0.0.0.0/0 .

10. In the Protocols and portssection, select Specified protocols and ports.

11. Select the TCPcheckbox, and for Ports, enter 80 .

12. Click Create.

Add a firewall rule to delegate the egress traffic from the myvpc network to the next rule in the hierarchy

Add a firewall rule that uses the goto_next action to delegate the egress traffic from the myvpc network to the next rule in the firewall, which is the implied IPv4 allow egress VPC firewall rule.

1. In the Google Cloud console, go to the Firewall policiespage.

   Go to Firewall policies

2. Click fw-egress-specific-vpcand then click Add rule.

3. For Priority, enter 300 .

4. For Description, enter delegate-egress-myvpc .

5. For Direction of traffic, select Egress.

6. For Action on match, select Go to next.

7. In the Targetsection, click Add network.

8. Select the test project name that contains myvpc , and then select myvpc as the network.

9. In the Destinationsection, for IP ranges, enter the ephemeral external IP address for the VM running the Apache web server. You have noted this IP address in the Create two VMs in the test-vpc network section.

10. Click Create.

Add a firewall rule to deny egress traffic originating from all other VPC networks

Finally, add a firewall rule that denies traffic egressing from all other VPC networks in test-folder .

1. In the Google Cloud console, go to the Firewall policiespage.

   Go to Firewall policies

2. Click fw-egress-specific-vpc, and then click Add rule.

3. For Priority, enter 400 .

4. For Description, enter block-egress-all-traffic .

5. For Direction of traffic, select Egress.

6. For Action on match, select Deny.

7. In the Destinationsection, for IP ranges, enter 0.0.0.0/0 .

8. Click Create.

Test the hierarchical firewall policy

After you have configured the hierarchical firewall policy, follow these steps to test the policy:

1. Go to the Google Cloud console.

   Go to Google Cloud console

2. From the project picker at the top of the page, select test-project where you have created the VPC networks .

3. In the Google Cloud console, go to the VM instancespage.

   Go to VM instances

4. In the Connectcolumn for myvpc-vm , click SSH.

5. In the SSH-in-browserdialog, click Authorizeand wait for the connection to establish.

6. To verify that the egress traffic to testvpc-apache-vm from myvpc is allowed, run the following command:

   curl < external_ephemeral_IP_testvpc_apache_vm 
   > -m 2

   The preceding command returns the content that you have specified for the index.html page of the Apache web server, which means that egress connections from myvpc are allowed.

7. To verify that the egress traffic is blocked from any other VPC network in the organization, do the following:

   1. In the Google Cloud console, go to the VM instancespage.

      Go to VM instances

   2. In the Connectcolumn for testvpc-vm , click SSH.

   3. In the SSH-in-browserdialog, click Authorize, and wait for the connection to establish.

   4. To verify that the egress traffic from testvpc-vm to testvpc-apache-vm is blocked, run the following command:

      curl < internal_IP_testvpc_apache_vm 
      > -m 2

      The preceding command returns a Connection timed out message, which is expected because you created a firewall rule to deny egress traffic from all VPC networks in the organization except from myvpc .

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this quickstart, delete the individual resources, and then delete the project and the folder.

To delete the resources created in this quickstart, complete the following tasks.

Delete the hierarchical firewall policy

1. Go to the Google Cloud console.

   Go to Google Cloud console

2. From the project picker at the top of the page, select test-folder where you created your resources for this quickstart.

3. In the Google Cloud console, go to the Firewall policiespage.

   Go to Firewall policies

4. In the Firewall policies associated with this node or inherited by the nodesection, click fw-egress-specific-vpc.

5. Click the Associationstab.

6. Select the checkbox for test-folder, and click Remove association.

7. In the Remove association with test-folder dialog, click Delete.

8. Click Delete.

9. In the Delete fw-egress-specific-vpc dialog, click Delete

Delete the VMs

1. Go to the Google Cloud console.

   Go to Google Cloud console

2. From the project picker at the top of the page, select test-project.

3. In the Google Cloud console, go to the VM instancespage.

   Go to VM instances

4. Select the checkboxes for myvpc-vm, testvpc-vm, and testvpc-apache-vm.

5. Click Delete.

6. In the Delete instance 3 instancesdialog, click Delete.

Delete the Cloud Router and the Cloud NAT gateway

1. In the Google Cloud console, go to the Cloud routerspage.

   Go to Cloud routers

2. Select the checkbox for myvpc-router.

3. Click Delete.

4. In the Delete myvpc-router dialog, click Delete.

When you delete a Cloud Router, the associated Cloud NAT gateway is also deleted.

Delete the VPC network and its subnets

1. In the Google Cloud console, go to the VPC networkspage.

   Go to VPC networks

2. In the Namecolumn, click myvpc.

3. Click Delete VPC network.

4. In the Delete a networkdialog, click Delete.

   Similarly, delete the test-vpc network.

When you delete a VPC network, its subnets are also deleted.

Delete the project

1. In the Google Cloud console, go to the Manage resources page.

   Go to Manage resources

2. If the project that you plan to delete is attached to an organization, expand the Organization list in the Name column.
3. In the project list, select the project that you want to delete, and then click Delete .
4. In the dialog, type the project ID, and then click Shut down to delete the project.

Delete the folder

1. In the Google Cloud console, go to the Manage resourcespage.

   Go to Manage resources

2. If the folder that you plan to delete is attached to an organization, expand the Organizationlist in the Namecolumn.

3. In the folder list, select test-folder, and then click Delete.

4. In the dialog, type the folder ID, and then click Delete anywayto delete the project.

What's next

• For firewall policies concepts, see the Firewall policies overview .
• For firewall policy rules concepts, see the Firewall policy rules overview .
• To create, update, monitor, and delete VPC firewall rules, see Use VPC firewall rules .
• To determine costs, see Cloud NGFW pricing .