Manual provisioning of firewall rules for a Google Distributed Cloud (GDC) air-gapped appliance instance is required due to the static allocation of the management network along with the minimal network traffic footprint.
You must manually apply host-based firewall policies for the network traffic
flows in the management network of GDC air-gapped appliance. To apply port
and IP filtering rules on network interfaces of the bare metal machines, use the
Uncomplicated Firewall (ufw
) command library.
Apply firewall rules
The management network for GDC air-gapped appliance is eno1
. The static IP
addresses of the GDC air-gapped appliance machines are as follows:
Machine name | IP address |
---|---|
xx-aa-bm01 | 198.18.255.228 (root admin/org admin) |
xx-aa-bm02 | 198.18.255.229 |
xx-aa-bm03 | 198.18.255.230 |
To apply the firewall rules to the management network, follow these steps:
Establish a Secure Shell (SSH) connection from the bootstrapper machine or laptop to the bm01 machine using the default SSH key provided by Google.
ssh 198.18.255.228
Configure the default routes on the management interface of bm01:
sudo ufw default allow outgoing sudo ufw default allow incoming
Configure the policies on the bm01 root admin nodes. These policies allowlist traffic on the management network between the various devices in GDC air-gapped appliance. The policies also allowlist SSH access from all bare metal machines along with the bootstrapper machine or laptop:
sudo ufw allow in on eno1 from 198.18.255.229 to 198.18.255.228 port 6385 proto tcp sudo ufw allow in on eno1 from 198.18.255.230 to 198.18.255.228 port 6385 proto tcp sudo ufw allow in on eno1 from 198.18.255.229 to 198.18.255.228 port 6180 proto tcp sudo ufw allow in on eno1 from 198.18.255.230 to 198.18.255.228 port 6180 proto tcp sudo ufw allow in on eno1 from 198.18.255.229 to 198.18.255.228 port 5050 proto tcp sudo ufw allow in on eno1 from 198.18.255.230 to 198.18.255.228 port 5050 proto tcp sudo ufw allow in on eno1 from 198.18.255.229 to 198.18.255.228 port 67 proto udp sudo ufw allow in on eno1 from 198.18.255.230 to 198.18.255.228 port 67 proto udp sudo ufw allow in on eno1 from 198.18.255.229 to 198.18.255.228 port 69 proto udp sudo ufw allow in on eno1 from 198.18.255.230 to 198.18.255.228 port 69 proto udp sudo ufw allow in on eno1 from 198.18.255.225 to 198.18.255.228 port 69 proto udp sudo ufw allow in on eno1 from 198.18.255.229 to 198.18.255.228 port 22 proto tcp sudo ufw allow in on eno1 from 198.18.255.230 to 198.18.255.228 port 22 proto tcp sudo ufw allow in on eno1 from 198.18.255.254 to 198.18.255.228 port 22 proto tcp sudo ufw allow in on eno1 from 198.18.255.229 to 198.18.255.228 port 123 proto udp sudo ufw allow in on eno1 from 198.18.255.230 to 198.18.255.228 port 123 proto udp sudo ufw deny in on eno1
Enable the
ufw
policies on bm01:sudo ufw enable
Disconnect your SSH Session from bm01.
Establish a Secure Shell (SSH) connection from the bootstrapper machine or laptop to the bm02 machine using the default SSH key provided by Google.
ssh 198.18.255.229
Configure the default routes on the management interface of bm02:
sudo ufw default allow outgoing sudo ufw default allow incoming
Configure the policies on the bm02 org node:
sudo ufw allow in on eno1 from 198.18.255.228 to 198.18.255.229 port 443 proto tcp sudo ufw allow in on eno1 from 198.18.255.228 to 198.18.255.229 port 67 proto udp sudo ufw allow in on eno1 from 198.18.255.228 to 198.18.255.229 port 68 proto udp sudo ufw allow in on eno1 from 198.18.255.228 to 198.18.255.229 port 22 proto tcp sudo ufw allow in on eno1 from 198.18.255.254 to 198.18.255.229 port 22 proto tcp sudo ufw deny in on eno1
Enable the
ufw
policies on bm02:sudo ufw enable
Disconnect your SSH Session from bm02.
Establish a Secure Shell (SSH) connection from the bootstrapper machine or laptop to the bm03 machine using the default SSH key provided by Google.
ssh 198.18.255.230
Configure the default routes on the management interface of bm03:
sudo ufw default allow outgoing sudo ufw default allow incoming
Configure the policies on the bm03 org node:
sudo ufw allow in on eno1 from 198.18.255.228 to 198.18.255.230 port 443 proto tcp sudo ufw allow in on eno1 from 198.18.255.228 to 198.18.255.230 port 67 proto udp sudo ufw allow in on eno1 from 198.18.255.228 to 198.18.255.230 port 68 proto udp sudo ufw allow in on eno1 from 198.18.255.228 to 198.18.255.230 port 22 proto tcp sudo ufw allow in on eno1 from 198.18.255.254 to 198.18.255.230 port 22 proto tcp sudo ufw deny in on eno1
Enable the
ufw
policies:sudo ufw enable