Configuring firewall rules

This page provides guidance for configuring Google Cloud firewall rules and your peer network firewall rules.

When you configure Cloud VPN tunnels to connect to your peer network, you should review and modify firewall rules in your Google Cloud and peer networks to make sure that they meet your needs. If your peer network is another Virtual Private Cloud (VPC) network, then configure Google Cloud firewall rules for both sides of the network connection.

Google Cloud firewall rules

Google Cloud firewall rules apply to packets sent to and from virtual machine (VM) instances within your VPC network and through Cloud VPN tunnels.

The implied allow egress rule allows VM instances and other resources in your Google Cloud network to make outgoing requests and receive established responses, but the implied deny ingress rule blocks all incoming traffic to your Google Cloud resources.

At a minimum, you need to create firewall rules to allow ingress traffic from your peer network to Google Cloud. You may also need to create egress rules if you have created other egress rules that deny certain types of traffic.

Traffic containing the protocols UDP 500, UDP 4500, and ESP (IPSec, IP protocol 50) is always allowed to and from one or more external IP addresses on a Cloud VPN gateway. However, Google Cloud firewall rules do not apply to the post-encapsulated IPSec packets that are sent from a Cloud VPN gateway to a peer VPN gateway.

For more information about Google Cloud firewall rules, see the Firewall rules overview.

Example configurations

For multiple examples of restricting ingress or egress traffic, refer to the firewall configuration examples in the VPC documentation.

The following example creates an ingress allow firewall rule. This rule permits all TCP, UDP, and ICMP traffic from your peer network's CIDR to your VMs in your VPC network.

Console

  1. Go to the VPN tunnels page in the Google Cloud Console.
  2. Click the VPN tunnel that you want to use.
  3. In the VPN gateway section, click the name of VPC network. This directs you to the VPC network details page that contains the tunnel.
  4. Select the Firewall rules tab.
  5. Click Add firewall rule. Add a rule for TCP, UDP, and ICMP:
    • Name: allow-tcp-udp-icmp
    • Source filter: IP ranges.
    • Source IP ranges: Remote Network IP Range value from when you created the tunnel. If you have more than one peer network range, enter each one. Press the Tab key between entries.
    • Allowed protocols or ports: tcp; udp; icmp
    • Target tags: Any valid tag or tags.
  6. Click Create.
  7. Create other firewall rules if necessary.

Alternatively, you can create rules from the Firewall rules page in the Google Cloud console.

  1. Go to the Firewall rules page.
  2. Click Create firewall rule.
  3. Populate the following fields:
    • Name: vpnrule1
    • VPC network: my-network
    • Source filter: IP ranges.
    • Source IP ranges: The peer network's IP address ranges to accept from the peer VPN gateway.
    • Allowed protocols and ports: tcp;udp;icmp
  4. Click Create.

gcloud

  gcloud compute --project PROJECT_ID firewall-rules create vpnrule1 \
    --network NETWORK \
    --allow tcp,udp,icmp \
    --source-ranges PEER_SOURCE_RANGE

If you have more than one peer network range, provide a comma-separated list to the --source-ranges flag (for example, --source-ranges 192.168.1.0/24,192.168.2.0/24).

See the gcloud firewall rules documentation for more information about the firewall-rules command.
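The following Python script is an added example and is not part of this page or of the gcloud tooling. It shows the check a practitioner would want before running the command above: each peer range is validated as a proper IPv4 CIDR (no host bits set, not 0.0.0.0/0, no duplicates), and the validated ranges are then assembled into the same gcloud argument list shown on this page, with several ranges joined into one comma-separated --source-ranges value. The project, network and peer ranges are constructed sample values; nothing here calls gcloud, so it can be run offline to review the rule before it is applied.

```python
import ipaddress
import shlex

# Constructed sample inputs for this example (not values from the page).
SAMPLE_PROJECT = "PROJECT_ID"
SAMPLE_NETWORK = "NETWORK"
SAMPLE_PEER_RANGES = ["192.168.1.0/24", "192.168.2.0/24"]


def peer_range_error(raw):
    """Return a reason string if `raw` is not acceptable as a peer source range, else None.

    Rejects malformed input, prefixes with host bits set (192.168.1.5/24),
    and 0.0.0.0/0, which would admit ingress from any source rather than
    only from the peer network.
    """
    try:
        net = ipaddress.IPv4Network(raw, strict=True)
    except ValueError as exc:
        return f"invalid peer range {raw!r}: {exc}"
    if net.prefixlen == 0:
        return "0.0.0.0/0 would allow ingress from any source, not just the peer"
    return None


def validate_peer_ranges(ranges):
    """Return the peer ranges as normalized CIDR strings, raising on any bad entry."""
    accepted = []
    for raw in ranges:
        problem = peer_range_error(raw)
        if problem is not None:
            raise ValueError(problem)
        cidr = str(ipaddress.IPv4Network(raw))
        if cidr in accepted:
            raise ValueError(f"duplicate peer range {cidr}")
        accepted.append(cidr)
    return accepted


def build_firewall_rule_argv(project, network, peer_ranges,
                             rule_name="vpnrule1", allow="tcp,udp,icmp"):
    """Build the argv for the ingress allow rule shown on this page.

    Multiple peer ranges become one comma-separated --source-ranges value.
    The returned list can be passed directly to subprocess.run().
    """
    ranges = validate_peer_ranges(peer_ranges)
    return [
        "gcloud", "compute", "--project", project,
        "firewall-rules", "create", rule_name,
        "--network", network,
        "--allow", allow,
        "--source-ranges", ",".join(ranges),
    ]


if __name__ == "__main__":
    argv = build_firewall_rule_argv(SAMPLE_PROJECT, SAMPLE_NETWORK, SAMPLE_PEER_RANGES)
    # Print the command for review; apply it with subprocess.run(argv) when satisfied.
    print(shlex.join(argv))
```

Running the script prints the full gcloud command for review; the validation runs before any command is built, so an over-broad range such as 0.0.0.0/0 is caught before it can become an ingress rule.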

Peer firewall rules

When configuring your peer firewall rules, consider the following:

  • You should configure rules to allow egress and ingress traffic to and from the IP ranges used by the subnets in your VPC network.
  • You may choose to permit all protocols and ports, or you may restrict traffic to only the necessary set of protocols and ports to meet your needs.
  • You must allow ICMP traffic if you need to use ping between peer systems and instances or other resources in Google Cloud.
  • Remember that on-premises firewall rules can be implemented both by your network devices (for example, security appliances, firewall devices, switches, routers, and gateways) and by software running on your systems (such as firewall software included with an operating system). All firewalls in the path to your VPC network must be configured appropriately to allow traffic.
  • If your VPN tunnel uses dynamic (BGP) routing, make sure that you allow BGP traffic for the link-local IP addresses. Refer to the next section for more details.

BGP considerations for peer gateways

Dynamic (BGP) routing exchanges route information using TCP port 179. Some VPN gateways, including Cloud VPN gateways, allow this traffic automatically when you choose dynamic routing. If your peer VPN gateway does not, you must configure it to allow incoming and outgoing traffic on TCP port 179. All BGP IP addresses use the link-local 169.254.0.0/16 CIDR block.

If your peer VPN gateway is not directly connected to the Internet, make sure that it and peer routers, firewalls, and security appliances are configured to at least pass BGP traffic (TCP port 179) and ICMP traffic to your VPN gateway. ICMP is not required, but is useful to test connectivity between a Cloud Router and your VPN gateway. The range of IP addresses to which your peer firewall rule should apply must include the BGP IP address of the Cloud Router and the BGP IP address of your gateway.
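As an added example (not part of this page, and not code from Google Cloud), the following Python script models the peer-side requirement just described: it confirms that both BGP session addresses fall inside the link-local 169.254.0.0/16 block, builds the minimal peer firewall allow list (TCP port 179 in both directions between exactly the two BGP addresses, plus optional ICMP for connectivity tests), evaluates sample flows against that list with default deny, and renders the list as iptables commands. The two BGP addresses are constructed sample values, and the iptables rendering assumes a Linux host acts as the peer firewall; both are assumptions for illustration.

```python
import ipaddress

# Block that all Cloud VPN BGP session addresses come from (stated on the page).
BGP_LINK_LOCAL = ipaddress.IPv4Network("169.254.0.0/16")
BGP_PORT = 179

# Constructed sample BGP session addresses (assumed values, not from the page).
CLOUD_ROUTER_BGP_IP = "169.254.0.1"
PEER_GATEWAY_BGP_IP = "169.254.0.2"


def check_bgp_addresses(cloud_router_ip, peer_gateway_ip):
    """Return True only if both BGP addresses lie inside 169.254.0.0/16."""
    return all(ipaddress.IPv4Address(ip) in BGP_LINK_LOCAL
               for ip in (cloud_router_ip, peer_gateway_ip))


def peer_bgp_rules(cloud_router_ip, peer_gateway_ip, allow_icmp=True):
    """Minimal peer-side allow list for the BGP session.

    Each rule is (direction, protocol, src, dst, dst_port); dst_port None
    means any port. Either side may open the BGP TCP connection, so port 179
    is allowed inbound (Cloud Router initiating) and outbound (peer gateway
    initiating); return traffic is expected to be handled by state tracking.
    ICMP is optional but useful for testing reachability of the Cloud Router.
    """
    if not check_bgp_addresses(cloud_router_ip, peer_gateway_ip):
        raise ValueError("BGP addresses must be inside 169.254.0.0/16")
    rules = [
        ("in", "tcp", cloud_router_ip, peer_gateway_ip, BGP_PORT),
        ("out", "tcp", peer_gateway_ip, cloud_router_ip, BGP_PORT),
    ]
    if allow_icmp:
        rules += [
            ("in", "icmp", cloud_router_ip, peer_gateway_ip, None),
            ("out", "icmp", peer_gateway_ip, cloud_router_ip, None),
        ]
    return rules


def is_allowed(rules, direction, proto, src, dst, dst_port=None):
    """Evaluate one flow against the rule list; anything unmatched is denied."""
    for r_dir, r_proto, r_src, r_dst, r_port in rules:
        if (r_dir, r_proto, r_src, r_dst) != (direction, proto, src, dst):
            continue
        if r_port is None or r_port == dst_port:
            return True
    return False


def to_iptables(rules):
    """Render the rule list as iptables commands (assumes a Linux peer firewall)."""
    chain = {"in": "INPUT", "out": "OUTPUT"}
    lines = []
    for direction, proto, src, dst, port in rules:
        cmd = f"iptables -A {chain[direction]} -p {proto} -s {src} -d {dst}"
        if port is not None:
            cmd += f" --dport {port}"
        lines.append(cmd + " -j ACCEPT")
    return lines


if __name__ == "__main__":
    rules = peer_bgp_rules(CLOUD_ROUTER_BGP_IP, PEER_GATEWAY_BGP_IP)
    for line in to_iptables(rules):
        print(line)
    # A flow that is not part of the BGP session stays denied.
    print(is_allowed(rules, "in", "tcp", CLOUD_ROUTER_BGP_IP, PEER_GATEWAY_BGP_IP, 22))
```

The allow list is deliberately narrow: it names both BGP addresses explicitly, so a flow from any other 169.254.x.x address, or to any port other than 179, is denied. If the peer gateway sits behind other routers or appliances, the same two addresses and TCP port 179 must be permitted on each of them.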

What's next