This page describes the commands for working with firewall rules and offers some examples in using them.
Before you begin
Refer to the Firewall rules overview, to learn more about firewall rules, such as implied rules and system-generated rules for default networks.
Before configuring firewall rules, review the firewall rule components to become familiar with firewall components as used in Google Cloud.
Creating firewall rules
Firewall rules are defined at the network level, and only apply to the network where they are created; however, the name you choose for each of them must be unique to the project.
When you create a firewall rule, you can choose to enable Firewall Rules Logging. If you enable logging, you can omit metadata fields to save storage costs. For more information, see Using Firewall Rules Logging.
Console
- Go to the Firewall page in the Google Cloud Console.
Go to the Firewall page - Click Create firewall rule.
- Enter a Name for the firewall rule.
This name must be unique for the project. - (Optional) You can enable firewall rules
logging:
- Click Logs > On.
- To omit metadata, expand Logs details and then clear Include metadata.
- Specify the Network for the firewall rule.
- Specify the Priority of the rule.
The lower the number, the higher the priority. - For the Direction of traffic, choose ingress or egress.
- For the Action on match, choose allow or deny.
- Specify the Targets of the rule.
- If you want the rule to apply to all instances in the network, choose
All instances in the network
. - If you want the rule to apply to select instances by network (target)
tags, choose
Specified target tags
, then type the tags to which the rule should apply into the Target tags field. - If you want the rule to apply to select instances by associated
service account, choose
Specified service account
, indicate whether the service account is in the current project or another one under Service account scope, and choose or type the service account name in the Target service account field.
- If you want the rule to apply to all instances in the network, choose
- For an ingress rule, specify the Source filter:
- Choose
IP ranges
and type the CIDR blocks into the Source IP ranges field to define the source for incoming traffic by IP address ranges. Use0.0.0.0/0
for a source from any network. - To limit source by network tag, choose
Source tags
, then type the network tags in to the Source tags field. For the limit on the number of source tags, see VPC Quotas and Limits. Filtering by source tag is only available if the target is not specified by service account. For more information, see filtering by service account versus network tag. - To limit source by service account, choose
Service account
, indicate whether the service account is in the current project or another one under Service account scope, and choose or type the service account name in the Source service account field. Filtering by source service account is only available if the target is not specified by network tag. For more information, see filtering by service account versus network tag. - Specify a Second source filter if desired. Secondary source filters cannot use the same filter criteria as the primary one. Source IP ranges can be used together with either Source tags or Source service account, the effective source set is the union of the source range IP addresses and the instances identified by network tags (or service accounts).
- Source tags and Source service account can't be used together.
- Choose
- For an egress rule, specify the Destination filter:
- Choose
IP ranges
and type the CIDR blocks into the Destination IP ranges field to define the destination for outgoing traffic by IP address ranges. Use0.0.0.0/0
to mean everywhere.
- Choose
Define the Protocols and ports to which the rule applies:
Select
Allow all
orDeny all
, depending on the action, to have the rule apply to all protocols and destination ports.Define specific protocols and destintion ports:
- Select tcp to include the TCP protocol and destination
ports. Enter
all
or a comma-delimited list of destination ports, such as20-22, 80, 8080
. - Select udp to include the UDP protocol and destination
ports. Enter
all
or a comma-delimited list of destination ports, such as67-69, 123
. - Select Other protocols to include protocols such as
icmp
orsctp
.
- Select tcp to include the TCP protocol and destination
ports. Enter
(Optional) You can create the firewall rule but not enforce it by setting its enforcement state to disabled. Click Disable rule, then select Disabled.
Click Create.
gcloud
The gcloud
command for creating firewall rules is:
gcloud compute firewall-rules create NAME \ [--network NETWORK; default="default"] \ [--priority PRIORITY;default=1000] \ [--direction (ingress|egress|in|out); default="ingress"] \ [--action (deny | allow )] \ [--target-tags TAG[,TAG,...]] \ [--target-service-accounts=IAM_SERVICE_ACCOUNT[,IAM_SERVICE_ACCOUNT,...]] \ [--source-ranges CIDR_RANGE[,CIDR_RANGE,...]] \ [--source-tags TAG,TAG,] \ [--source-service-accounts=IAM_SERVICE_ACCOUNT[,IAM_SERVICE_ACCOUNT,...]] \ [--destination-ranges CIDR_RANGE[,CIDR_RANGE,...]] \ [--rules (PROTOCOL[:PORT[-PORT]],[PROTOCOL[:PORT[-PORT]],...]] | all ) \ [--disabled | --no-disabled] \ [--enable-logging | --no-enable-logging] \ [--logging-metadata LOGGING_METADATA]
Use the parameters as follows. More details about each are available in the SDK reference documentation.
--network
The network for the rule. If omitted, the rule is created in thedefault
network. If you don't have a default network or want to create the rule in a specific network, you must use this field.--priority
A numerical value that indicates the priority for the rule. The lower the number, the higher the priority.--direction
The direction of traffic, eitheringress
oregress
.--action
The action on match, eitherallow
ordeny
. Must be used with the--rules
flag.- Specify a target in one of three ways:
- For an ingress rule, specify a
source:
- Omit
--source-ranges
,source-tags
, and--source-service-accounts
if the ingress source should be everywhere,0.0.0.0/0
. --source-ranges
Use this flag to specify ranges of source IP addresses in CIDR format.--source-tags
Use this flag to specify source instances by network tags. Filtering by source tag is only available if the target is not specified by service account. For more information, see filtering by service account versus network tag.--source-ranges
and--source-tags
can be used together. If both are specified, the effective source set is the union of the source range IP addresses and the instances identified by network tags, even if the tagged instances do not have IPs in the source ranges.--source-service-accounts
Use this flag to specify instances by the service accounts they use. Filtering by source service account is only available if the target is not specified by network tag. For more information, see filtering by service account versus network tag.--source-ranges
and--source-service-accounts
can be used together. If both are specified, the effective source set is the union of the source range IP addresses and the instances identified by source service accounts, even if the instances identified by source service accounts do not have IPs in the source ranges.
- Omit
- For an egress rule, specify a
destination:
- Omit
--destination-ranges
if the egress destination should be anywhere,0.0.0.0/0
. --destination-ranges
Use this flag to specify ranges of destination IP addresses in CIDR format.
- Omit
--rules
A list of protocols and destination ports to which the rule applies. Useall
to make the rule applicable to all protocols and all destination ports. Requires the--action
flag.- By default, firewall rules are created and enforced automatically;
however, you can change this behavior.
- If both
--disabled
and--no-disabled
are omitted, the firewall rule is created and enforced. --disabled
Add this flag to create the firewall rule but not enforce it. The firewall rule remains disabled until you update the firewall rule to enable it.--no-disabled
Add this flag to ensure the firewall rule is enforced.
- If both
--enable-logging | --no-enable-logging
You can enable Firewall Rules Logging for a rule when you create or update it. Firewall Rules Logging allows you audit, verify, and analyze the effects of your firewall rules. See Firewall Rules Logging for details.--logging-metadata
If you enable logging, by default, Firewall Rules Logging includes base and metadata fields. You can omit metadata fields to save storage costs. For more information, see Using Firewall Rules Logging.
API
Create a firewall rule.
POST https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/firewalls { "name": "FIREWALL_NAME", "network": "projects/PROJECT-ID/global/networks/NETWORK_NAME", ... other fields }
Replace the placeholders with valid values:
PROJECT_ID
is the ID of the project where the VPC network is located.NETWORK_NAME
is the name the VPC network where the firewall rule is created.FIREWALL_NAME
a name for the firewall rule.For an ingress firewall rule, use the following fields to specify the ingress source:
sourceRanges
,sourceTags
, orsourceServiceAccounts
. Specify no field to use the range0.0.0.0/0
. You cannot use thesourceTags
andsourceServiceAccounts
fields together. However, you can usesourceRanges
withsourceTags
orsourceServiceAccounts
. If you do, the connection just needs to match one or the other for the firewall rule to apply.For the target fields, if you use the
sourceTags
field, you cannot use thetargetServiceAccounts
field. You must use thetargetTags
field or no target field. Similarly, if you use thesourceServiceAccounts
field, you cannot use thetargetTags
field. If you don't specify a target field, the rule applies to all targets in the network.For an egress firewall rule, use the
destinationRanges
field to specify the destination. If you don't specify a destination, Google Cloud uses0.0.0.0/0
. Use thetargetTags
ortargetServiceAccounts
field to specify which targets the rule applies to. If you don't specify a target field, the rule applies to all targets in the network.
For more information and descriptions for each field, refer to the
firewalls.insert
method.
Updating firewall rules
You can modify some components of a firewall rule, such as the specified protocols and destination ports for the match condition. You cannot modify a firewall rule's name, network, the action on match, and the direction of traffic.
If you need to change the name, network, or the action or direction component, you must delete the rule and create a new one instead.
Console
- Go to the Firewall page in the Google Cloud Console.
Go to the Firewall page - Click the firewall rule you want to modify.
- Click Edit.
Modify any of the editable components to meet your needs.
In the Specified protocols and ports field, use a semicolon-delimited list to specify multiple protocols and protocol-and-destination-port combinations.
Click Save.
gcloud
The gcloud
command for updating firewall rules is:
gcloud compute firewall-rules update NAME \ [--priority=PRIORITY] \ [--description=DESCRIPTION] \ [--target-tags=TAG,...] \ [--target-service-accounts=IAM_SERVICE_ACCOUNT,_] \ [--source-ranges=CIDR_RANGE,...] \ [--source-tags=TAG,...] \ [--source-service-accounts=IAM_SERVICE_ACCOUNT,_] \ [--destination-ranges=CIDR_RANGE,...] \ [--rules=[PROTOCOL[:PORT[-PORT]],…]] \ [--disabled | --no-disabled] \ [--enable-logging | --no-enable-logging]
The descriptions for each flag are the same as for creating firewall rules, and more details about each are available in the SDK reference documentation.
API
Use PATCH to update the following fields: allowed
, description
,
sourceRanges
, sourceTags
, or targetTags
. Use PUT or POST for all other
fields.
(PATCH|(POST|PUT)) https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/firewalls/FIREWALL_NAME { "name": "FIREWALL_NAME", "network": "projects/PROJECT-ID/global/networks/NETWORK_NAME", ... other fields }
Replace the placeholders with valid values:
PROJECT_ID
is the ID of the project where the VPC network is located.NETWORK_NAME
is the name the VPC network where the firewall rule is located.FIREWALL_NAME
is the name of the firewall rule to update.
For more information and descriptions for each field, refer to the
firewalls.patch
or
firewalls.update
method.
Listing firewall rules for a VPC network
In the Cloud Console, you can list all of the firewall rules for your project or for a particular VPC network. For each firewall rule, Cloud Console shows details such as the rule's type, targets, and filters.
If you enable
Firewall Rules Logging,
Firewall Insights can provide insights about your firewall rules
to help you better understand and safely optimize their configurations. For
example, you can view which allow
rules haven't been used in the last six weeks.
For more information, see Using the Firewall rules details
screen
in the Firewall Insights documentation.
Console
To show all firewall rules for all networks in your project:
- Go to the Firewall page in the Google Cloud Console.
Go to the Firewall page
To show firewall rules in a particular network:
- Go to the VPC networks page in the Google Cloud Console.
Go to the VPC networks page - Click the Name of a VPC network to go to its details page.
- On the details page for the network, click the Firewall rules tab.
gcloud
The following command produces a sorted list of firewall rules for a given
network ([NETWORK-NAME]
).
gcloud compute firewall-rules list --filter network=NETWORK_NAME \ --sort-by priority \ --format="table( name, network, direction, priority, sourceRanges.list():label=SRC_RANGES, destinationRanges.list():label=DEST_RANGES, allowed[].map().firewall_rule().list():label=ALLOW, denied[].map().firewall_rule().list():label=DENY, sourceTags.list():label=SRC_TAGS, targetTags.list():label=TARGET_TAGS )"
API
List all firewall rules for a given network.
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/firewalls/?filter=network="NETWORK_NAME
Replace the placeholders with valid values:
PROJECT_ID
is the ID of the project where the VPC network is located.NETWORK_NAME
is the name of the VPC network that contains the firewall rules to list.
For more information, refer to the
firewalls.list
method.
Listing firewall rules for a network interface of a VM instance
For each network interface, the Cloud Console lists all of the firewall rules that apply to the interface and the rules that are actually being used by the interface. Firewall rules can mask other rules, so all of the rules that apply to an interface might not actually be used by the interface.
Firewall rules are associated and applied to a VM instances through a rule's target parameter. By viewing all of the applied rules, you can check whether a particular rule is being applied to an interface.
If you enable Firewall Rules Logging, Firewall Insights can provide insights about your firewall rules to help you better understand and safely optimize their configurations. For example, you can view which rules on an interface were hit in the last six weeks. For more information, see Using the VM network interface details screen in the Firewall Insights documentation.
To view all of the firewall rules that apply to a specific network interface of a VM instance:
- Go to the VM instances page in the Google Cloud Console and find the instance
to view.
Go to the VM instances page - In the instance's more actions menu (
), select View network details.
- If an instance has multiple network interfaces, select the network interface to view in the Network interface details section.
- Click the Firewall rules tab to see all the rules that apply to the network interface, sorted by rule name.
Of the rules that apply to a network interface, the interface might not use all of them. Some rules might be overridden by a rule with a more specific range or a higher priority. By viewing the rules that are in use, you can quickly verify which IP ranges, protocols, and destination ports are open or closed on the instance.
To view the rules that are being used by a specific network interface of a VM instance:
- Go to the VM instances page in the Google Cloud Console and find the instance to
view.
Go to the VM instances page - In the instance's more actions menu (
), select View network details.
- If an instance has multiple network interfaces, select the network interface to view in the Network interface details section.
- In the Network Analysis section, select the Ingress analysis or Egress analysis tab.
- View the table, which is sorted from the most specific to least specific IP address range, to determine if traffic to or from a specific IP address is permitted.
Viewing firewall rules details
You can inspect a firewall rule to see its name, applicable network, and components, including whether the rule is enabled or disabled.
Console
- List your firewall rules. You can view a list of all rules or just those in a particular network.
- Click the rule to view.
gcloud
The following command describes an individual firewall rule. Replace
[FIREWALL-NAME]
with the name of the firewall rule. Because firewall
rule names are unique to the project, you don't have to specify a network
when describing an existing one.
gcloud compute firewall-rules describe [FIREWALL-NAME]
API
Describe a given firewall rule.
GET https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/firewalls/FIREWALL_NAME
Replace the placeholders with valid values:
PROJECT_ID
is the ID of the project where the firewall rule is located.FIREWALL_NAME
is the name of the firewall rule to describe.
For more information, refer to the
firewalls.get
method.
Deleting firewall rules
Console
- List your firewall rules. You can view a list of all rules or just those in a particular network.
- Click the rule to delete.
- Click Delete.
- Click Delete again to confirm.
gcloud
The following command deletes a firewall rule. Replace
[FIREWALL-NAME]
with the name of the rule to be deleted.
gcloud compute firewall-rules delete [FIREWALL-NAME]
API
Delete a firewall rule.
DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT_ID/global/firewalls/FIREWALL_NAME
Replace the placeholders with valid values:
PROJECT_ID
is the ID of the project where the firewall rule is located.FIREWALL_NAME
is the name of the firewall rule to delete.
For more information, refer to the
firewalls.delete
method.
Monitoring firewall rules
You can enable logging for firewall rules to see which rule allowed or blocked which traffic. See Using Firewall Rules Logging for instructions.
Configuration examples
The diagram below demonstrates an example firewall configuration. The scenario
involves a my-network
that contains the following:.
- a subnet
subnet1
with IP range10.240.10.0/24
- a subnet
subnet2
with IP range192.168.1.0/24
- instance
vm1
insubnet2
having tagwebserver
and internal IP192.168.1.2
- instance
vm2
insubnet2
having tagdatabase
and internal IP192.168.1.3
Example 1: Deny all ingress TCP connections except those to port 80
from subnet1
This example creates a set of firewall rules that deny all ingress TCP
connections except connections destined to port 80
from subnet1
.
Create a firewall rule to deny all ingress TCP traffic to instances tagged with
webserver
.gcloud compute firewall-rules create deny-subnet1-webserver-access \ --network NETWORK_NAME \ --action deny \ --direction ingress \ --rules tcp \ --source-ranges 0.0.0.0/0 \ --priority 1000 \ --target-tags webserver
Create a firewall rule to allow all IPs in
subnet1
(10.240.10.0/24
) to access TCP port80
on instances tagged withwebserver
.gcloud compute firewall-rules create vm1-allow-ingress-tcp-port80-from-subnet1 \ --network NETWORK_NAME \ --action allow \ --direction ingress \ --rules tcp:80 \ --source-ranges 10.240.10.0/24 \ --priority 50 \ --target-tags webserver
Example 2: Deny all egress TCP connections except those to port 80
of vm1
Create a firewall rule to deny all egress TCP traffic.
gcloud compute firewall-rules create deny-all-access \ --network NETWORK_NAME \ --action deny \ --direction egress \ --rules tcp \ --destination-ranges 0.0.0.0/0 \ --priority 1000
Create firewall rule to allow TCP traffic destined to
vm1
port80
.gcloud compute firewall-rules create vm1-allow-egress-tcp-port80-to-vm1 \ --network NETWORK_NAME \ --action allow \ --direction egress \ --rules tcp:80 \ --destination-ranges 192.168.1.2/32 \ --priority 60
Example 3: Allow egress TCP connections to port 443
of an external host
Create a firewall rule that allows instances tagged with webserver
to send
egress TCP traffic to port 443
of a sample external IP address, 192.0.2.5
.
gcloud compute firewall-rules create vm1-allow-egress-tcp-port443-to-192-0-2-5 \ --network NETWORK_NAME \ --action allow \ --direction egress \ --rules tcp:443 \ --destination-ranges 192.0.2.5/32 \ --priority 70 \ --target-tags webserver
Example 4: Allow SSH connections from vm2
to vm1
Create firewall rule that allows SSH traffic from instances with tag
database
(vm2
) to reach instances with tag webserver
(vm1
).
gcloud compute firewall-rules create vm1-allow-ingress-tcp-ssh-from-vm2 \ --network NETWORK_NAME \ --action allow \ --direction ingress \ --rules tcp:22 \ --source-tags database \ --priority 80 \ --target-tags webserver
Example 5: Allow TCP:1443 from webserver to database using service accounts
For additional information on service accounts and roles, see Granting roles to service accounts.
Consider the scenario in the diagram below, in which there are two applications
that are autoscaled through templates, a webserver application my-sa-web
,
and a database application 'my-sa-db". A Security admin wants to allow TCP
flows to destination port 1443
from my-sa-web
to my-sa-db
.
The configuration steps, including the creation of the service accounts, is as follows:
A project EDITOR or project OWNER creates the service accounts
my-sa-web
andmy-sa-db
.gcloud iam service-accounts create my-sa-web \ --display-name "webserver service account"
gcloud iam service-accounts create my-sa-db \ --display-name "database service account"
A project OWNER assigns the webserver developer
web-dev@example.com
a serviceAccountUser role for service accountmy-sa-web
by setting an Identity and Access Management (IAM) policy.gcloud iam service-accounts add-iam-policy-binding \ my-sa-web@my-project.iam.gserviceaccount.com \ --member='user:web-dev@example.com' \ --role='roles/iam.serviceAccountUser'
A project OWNER assigns the database developer "db-dev@example.com" a serviceAccountUser role for service account
my-sa-db
by setting an IAM policy.gcloud iam service-accounts add-iam-policy-binding \ my-sa-db@my-project.iam.gserviceaccount.com \ --member='user:db-dev@example.com' \ --role='roles/iam.serviceAccountUser'
Developer
web-dev@example.com
, which has the Instance admin role, creates webserver instance template and authorize instances to run as service accountmy-sa-web
.gcloud compute instance-templates create [INSTANCE_TEMPLATE_NAME] \ --service-account my-sa-web@my-project-123.iam.gserviceaccount.com
Developer
db-dev@example.com
, which has the Instance Admin role, creates the database instance template and authorize instances to run as service accountmy-sa-db
.gcloud compute instance-templates create [INSTANCE_TEMPLATE_NAME] \ --service-account my-sa-db@my-project-123.iam.gserviceaccount.com
Security admin creates the firewall rules using service accounts to allow traffic
TCP:1443
from service accountmy-sa-web
to service accountmy-sa-db
.gcloud compute firewall-rules create FIREWALL_NAME \ --network network_a \ --allow TCP:1443 \ --source-service-accounts my-sa-web@my-project.iam.gserviceaccount.com \ --target-service-accounts my-sa-db@my-project.iam.gserviceaccount.com
Troubleshooting
Error messages when creating or updating a firewall rule
You may see one of the following error messages:
Should not specify destination range for ingress direction.
Destination ranges are not valid parameters for ingress firewall rules. Firewall rules are assumed to be ingress rules unless a direction of
egress
is specifically specified. If you create a rule that does not specify a direction, it is created as an ingress rule, which does not allow a destination range. Also, source ranges are not valid parameters for egress rules.Firewall direction cannot be changed once created.
You cannot change the direction of an existing firewall rule. You have to create a new rule with the correct parameters, then delete the old one.
Firewall traffic control action cannot be changed once created.
You cannot change the action of an existing firewall rule. You have to create a new rule with the correct parameters, then delete the old one.
Service accounts must be valid RFC 822 email addresses.
The service account specified in firewall rule must be an email address formatted per RFC 822.gcloud compute firewall-rules create bad --allow tcp --source-service-accounts invalid-email
Creating firewall...failed. ERROR: (gcloud.compute.firewall-rules.create) Could not fetch resource: – Invalid value for field 'resource.sourceServiceAccounts[0]': 'invalid-email'. Service accounts must be valid RFC 822 email addresses.
ServiceAccounts and Tags are mutually exclusive and can't be combined in the same firewall rule.
You cannot specify both service accounts and tags in the same rule.gcloud compute firewall-rules create bad --allow tcp --source-service-accounts test@google.com --target-tags target
Creating firewall...failed. ERROR: (gcloud.compute.firewall-rules.create) Could not fetch resource: – ServiceAccounts and Tags are mutually exclusive and can't be combined in the same firewall rule.
Cannot connect to VM instance
If you cannot connect to a VM instance, check your firewall rules.
If you are initiating the connection from another VM instance, list the egress firewall rules for that instance.
gcloud compute firewall-rules list --filter network=[NETWORK-NAME] \ --filter EGRESS \ --sort-by priority \ --format="table( name, network, direction, priority, sourceRanges.list():label=SRC_RANGES, destinationRanges.list():label=DEST_RANGES, allowed[].map().firewall_rule().list():label=ALLOW, denied[].map().firewall_rule().list():label=DENY, sourceTags.list():label=SRC_TAGS, sourceServiceAccounts.list():label=SRC_SVC_ACCT, targetTags.list():label=TARGET_TAGS, targetServiceAccounts.list():label=TARGET_SVC_ACCT )"
Check if the destination IP is denied by any egress rules. The rule with the highest priority (lowest priority number) overrides lower priority rules. For two rules with same priority, the deny rule takes precedence.
Check ingress firewall rule for the network that contains the destination VM instance.
gcloud compute firewall-rules list --filter network=[NETWORK-NAME] \ --filter INGRESS \ --sort-by priority \ --format="table( name, network, direction, priority, sourceRanges.list():label=SRC_RANGES, destinationRanges.list():label=DEST_RANGES, allowed[].map().firewall_rule().list():label=ALLOW, denied[].map().firewall_rule().list():label=DENY, sourceTags.list():label=SRC_TAGS, sourceServiceAccounts.list():label=SRC_SVC_ACCT, targetTags.list():label=TARGET_TAGS, targetServiceAccounts.list():label=TARGET_SVC_ACCT )"
Sample output. Your output will depend on your list of firewall rules
NAME NETWORK DIRECTION PRIORITY SRC_RANGES DEST_RANGES ALLOW DENY SRC_TAGS SRC_SVC_ACCT TARGET_TAGS TARGET_SVC_ACCT default-allow-icmp default INGRESS 65534 0.0.0.0/0 icmp default-allow-internal default INGRESS 65534 10.128.0.0/9 tcp:0-65535,udp:0-65535,icmp default-allow-rdp default INGRESS 65534 0.0.0.0/0 tcp:3389 default-allow-ssh default INGRESS 65534 0.0.0.0/0 tcp:22 firewall-with-sa default INGRESS 1000 tcp:10000 test1@google.com target@google.com
You can also run connectivity tests to/from VM instances in a VPC network to another VPC network or non-Google cloud network to troubleshoot if the traffic is getting dropped by any ingress or egress firewall rules. For more information on how to run the connectivity tests to troubleshoot various scenarios, see Running Connectivity Tests.
Is my firewall rule enabled or disabled?
To see if a firewall rule is enabled or disabled, view the firewall rules details.
In the Google Cloud Console, look for Enabled
or Disabled
under
Enforcement.
In the gcloud
command-line tool output, look for the disabled
field.
If it says disabled:false
, the rule is enabled and being enforced. If it
says disabled: true
, the rule is disabled.
Which rule is being applied on a VM instance?
Imagine that you add a new firewall rule to a VPC network, which allows traffic
to a database server at 10.1.2.3
over tcp:1433
. After you create the rule,
you can check to see if it's being applied correctly on a particular instance.
For more information, see Listing firewall rules for a network interface of a
VM instance.
In the following example, the console lists the database-access
rule in the
Egress analysis tab for this VM instance, meaning 10.1.2.3
egress traffic
to destination port 1433
is permitted. Other egress traffic in the
10.1.0.0/16
range is blocked due to the deny-database-subnet
firewall rule.

Firewall rules with source tags don't take effect immediately
Ingress firewall rules that use source tags can take time to propagate. For details, see the considerations that are related to source tags for ingress firewall rules.
What's next
- See the Firewall Rules Overview for an introduction to firewall rules