When you configure Cloud VPN tunnels to connect your Google Cloud Platform network to an on-premises network, you should review and modify firewall rules in both networks to make sure that they meet your needs. This page provides guidance for configuring GCP firewall rules and your on-premises network firewall rules.
The implied allow egress rule allows instances and other resources in your GCP network to make outgoing requests and receive established responses, but the implied deny ingress rule blocks all incoming traffic to your GCP resources.
At minimum, you need to create firewall rules that allow ingress traffic from your on-premises network ranges to your GCP network. You may also need to create egress allow rules if you have created egress deny rules that would otherwise block traffic destined for the on-premises network; give such an allow rule a higher priority (a lower priority number) than the deny rule.
If you are not familiar with how firewall rules work in GCP, read the Firewall Rules Overview first.
Project owners, editors, and IAM members with the Security Admin role can create and manage GCP firewall rules.
The following example creates a firewall rule that allows all incoming TCP, UDP, and ICMP traffic from your on-premises network to your GCP network.
- Go to the VPN tunnels page in the Google Cloud Platform Console.
- Click the VPN tunnel that you want to use.
- In the VPN gateway section, click the name of the VPC network. This takes you to the VPC network details page for the network that contains the tunnel.
- Select the Firewall rules tab.
- Click Add firewall rule. Add a rule for TCP, UDP, and ICMP:
- Source filter: IP ranges.
- Source IP ranges: Remote Network IP Range value from when you created the tunnel. If you have more than one on-premises network range, enter each one. Press the Tab key between entries.
- Allowed protocols or ports:
tcp; udp; icmp
- Target tags: Any valid tag or tags.
- Click Create.
- Create other firewall rules if necessary.
Alternatively, you can create rules from the Firewall rules page in the GCP console.
- Go to the Firewall rules page.
- Click Create firewall rule.
- Populate the following fields:
- VPC network: The network that contains the VPN tunnel.
- Source filter: IP ranges.
- Source IP ranges: The on-premises ranges to accept from the on-premises VPN gateway. If you have more than one range, enter each one.
- Allowed protocols and ports: tcp; udp; icmp, or a narrower set of protocols and ports if you want to restrict what on-premises systems can reach.
- Click Create.
gcloud compute firewall-rules create vpnrule1 \
    --project [PROJECT_ID] \
    --network [NETWORK] \
    --allow tcp,udp,icmp \
    --source-ranges [PEER_SOURCE_RANGE]
If you have more than one on-premises network range, provide a comma-separated list in the --source-ranges flag. See the gcloud compute firewall-rules documentation for more information about the available flags.
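The console steps and the gcloud command above create the same object: an ingress allow rule on the VPC network whose source ranges are the on-premises ranges. The following Python is an added example, not Google's code and not part of the original page. It builds that rule body in the form the Compute Engine firewalls API expects, renders the equivalent gcloud command for review, and applies two checks worth running before creating the rule: every range must be a valid CIDR, and no on-premises range may overlap a VPC subnet. It also covers the egress case from the introduction (an allow rule that outranks an egress deny rule). The project, network, tag and address ranges are constructed placeholders.

```python
"""Build the GCP-side firewall rule for a Cloud VPN tunnel.

Added example, not Google's code: it validates the on-premises ranges,
checks them against the VPC subnets, and emits both the REST body for
compute.firewalls.insert and the equivalent gcloud command. All names and
address ranges below are constructed placeholders.
"""
import ipaddress
import shlex


def parse_ranges(ranges):
    """Parse CIDR strings strictly (host bits must be zero) into networks."""
    nets = []
    for r in ranges:
        try:
            nets.append(ipaddress.ip_network(r, strict=True))
        except ValueError as exc:
            raise ValueError(f"bad IP range {r!r}: {exc}") from exc
    return nets


def vpn_rule(name, network, onprem_ranges, vpc_subnets, direction="INGRESS",
             protocols=("tcp", "udp", "icmp"), target_tags=None, priority=1000):
    """Return a compute.firewalls resource body allowing tunnel traffic.

    INGRESS uses the on-premises ranges as sources. EGRESS (only needed when
    an egress deny rule would otherwise block the tunnel) uses them as
    destinations, so give it a lower priority number than the deny rule.
    An on-premises range that overlaps a VPC subnet is rejected: the rule
    would then also match traffic originating inside the VPC, and the
    overlapping addresses are unreachable through the tunnel anyway because
    subnet routes take precedence over routes learned through the tunnel.
    """
    if direction not in ("INGRESS", "EGRESS"):
        raise ValueError("direction must be INGRESS or EGRESS")
    remote = parse_ranges(onprem_ranges)
    vpc = parse_ranges(vpc_subnets)
    for r in remote:
        for v in vpc:
            if r.overlaps(v):
                raise ValueError(f"on-prem range {r} overlaps VPC subnet {v}")
    allowed = []
    for spec in protocols:            # "tcp", "icmp" or "tcp:22,443"
        proto, _, ports = spec.partition(":")
        entry = {"IPProtocol": proto}
        if ports:
            entry["ports"] = ports.split(",")
        allowed.append(entry)
    body = {
        "name": name,
        "network": f"global/networks/{network}",
        "direction": direction,
        "priority": priority,
        "allowed": allowed,
    }
    key = "sourceRanges" if direction == "INGRESS" else "destinationRanges"
    body[key] = [str(r) for r in remote]
    if target_tags:
        body["targetTags"] = list(target_tags)
    return body


def gcloud_command(body, project):
    """Render the gcloud equivalent of a rule body, shell-quoted for review."""
    allow = []
    for entry in body["allowed"]:
        ports = entry.get("ports")
        if ports:
            allow.extend(f"{entry['IPProtocol']}:{p}" for p in ports)
        else:
            allow.append(entry["IPProtocol"])
    ranges_flag = ("--source-ranges" if body["direction"] == "INGRESS"
                   else "--destination-ranges")
    ranges = body.get("sourceRanges") or body["destinationRanges"]
    argv = ["gcloud", "compute", "firewall-rules", "create", body["name"],
            "--project", project,
            "--network", body["network"].rsplit("/", 1)[-1],
            "--direction", body["direction"],
            "--priority", str(body["priority"]),
            "--allow", ",".join(allow),
            ranges_flag, ",".join(ranges)]
    if body.get("targetTags"):
        argv += ["--target-tags", ",".join(body["targetTags"])]
    return shlex.join(argv)


if __name__ == "__main__":
    # Constructed placeholders: two on-prem ranges, one VPC subnet.
    rule = vpn_rule("vpnrule1", "my-vpc", ["10.0.0.0/16", "172.16.5.0/24"],
                    ["10.128.0.0/20"], target_tags=["vpn-reachable"])
    print(gcloud_command(rule, "my-project"))
    # Narrower variant: only SSH, HTTPS and ICMP from on-prem.
    tight = vpn_rule("vpnrule1-tight", "my-vpc", ["10.0.0.0/16"],
                     ["10.128.0.0/20"], protocols=("tcp:22,443", "icmp"))
    print(gcloud_command(tight, "my-project"))
```

The overlap check is the one most often skipped: an on-premises range that collides with a VPC subnet does not fail loudly at rule creation, it silently widens what the rule matches inside the VPC.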
When configuring your on-premises firewall rules, consider the following:
- You should configure rules to allow egress and ingress traffic to and from the IP ranges used by the subnets in your GCP network.
- You may choose to permit all protocols and ports, or you may restrict traffic to only the necessary set of protocols and ports to meet your needs.
- You must allow ICMP traffic if on-premises systems and instances or other resources in GCP need to reach each other with ICMP (for example, to test connectivity).
- Remember that on-premise firewall rules can be implemented by both your network devices (for example, security appliances, firewall devices, switches, routers, and gateways) and in software running on your systems (such as firewall software included with an operating system). All firewalls “in the way” to GCP must be configured appropriately to allow traffic.
- If your VPN tunnel uses dynamic (BGP) routing, make sure that you allow BGP traffic for the link-local IP addresses. Refer to the next section for more details.
Considerations for dynamic routing
Dynamic (BGP) routing exchanges route information over TCP port 179. Some VPN gateways allow this traffic automatically when you choose dynamic routing. If your gateway does not, you must configure it to allow incoming and outgoing traffic on TCP port 179. All BGP IP addresses use the link-local 169.254.0.0/16 range.
If your on-premises VPN gateway is not directly connected to the Internet, make sure that it and on-premises routers, firewalls, and security appliances are configured to at least pass BGP traffic (TCP port 179) and ICMP traffic to your VPN gateway. ICMP is not required, but is useful to test connectivity between a Cloud Router and your VPN gateway. The range of IP addresses to which your on-premises firewall rule should apply must include the BGP IP address of the Cloud Router and the BGP IP address of your gateway.
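The on-premises considerations above and the dynamic-routing requirements in this section can be turned into a concrete checklist. The following Python is an added example, not Google's code and not part of the original page: it derives the flows an on-premises firewall must permit for a tunnel that uses BGP routing (TCP 179 in both directions between the two BGP addresses, ICMP between them for connectivity tests, and the subnet-to-subnet traffic), verifies that both BGP addresses are link-local, and audits a first-match-wins rule table against that list. The BGP addresses, subnet ranges and the sample rule table are constructed placeholders, and the rule-table format is this example's own rather than any vendor's.

```python
"""Required on-premises allowances for a Cloud VPN tunnel with BGP routing,
and an audit of a constructed on-prem rule table against them.

Added example, not Google's code. BGP addresses, subnets and SAMPLE_POLICY
are constructed placeholders; the policy format is this example's own.
"""
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def required_onprem_allows(cloud_router_bgp_ip, gateway_bgp_ip,
                           gcp_subnets, onprem_subnets):
    """Return (src, dst, proto, port) flows the on-prem side must permit.

    Both BGP addresses must be link-local. BGP is required in both
    directions because either peer may open the TCP 179 session. ICMP
    between the BGP addresses is optional in practice but kept here so
    Cloud Router-to-gateway connectivity can be tested.
    """
    cr = ipaddress.ip_address(cloud_router_bgp_ip)
    gw = ipaddress.ip_address(gateway_bgp_ip)
    for ip in (cr, gw):
        if ip not in LINK_LOCAL:
            raise ValueError(f"BGP address {ip} is not in {LINK_LOCAL}")
    if cr == gw:
        raise ValueError("Cloud Router and gateway BGP addresses must differ")
    cr_net, gw_net = f"{cr}/32", f"{gw}/32"
    flows = {
        (cr_net, gw_net, "tcp", 179),
        (gw_net, cr_net, "tcp", 179),
        (cr_net, gw_net, "icmp", None),
        (gw_net, cr_net, "icmp", None),
    }
    for g in gcp_subnets:             # subnet traffic, both directions;
        for o in onprem_subnets:      # narrow "any" if you restrict ports
            flows.add((g, o, "any", None))
            flows.add((o, g, "any", None))
    return flows


def _covers(rule, src, dst, proto, port):
    """True if one policy rule matches the whole required flow."""
    return (src.subnet_of(ipaddress.ip_network(rule["src"]))
            and dst.subnet_of(ipaddress.ip_network(rule["dst"]))
            and rule["proto"] in ("any", proto)
            and rule.get("port") in (None, port))


def missing_allows(policy, required):
    """Return required flows the first-match-wins policy does not allow.

    Unmatched flows are treated as denied (default deny). A flow that is
    only allowed by several narrower rules together is reported as missing;
    this checker expects one covering rule per flow.
    """
    missing = []
    for src, dst, proto, port in sorted(required, key=str):
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        verdict = "deny"
        for rule in policy:
            if _covers(rule, s, d, proto, port):
                verdict = rule["action"]
                break
        if verdict != "allow":
            missing.append((src, dst, proto, port))
    return missing


# Constructed on-prem rule table (first match wins). It allows the Cloud
# Router to open BGP but forgets the reverse direction.
SAMPLE_POLICY = [
    {"src": "169.254.0.1/32", "dst": "169.254.0.2/32", "proto": "tcp",
     "port": 179, "action": "allow"},
    {"src": "169.254.0.0/16", "dst": "169.254.0.0/16", "proto": "icmp",
     "port": None, "action": "allow"},
    {"src": "10.128.0.0/20", "dst": "10.0.0.0/16", "proto": "any",
     "port": None, "action": "allow"},
    {"src": "10.0.0.0/16", "dst": "10.128.0.0/20", "proto": "any",
     "port": None, "action": "allow"},
    {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any",
     "port": None, "action": "deny"},
]


if __name__ == "__main__":
    required = required_onprem_allows("169.254.0.1", "169.254.0.2",
                                      ["10.128.0.0/20"], ["10.0.0.0/16"])
    for flow in missing_allows(SAMPLE_POLICY, required):
        print("missing on-prem allow:", flow)
```

Run against the sample table, the audit reports exactly one gap, the gateway-to-Cloud Router BGP flow; a session that only ever comes up when the Cloud Router happens to initiate is the symptom that gap produces.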
- Learn about the basic concepts of Cloud VPN
- Create a custom Virtual Private Cloud network
- Set up different types of Cloud VPN
- Maintain VPN tunnels and gateways
- See Advanced Configurations for information on high-availability, high-throughput scenarios, or multiple subnet scenarios.
- Get troubleshooting help