Establishing Firewall Rules
The firewall rules configured here will apply to all the subnets of the VPC, allowing or denying incoming or outgoing traffic, depending on your needs. For more information about rules see Use VPC firewall rules.
The command to create a rule is:

```shell
gcloud compute firewall-rules create <Rule_Name> --description="<DESCRIPTION>" --direction=INGRESS --priority=<PRIORITY> --network=<VPC_NETWORK_NAME> --action=ALLOW --rules=<PROTOCOL:PORT> --source-ranges=<SOURCE_IP_RANGE> --destination-ranges=<DESTINATION_IP_RANGE>
```

Where:
<Rule_Name> is the name of the firewall rule to be created.
<DESCRIPTION> is an optional description of the rule.
--direction can be INGRESS, EGRESS, IN or OUT. If it is not specified, the rule applies to incoming traffic only.
<PRIORITY> is an integer between 0 and 65535 (lower numbers take precedence); when not specified, the value 1000 is assumed.
<VPC_NETWORK_NAME> is the network to which this rule is attached.
--action is either ALLOW or DENY; this is what the firewall rule does with matching traffic.
<PROTOCOL:PORT> is a comma-separated list of protocols and ports (for example tcp:22 or tcp:80,tcp:443) whose traffic is controlled by the firewall rule.
<SOURCE_IP_RANGE> is a comma-separated list of IP address blocks allowed to make inbound connections to the instances on the network (as long as they match the firewall rule).
<DESTINATION_IP_RANGE> is a list of IP address blocks; the firewall rule applies to traffic whose destination IP address falls in one of them.
Management Subnet Setup: SSH and HTTP/HTTPS ports
The Management Subnet requires an SSH port open to the IP address ranges your deployment allows.
In the following example the SSH port is opened to all IP addresses (with the --source-ranges argument):

```shell
# Open SSH ports from the Internet to the Management Subnet
gcloud compute --project=security-arcsight-nonprod firewall-rules create bastion-ssh \
  --description="Allows SSH communication to the Management Subnet" \
  --direction=INGRESS --priority=1010 --network=gcp-arcsight-test --action=ALLOW \
  --rules=tcp:22 --source-ranges=0.0.0.0/0 --destination-ranges=10.49.0.0/24
```
Using a comma-separated list of IP ranges instead limits the addresses allowed to make inbound connections, as in the next example:

```shell
# Open SSH ports from specific IPs to the Management Subnet
# (--rules must name the protocol as well as the port: tcp:22, not a bare 22)
gcloud compute --project=security-arcsight-nonprod firewall-rules create bastion-ssh \
  --description="Allows SSH communication to the Management Subnet" \
  --direction=INGRESS --priority=1010 --network=gcp-arcsight-test --action=ALLOW \
  --rules=tcp:22 --source-ranges=1.1.1.1/32,2.2.2.0/24 --destination-ranges=10.49.0.0/24
```
While working from the bastion you will need to connect to various resources on the internet. The ports, protocols and allowed ranges are shown in the following table:

Port | Protocol | Allowed CIDR | Description
---|---|---|---
80 | TCP | 0.0.0.0/0 | HTTP
443 | TCP | 0.0.0.0/0 | HTTPS
In the following example the HTTP and HTTPS ports are opened for the Management Subnet:

```shell
# Open HTTP and HTTPS ports from the Management Subnet to the Internet
gcloud compute --project=security-arcsight-nonprod firewall-rules create bastion \
  --description="Allows access from the Management Subnet to internet on HTTP and HTTPS ports" \
  --direction=EGRESS --priority=2000 --network=gcp-arcsight-test --action=ALLOW \
  --rules=tcp:80,tcp:443 --source-ranges=10.49.0.0/24 --destination-ranges=0.0.0.0/0
```
Private Subnet Setup: own ports, SSH and HTTP/HTTPS ports
The Private Subnet requires rules to communicate with: its own ports, the Management Subnet (through SSH) and internet resources (HTTP/HTTPS).
Communication between all nodes on the Private Subnet requires an ingress rule that allows all traffic coming from the same IP range (the same value for --source-ranges and --destination-ranges). For example:

```shell
# Open all ports from the Private Subnet to the Private Subnet
gcloud compute --project=security-arcsight-nonprod firewall-rules create private-to-private-ingress \
  --description="Allows communication on all ports between nodes within Private Subnets" \
  --direction=INGRESS --priority=1010 --network=gcp-arcsight-test --action=ALLOW \
  --rules=all --source-ranges=10.1.0.0/24 --destination-ranges=10.1.0.0/24
```
In the following example the SSH port is opened to allow communication from the Management Subnet to the Private Subnet:

```shell
# Open SSH ports from the Management Subnet to the Private Subnet
# (the rule name differs from the bastion-ssh rule created above, since firewall
# rule names must be unique within a project)
gcloud compute --project=security-arcsight-nonprod firewall-rules create management-to-private-ssh \
  --description="Allows SSH communication from the Management Subnet to the Private Subnet" \
  --direction=INGRESS --priority=1010 --network=gcp-arcsight-test --action=ALLOW \
  --rules=tcp:22 --source-ranges=10.49.0.0/24 --destination-ranges=10.1.0.0/24
```
For retrieving external resources (such as for product images from the ECR, OS updates, OMT, and similar files), internal resources (those inside the private subnet) need to be able to connect to the internet using HTTP/HTTPS. For example:
```shell
# Open HTTP and HTTPS ports from the Private Subnet to the Internet
gcloud compute --project=security-arcsight-nonprod firewall-rules create arcsight-suite-private-private-egress \
  --description="Allows access from the Private Subnets to internet on HTTP and HTTPS ports" \
  --direction=EGRESS --priority=2010 --network=gcp-arcsight-test --action=ALLOW \
  --rules=tcp:80,tcp:443 --source-ranges=10.1.0.0/24 --destination-ranges=0.0.0.0/0
```
Block all other communication attempts
An explicit deny rule that blocks all non-allowed communication must be created for both subnets. It uses the lowest priority (65535) so that every ALLOW rule above is evaluated first, as in the example below:

```shell
# Create an explicit rule that denies all non-allowed inbound communication
# to the Management and Private subnets
gcloud compute --project=security-arcsight-nonprod firewall-rules create deny-all-ingress \
  --description="Deny all non-allowed ingress communication to the Private and Management network" \
  --direction=INGRESS --priority=65535 --network=gcp-arcsight-test --action=DENY \
  --rules=all --source-ranges=0.0.0.0/0 --destination-ranges=10.1.0.0/24,10.49.0.0/24
```
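The following audit script is an added example, not part of this guide or the product: it checks a dump of the VPC firewall rules for the two properties the sections above care about, that no ingress rule leaves SSH open to the whole Internet (as the first bastion-ssh example does) and that the explicit deny-all ingress rule exists at priority 65535. The CSV layout and the way it is produced from gcloud are assumptions; the sample rows are constructed by hand.

```shell
#!/bin/sh
# Added audit helper (not part of the guide). Input: one CSV row per rule,
#   name,direction,priority,action,sourceRanges,rules
# with ';' between multiple ranges or protocols. Assumption: you produce it
# with gcloud compute firewall-rules list --network=<VPC_NETWORK_NAME>
# --format=csv (field expression omitted; adapt it to your gcloud version).

# Constructed sample dump; these rows are hand-written, not real output.
SAMPLE_RULES='bastion-ssh,INGRESS,1010,ALLOW,0.0.0.0/0,tcp:22
private-to-private-ingress,INGRESS,1010,ALLOW,10.1.0.0/24,all
bastion,EGRESS,2000,ALLOW,10.49.0.0/24,tcp:80;tcp:443
deny-all-ingress,INGRESS,65535,DENY,0.0.0.0/0,all'

# Print the names of INGRESS ALLOW rules that open SSH to every source address:
# sources include 0.0.0.0/0 and the rule permits tcp:22, all tcp, or all.
find_open_ssh() {
    printf '%s\n' "$1" | awk -F, '
        $2 == "INGRESS" && $4 == "ALLOW" &&
        index(";" $5 ";", ";0.0.0.0/0;") &&
        (index(";" $6 ";", ";tcp:22;") || index(";" $6 ";", ";tcp;") ||
         index(";" $6 ";", ";all;")) { print $1 }'
}

# Exit 0 only when a DENY-all INGRESS rule sits at the lowest priority (65535).
has_deny_all_ingress() {
    printf '%s\n' "$1" | awk -F, '
        $2 == "INGRESS" && $3 == "65535" && $4 == "DENY" && $6 == "all" { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Run both checks; return 1 if either fails so the script can gate a pipeline.
audit() {
    rc=0
    open=$(find_open_ssh "$1")
    if [ -n "$open" ]; then
        printf 'WARNING: SSH open to the Internet in rule(s): %s\n' "$open"
        rc=1
    fi
    if ! has_deny_all_ingress "$1"; then
        echo 'WARNING: no explicit deny-all INGRESS rule at priority 65535'
        rc=1
    fi
    return $rc
}

audit "$SAMPLE_RULES" || echo 'Sample rule set needs attention'
```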