Bobcares

Configure Firewall Rules in GCP – How to do it

by | Jul 4, 2021

Wondering how to Configure Firewall Rules in GCP? We can help you.

Google Cloud Platform (GCP) firewall rules let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration you specify.

As a part of our Server Management Services, we assist our customers with several firewall queries.

Today, let’s see how our Support Engineers configure firewall rules in GCP.

How to configure Firewall Rules in GCP?

When you create a firewall rule, you specify a Virtual Private Cloud (VPC) network and a set of components that define what the rule does.

Let us see the steps our Support Techs follow to configure firewall rules for Filestore.

First and foremost, we need to create a firewall ingress rule to enable traffic from Filestore instances to your clients under the following conditions:

  • You are using NFS file locking in the applications that access the Filestore instance.
  • The VPC network you are using has firewall rules that block TCP port 111 or the ports used by the statd or nlockmgr daemons. To determine what ports the statd and nlockmgr daemons use on the client, check the current port settings.
  • If the statd and nlockmgr ports aren’t set, and you think you might need to configure firewall rules at any point, we recommend setting those ports consistently on all client VM instances, so that a rule written for today’s ports keeps matching after the daemons restart.

If the VPC network has a firewall egress rule that blocks traffic to TCP ports 111, 2046, 2049, 2050, or 4045 and targets the IP address ranges used by your Filestore instances, then you also need to create a firewall egress rule to enable traffic from your clients to your Filestore instances.

You can get the reserved IP address range for any Filestore instance from the Filestore instances page or by running gcloud filestore instances describe.

Steps to create a firewall rule to enable traffic from Filestore instances.

1. Firstly, check the current port settings to determine what ports the statd and nlockmgr daemons use on the client.

2. Then, go to the Firewall page in the Google Cloud Console.

3. Next, click Create firewall rule.

4. Enter a Name for the firewall rule. This name must be unique within the project.

5. Specify the Network in which you want to implement the firewall rule.

6. Specify the Priority of the rule.

If this rule will not conflict with any other rules, you can leave the default of 1000.

If there is another ingress rule that targets the same IP address range, protocols, and ports, and also has a value of Deny for the Action on match field, set the priority of the new ingress rule to a lower value than that of the existing ingress rule (in GCP a lower number means a higher priority), so that Google Cloud will apply it.

7. Next, choose Ingress for Direction of traffic.

8. Then, choose Allow for Action on match.

9. For Targets, take one of the following actions:

  • If you want to allow traffic to all clients in the network from Filestore instances, choose All instances in the network.
  • If you want to allow traffic to specific clients from Filestore instances, choose Specified target tags.

10. Leave the default value of IP ranges for Source filter.

11. For Source IP ranges, type the IP address ranges of the Filestore instances you want to allow access from. You can enter the internal IP address ranges that you are using with your Filestore instances to enable all Filestore traffic, or you can enter the IP addresses of specific Filestore instances. You must use CIDR notation.

12. Then, leave the default value of None for Second source filter.

13. For Protocols and ports, choose Specified protocols and ports and then:

  • Select the tcp check box and enter 111,STATDOPTS,nlm_tcpport in the associated field, where STATDOPTS is the port used by the statd daemon on the client and nlm_tcpport is the TCP port used by the nlockmgr daemon on the client.
  • Select the udp check box and enter the value of nlm_udpport, which is the UDP port used by nlockmgr on the client.

14. Finally, choose Create.


Steps followed by our Support Techs to create a firewall rule to enable traffic to Filestore instances.

1. Firstly, go to the Firewall page in the Google Cloud Console.

2. Then, click Create firewall rule.

3. Then, enter a Name for the firewall rule. This name must be unique within the project.

4. Specify the Network in which you want to implement the firewall rule.

5. Specify the Priority of the rule.

If this rule will not conflict with any other rules, you can leave the default of 1000.

If there is another egress rule that targets the same IP address range, protocols, and ports, and also has a value of Deny for the Action on match field, set the priority of the new egress rule to a lower value than that of the existing egress rule (in GCP a lower number means a higher priority), so that Google Cloud will apply it.

6. Then, choose Egress for Direction of traffic.

7. Next, choose Allow for Action on match.

8. For Targets, take one of the following actions:

  • If you want to allow traffic from all clients in the network to Filestore instances, choose All instances in the network.
  • If you want to allow traffic from specific clients to Filestore instances, choose Specified target tags. Type the instance names of the clients in Target tags.

9. For Destination IP ranges, type the IP address ranges of the Filestore instances you want to allow access to. You can enter the internal IP address ranges that you are using with your Filestore instances to enable traffic to all Filestore instances, or you can enter the IP addresses of specific Filestore instances. You must use CIDR notation.

10. For Protocols and ports, choose Specified protocols and ports. Then select the tcp check box and enter 111,2046,2049,2050,4045 in the associated field.

11. Finally, choose Create.
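The same two rules can be created from the command line. The following POSIX shell script is an added example, not part of the original post: it reads the statd and nlockmgr ports from constructed sample lines in the formats used by /etc/sysconfig/nfs and /etc/modprobe.d/lockd.conf, refuses to build the ingress rule when a port is unset, and prints the gcloud equivalents of both procedures above. The network name "default", the target tag "nfs-client" and the Filestore range 10.10.0.0/29 are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): read the statd and nlockmgr
# ports from a client's NFS settings and compose the gcloud commands that
# mirror the two console procedures above. Placeholders assumed here: network
# "default", client network tag "nfs-client", Filestore range 10.10.0.0/29.
# Constructed sample of a client's NFS settings, in the forms used by
# /etc/sysconfig/nfs and /etc/modprobe.d/lockd.conf respectively.
SAMPLE_NFS_CONF='STATDOPTS="-p 2020"'
SAMPLE_LOCKD_CONF='options lockd nlm_tcpport=32803 nlm_udpport=32769'
NETWORK="default"                # placeholder
TARGET_TAG="nfs-client"          # placeholder tag carried by the client VMs
FILESTORE_RANGE="10.10.0.0/29"   # placeholder; see gcloud filestore instances describe

# Port given to statd via STATDOPTS="-p NNNN"; prints nothing if unset.
statd_port() {
  printf '%s\n' "$1" | sed -n 's/.*STATDOPTS="[^"]*-p *\([0-9][0-9]*\).*/\1/p'
}

# nlm_tcpport or nlm_udpport from the lockd module options; $2 is tcp or udp.
nlm_port() {
  printf '%s\n' "$1" | sed -n "s/.*nlm_${2}port=\([0-9][0-9]*\).*/\1/p"
}

# --rules value for the ingress rule: tcp:111 plus the statd and nlockmgr
# ports. Returns 1 when any port is unset: a rule built from ephemeral ports
# stops matching as soon as a daemon restarts on a different port.
ingress_rules_arg() {
  statd=$(statd_port "$1"); tcp=$(nlm_port "$2" tcp); udp=$(nlm_port "$2" udp)
  [ -n "$statd" ] && [ -n "$tcp" ] && [ -n "$udp" ] || return 1
  printf 'tcp:111,tcp:%s,tcp:%s,udp:%s\n' "$statd" "$tcp" "$udp"
}

# Fixed Filestore ports for the egress rule, as listed in the post.
egress_rules_arg() { printf 'tcp:111,tcp:2046,tcp:2049,tcp:2050,tcp:4045\n'; }

# Ingress: allow traffic from the Filestore range to the tagged clients.
ingress_cmd() {
  rules=$(ingress_rules_arg "$1" "$2") || return 1
  printf 'gcloud compute firewall-rules create allow-filestore-ingress --network=%s --direction=INGRESS --priority=1000 --action=ALLOW --rules=%s --source-ranges=%s --target-tags=%s\n' \
    "$NETWORK" "$rules" "$FILESTORE_RANGE" "$TARGET_TAG"
}

# Egress: allow traffic from the tagged clients to the Filestore range.
egress_cmd() {
  printf 'gcloud compute firewall-rules create allow-filestore-egress --network=%s --direction=EGRESS --priority=1000 --action=ALLOW --rules=%s --destination-ranges=%s --target-tags=%s\n' \
    "$NETWORK" "$(egress_rules_arg)" "$FILESTORE_RANGE" "$TARGET_TAG"
}
ingress_cmd "$SAMPLE_NFS_CONF" "$SAMPLE_LOCKD_CONF"   # printed, not executed
egress_cmd
```

The commands are only printed, so you can review the ports and ranges before pasting them into a shell that is authenticated to the right project.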


Conclusion

In short, today we saw how our Support Techs configured Firewall Rules in GCP.
