Reputation: 35
We are using a shared VPC with two subnets (10.65.0.0/16 and 10.66.0.0/16). The shared VPC has a connection to the on-prem network, so both subnets can access the resources hosted on-prem. Since we use one subnet for the DEV environment and the other one for the PROD environment, we want to block all traffic between those two subnets. I don't want to manage those firewall rules by using tags or service accounts of each instance hosted on those subnets, since the owners of all projects hosted in those two subnets may not always follow the rules, and that causes extra communication to clarify. Ideally, I want to create some firewall rules to block the traffic just using those two IP ranges of the subnets. To isolate the subnets from each other, I need to create a "deny" firewall rule with source "10.65.0.0/16" and destination "10.66.0.0/16", and another one with source "10.66.0.0/16" and destination "10.65.0.0/16". From what I saw, in both egress and ingress firewalls, it's only allowed to set IP ranges on either source or destination, but not both. It looks like there is no way to set both source and destination in a single firewall rule using CIDR.
I know using a peered network can easily cut the traffic between VPCs/subnets. But there is a limitation in VPC: the routing between 2+ layers of peering is terrible, and resources managed by Google already involve a layer of peering, so if possible I don't want to involve another layer of peered network. If there are no better ideas, I probably have to use either tags or service accounts to create firewalls one by one.
Please share your ideas, or any other way to resolve my problem.
Thank you
Upvotes: 0
Views: 1383
Reputation: 35
Consulted Google tech support for this question. Their suggestion is no surprise. It cannot be done by setting a source IP CIDR and a destination CIDR. Their suggestion is using "Tags" + "resource IP ranges".
e.g. allow all [ingress], Target tags: vmGroup-1, Source IPv4: CIDR of vmGroup-1
Basically, going this way instead of creating "deny" firewalls is caused by one advantage of VPC and one limitation of VPC. The advantage is: in VPC the traffic is blocked between any instances naturally, even if they are in the same subnet; firewalls are created in the VPC but work on each instance individually, so it's like each instance has its own firewall. The limitation is: so far, VPC doesn't allow a firewall rule to be created with both source and destination IP ranges defined.
Upvotes: 1
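To make the answer's reasoning concrete, here is an added example (not from the question, the answer, or Google's documentation) that models how VPC ingress rules are evaluated per instance: lowest priority number first, deny wins on ties, and an implied deny-all ingress rule at priority 65535 as the last resort. The two allow rules mirror the answer's "target tags + source CIDR" suggestion; the on-prem range 192.168.0.0/16, the instance names and addresses, and the `cross_subnet_leaks` check are constructed for the example. The gcloud flags shown in the comment (`--direction`, `--action`, `--rules`, `--target-tags`, `--source-ranges`) are real, but the network name is a placeholder.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Rule:
    name: str
    priority: int            # lower number is evaluated first
    action: str              # "allow" or "deny"
    source_ranges: List[str]  # packet source must fall inside one of these CIDRs
    target_tags: frozenset   # empty = rule applies to every instance in the network


@dataclass
class Instance:
    name: str
    ip: str
    tags: frozenset


# Rules modelled on the answer's suggestion (constructed example). The gcloud
# equivalent of the first rule would be roughly:
#   gcloud compute firewall-rules create allow-vmgroup-1 --network NETWORK_NAME \
#       --direction INGRESS --action ALLOW --rules all \
#       --target-tags vmGroup-1 --source-ranges 10.65.0.0/16
RULES = [
    Rule("allow-vmgroup-1", 1000, "allow", ["10.65.0.0/16"], frozenset({"vmGroup-1"})),
    Rule("allow-vmgroup-2", 1000, "allow", ["10.66.0.0/16"], frozenset({"vmGroup-2"})),
    # Assumed on-prem range reachable through the shared VPC (placeholder value).
    Rule("allow-onprem", 1000, "allow", ["192.168.0.0/16"], frozenset()),
]

# VPC networks carry an implied deny-all ingress rule at the lowest priority.
IMPLIED_DENY = Rule("implied-deny-ingress", 65535, "deny", ["0.0.0.0/0"], frozenset())


def ingress_allowed(dst: Instance, src_ip: str, rules=RULES) -> Tuple[bool, str]:
    """Evaluate ingress to one instance the way the VPC does: per instance, first match wins."""
    src = ipaddress.ip_address(src_ip)
    # Same priority and conflicting actions: deny takes precedence, so sort deny first.
    ordered = sorted(rules + [IMPLIED_DENY],
                     key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in ordered:
        if rule.target_tags and not (rule.target_tags & dst.tags):
            continue  # rule is not targeted at this instance
        if any(src in ipaddress.ip_network(cidr) for cidr in rule.source_ranges):
            return rule.action == "allow", rule.name
    return False, IMPLIED_DENY.name  # not reached: the implied deny matches every source


DEV_NET = ipaddress.ip_network("10.65.0.0/16")
PROD_NET = ipaddress.ip_network("10.66.0.0/16")


def cross_subnet_leaks(instances: List[Instance], rules=RULES) -> List[Tuple[str, str]]:
    """Return (src, dst) instance-name pairs where ingress is allowed across DEV/PROD."""
    leaks = []
    for src in instances:
        for dst in instances:
            if src is dst:
                continue
            s, d = ipaddress.ip_address(src.ip), ipaddress.ip_address(dst.ip)
            crosses = (s in DEV_NET and d in PROD_NET) or (s in PROD_NET and d in DEV_NET)
            if crosses and ingress_allowed(dst, src.ip, rules)[0]:
                leaks.append((src.name, dst.name))
    return leaks


# Constructed instances: one per environment, plus one that a project owner forgot to tag.
INSTANCES = [
    Instance("dev-vm", "10.65.1.10", frozenset({"vmGroup-1"})),
    Instance("prod-vm", "10.66.1.10", frozenset({"vmGroup-2"})),
    Instance("untagged-vm", "10.66.5.5", frozenset()),
]

# A PROD instance that was wrongly given the DEV tag: the case the question worries about.
MISTAGGED = Instance("mistagged-vm", "10.66.7.7", frozenset({"vmGroup-1"}))

if __name__ == "__main__":
    for dst in INSTANCES:
        for src_ip in ("10.65.1.10", "10.66.2.2", "192.168.10.1"):
            print(f"{src_ip:>14} -> {dst.name:<12}", ingress_allowed(dst, src_ip))
    print("leaks (correct tags):", cross_subnet_leaks(INSTANCES))
    print("leaks (with mistag):", cross_subnet_leaks(INSTANCES + [MISTAGGED]))
```

With correctly tagged instances the check reports no cross-subnet path, and the untagged instance is unreachable even from its own subnet, which is the fail-closed behaviour the answer describes. The mistagged instance shows the residual risk of a tag-based design: a single wrong tag on a PROD instance opens it to the DEV range, so an audit of tags per subnet (the `cross_subnet_leaks` check, or its real-world equivalent over the instance inventory) is the control that replaces the unavailable source+destination CIDR rule.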