In today’s cloud-centric world, securing your virtual infrastructure is paramount. Google Cloud’s Virtual Private Cloud (VPC) offers a robust firewall system that acts as the first line of defense for your cloud resources. The VPC Firewall Rules mechanism is integral to the Cloud Next Generation Firewall (NGFW) Essentials package, providing foundational security services to manage and control network traffic effectively.
VPC Firewall Rule Components
A VPC firewall rule is composed of several critical components that define its behavior:
- Direction: Specifies whether the rule applies to incoming (ingress) or outgoing (egress) traffic; every rule has exactly one direction
- Priority: A numerical value (0-65535) that determines the rule’s precedence; lower numbers mean higher priority, and the default is 1000. If an allow rule and a deny rule share a priority, the deny rule takes precedence
- Action: Either allow or deny, indicating whether matching traffic is permitted or blocked
- Enforcement Status: Rules can be disabled and later re-enabled without being deleted; a disabled rule is never evaluated
- Target: Defines which VM instances the rule applies to: all instances in the network, instances carrying a given network tag, or instances running as a given service account. GKE nodes and App Engine flexible environment instances are VMs, so rules apply to them the same way
- Source or Destination Filters: Ingress rules filter on where traffic originates (source IP ranges, source tags, or source service accounts); egress rules filter on where it is destined (destination IP ranges)
- Protocols and Ports: Specifies the protocols (TCP, UDP, ICMP, ICMPv6, ESP, AH, SCTP, IPIP, or a protocol number) and, for TCP, UDP, and SCTP, the destination ports. Source ports cannot be filtered
- Logging Option: Enables logging of connections that match the rule to Cloud Logging for monitoring and auditing purposes
These components provide granular control over network traffic, enabling you to tailor security policies precisely to your needs.
Default Rules: Pre-populated vs Implied
Google Cloud VPC networks come with two types of default firewall rules:
- Pre-populated Rules: These are visible in the Google Cloud Console and can be modified or deleted. The default network comes with rules at priority 65534 that allow SSH (TCP 22), RDP (TCP 3389), and ICMP from any source, plus a rule allowing internal traffic between instances in the network (default-allow-internal). Because these ports are open to the whole internet, tightening or deleting them is usually the first hardening step
- Implied Rules: These are built-in rules that are not shown in the console, cannot be deleted, and always apply. Every VPC network has two implied IPv4 rules, both at priority 65535 (the lowest possible), so any rule you create overrides them:
- An allow egress rule permitting all outbound traffic to any destination (0.0.0.0/0)
- A deny ingress rule blocking all inbound traffic from any source (0.0.0.0/0)
These implied rules establish a secure baseline: unsolicited inbound traffic is blocked and outbound connections are allowed unless you add higher-priority rules that say otherwise. Note that the implied egress allow means a VM can reach the internet by default; restricting egress requires an explicit deny rule.
Firewall Rule Exceptions
Despite the firewall rules you configure, Google Cloud enforces certain exceptions:
- Some traffic is always allowed, such as communication between VM instances and the Google Cloud metadata server at 169.254.169.254 (which also provides DHCP, DNS, and NTP to the VM); an egress deny rule cannot cut a VM off from it
- Certain types of traffic are blocked or limited by Google Cloud for security and operational reasons; for example, outbound connections to TCP port 25 (SMTP) on external addresses are blocked by default, so an allow rule for that port has no effect
- Firewall rules cannot override these enforced exceptions, ensuring critical infrastructure communication and platform security remain intact
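To make the rule components, the implied rules, and the metadata-server exception concrete, the following script is an added example written for this article (it is not Google's implementation or any Google API). It simulates how a VPC network decides the fate of the first packet of a connection: disabled rules are skipped, the lowest priority number wins, deny beats allow at equal priority, the two implied rules sit at 65535, and egress to 169.254.169.254 is allowed regardless of egress deny rules. The rule set is constructed: the default network's pre-populated rules plus hypothetical custom rules named deny-ssh-from-internet, allow-ssh-via-iap, allow-web and deny-all-egress. 35.235.240.0/20 is the IAP TCP-forwarding source range; 203.0.113.0/24 and 198.51.100.0/24 are documentation address blocks. IPv4 only.

```python
"""Simulated evaluation of Google Cloud VPC firewall rules (added illustration,
not Google's code). Models: lowest priority number wins, deny beats allow at
equal priority, disabled rules are skipped, implied rules at 65535, and egress
to the metadata server is always allowed. IPv4 only."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

METADATA_SERVER = ipaddress.ip_address("169.254.169.254")
IMPLIED_PRIORITY = 65535  # lowest priority, reserved for the implied rules


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str                  # "INGRESS" or "EGRESS"
    action: str                     # "allow" or "deny"
    protocol: str                   # "tcp", "udp", "icmp" or "all"
    ports: tuple = ()               # destination ports; empty = all ports
    priority: int = 1000            # 0-65535, lower number = higher precedence
    ranges: tuple = ("0.0.0.0/0",)  # source ranges (ingress) / destination ranges (egress)
    target_tags: tuple = ()         # empty = every instance in the network
    disabled: bool = False          # enforcement status
    logging: bool = False


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str
    port: Optional[int] = None      # destination port (TCP/UDP only)
    instance_tags: tuple = ()       # network tags of the VM sending/receiving it


# The two implied IPv4 rules present in every VPC network.
IMPLIED_RULES = (
    Rule("implied-allow-egress", "EGRESS", "allow", "all", priority=IMPLIED_PRIORITY),
    Rule("implied-deny-ingress", "INGRESS", "deny", "all", priority=IMPLIED_PRIORITY),
)

# Constructed rule set: the default network's pre-populated rules (priority 65534;
# default-allow-internal simplified to "all" protocols) plus hypothetical custom
# rules. default-allow-rdp is shown disabled rather than deleted.
SAMPLE_RULES = (
    Rule("default-allow-internal", "INGRESS", "allow", "all", priority=65534,
         ranges=("10.128.0.0/9",)),
    Rule("default-allow-ssh", "INGRESS", "allow", "tcp", (22,), 65534),
    Rule("default-allow-rdp", "INGRESS", "allow", "tcp", (3389,), 65534, disabled=True),
    Rule("default-allow-icmp", "INGRESS", "allow", "icmp", priority=65534),
    Rule("deny-ssh-from-internet", "INGRESS", "deny", "tcp", (22,), 900),
    Rule("allow-ssh-via-iap", "INGRESS", "allow", "tcp", (22,), 800,
         ranges=("35.235.240.0/20",), target_tags=("ssh-via-iap",), logging=True),
    Rule("allow-web", "INGRESS", "allow", "tcp", (80, 443), 1000, target_tags=("web",)),
    Rule("deny-all-egress", "EGRESS", "deny", "all", priority=65000),
)


def _in_ranges(addr: str, ranges) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in ranges)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule apply to the first packet of a connection?"""
    if rule.disabled or rule.direction != pkt.direction:
        return False
    # Target filter: a tagged rule only applies to instances carrying one of its tags.
    if rule.target_tags and not set(rule.target_tags) & set(pkt.instance_tags):
        return False
    # Ingress rules filter on the source, egress rules on the destination.
    peer = pkt.src if pkt.direction == "INGRESS" else pkt.dst
    if not _in_ranges(peer, rule.ranges):
        return False
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.ports and pkt.port not in rule.ports:
        return False
    return True


def evaluate(pkt: Packet, rules=SAMPLE_RULES):
    """Return (action, rule_name, logged) for the rule that decides this packet."""
    # Platform exception: egress to the metadata server is always allowed and
    # no configured egress deny rule can override it.
    if pkt.direction == "EGRESS" and ipaddress.ip_address(pkt.dst) == METADATA_SERVER:
        return ("allow", "always-allowed:metadata-server", False)
    candidates = [r for r in (*rules, *IMPLIED_RULES) if matches(r, pkt)]
    # Lowest priority number wins; at equal priority deny beats allow.
    candidates.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    winner = candidates[0]  # the implied rules guarantee at least one match
    return (winner.action, winner.name, winner.logging)


if __name__ == "__main__":
    probes = [
        Packet("INGRESS", "tcp", "203.0.113.5", "10.128.0.2", 22, ("web",)),
        Packet("INGRESS", "tcp", "35.235.240.10", "10.128.0.2", 22, ("ssh-via-iap",)),
        Packet("INGRESS", "tcp", "203.0.113.5", "10.128.0.2", 443, ("web",)),
        Packet("INGRESS", "tcp", "203.0.113.5", "10.128.0.3", 3389),
        Packet("EGRESS", "tcp", "10.128.0.2", "169.254.169.254", 80),
        Packet("EGRESS", "tcp", "10.128.0.2", "198.51.100.7", 443),
    ]
    for p in probes:
        print(p.direction, p.protocol, p.src, "->", p.dst, p.port, evaluate(p))
```

Running it shows the interactions the text describes: SSH from the internet is denied by the priority-900 deny rule even though default-allow-ssh still exists at 65534; SSH from the IAP range to a VM tagged ssh-via-iap is allowed (and logged) because priority 800 beats 900; RDP falls through to the implied ingress deny because the pre-populated rule is disabled; and the VM can still reach the metadata server despite deny-all-egress. Each Rule field corresponds to a flag of `gcloud compute firewall-rules create` (--direction, --priority, --action, --rules, --source-ranges or --destination-ranges, --target-tags, --disabled, --enable-logging), so the same rule set can be created for real once the simulated outcome matches what you intend.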
Relevant Training
Check out our Secure Google Cloud Networking video series to learn more about VPC Firewall Rules and their implementation in Google Cloud.
—
VPC Firewall Rules are a fundamental part of securing your Google Cloud environment, providing stateful, network-level control over traffic to and from your VM instances, helping you implement best practices such as least-privilege access and granular traffic filtering.
By understanding the components of firewall rules, the role of default and implied rules, and the exceptions enforced by Google Cloud, you can design robust firewall policies that protect your workloads while maintaining necessary connectivity.