Reduce Security Risk with Google Cloud Allow List Firewall

Published on Jun 05, 2020 by Stanley Zheng

Networking on Google Cloud is very straightforward compared to other cloud providers we’ve used. To improve UX, new GCP projects come with a default network that allows permissive ingress rules such as 0.0.0.0/32 with a white list of common ports such as 80/443/25. A simple way to improve a project's network security is to define your own subnetwork with stricter rules and delete the default network.

After you’ve created your new virtual private network topology, your network becomes more locked down. So locked down that even Google services such as Google Cloud Shell are unable to communicate with your machines in the subnetworks.

Here is a simple way to keep strict firewall rules while still allowing communication with Google services. Below is a script that is buried on the Google Compute FAQ page, detailing known Google IPs. These known Google service IPs can be generated and, with some bash magic, serialized into an IP allow-list / white-list.
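The following is an added example for this post, not the gist linked below or Google's FAQ script. It shows the allow-list idea end to end: take a document of Google-published prefixes, validate and collapse them, and render a `gcloud compute firewall-rules create` command whose `--source-ranges` is restricted to those prefixes instead of the whole Internet. The JSON layout assumed here is that of https://www.gstatic.com/ipranges/goog.json (a top-level `prefixes` list with `ipv4Prefix` / `ipv6Prefix` entries); the sample document and the network and rule names are constructed for the example.

```python
"""Build a Google Cloud firewall allow-list from Google-published IP ranges.

Added example, not the post's gist. Assumes the goog.json layout (a
"prefixes" list whose entries carry "ipv4Prefix" or "ipv6Prefix"). The
sample document is constructed inline so the script runs offline.
"""
import ipaddress
import json
import shlex

# Constructed sample in the goog.json layout (not real Google data; the
# prefixes are documentation ranges from RFC 5737 / RFC 3849).
SAMPLE_RANGES_JSON = json.dumps({
    "syncToken": "0000000000",
    "creationTime": "2020-06-05T00:00:00",
    "prefixes": [
        {"ipv4Prefix": "192.0.2.0/25"},
        {"ipv4Prefix": "192.0.2.128/25"},   # adjacent to the one above: collapses
        {"ipv4Prefix": "198.51.100.0/24"},
        {"ipv6Prefix": "2001:db8::/32"},
        {"ipv4Prefix": "0.0.0.0/0"},        # must never land in an allow-list
        {"ipv4Prefix": "not-a-prefix"},     # malformed entry, skipped
    ],
})


def extract_prefixes(raw_json: str, want_ipv6: bool = False):
    """Return validated, collapsed source ranges from a goog.json-style document.

    Unparseable entries are dropped, and any range with prefix length 0 is
    rejected: that is exactly the any-source ingress the post says to remove.
    """
    doc = json.loads(raw_json)
    nets = []
    for entry in doc.get("prefixes", []):
        text = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if not text:
            continue
        try:
            net = ipaddress.ip_network(text, strict=True)
        except ValueError:
            continue  # skip anything that is not a clean network prefix
        if net.prefixlen == 0:
            continue  # 0.0.0.0/0 or ::/0 would re-open the rule to everyone
        if net.version == 6 and not want_ipv6:
            continue
        nets.append(net)
    # collapse_addresses merges adjacent/overlapping networks of one version
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in list(v4) + list(v6)]


def firewall_rule_command(name, network, ports, source_ranges, target_tag=None):
    """Render a gcloud command creating an ingress ALLOW rule limited to
    source_ranges; the flags are those of `gcloud compute firewall-rules create`.
    """
    if not source_ranges:
        raise ValueError("refusing to create a rule with no source ranges")
    args = [
        "gcloud", "compute", "firewall-rules", "create", name,
        f"--network={network}",
        "--direction=INGRESS",
        "--action=ALLOW",
        "--rules=" + ",".join(f"tcp:{p}" for p in ports),
        "--source-ranges=" + ",".join(source_ranges),
    ]
    if target_tag:
        # scope the rule to tagged instances rather than the whole network
        args.append(f"--target-tags={target_tag}")
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    # Constructed network and rule names for the example.
    ranges = extract_prefixes(SAMPLE_RANGES_JSON)
    print(firewall_rule_command("allow-google-ssh", "my-vpc", [22],
                                ranges, target_tag="ssh-from-google"))
```

Feeding the live JSON document into `extract_prefixes` instead of the constructed sample gives the same shape of output; the printed command can then be reviewed before it is run against the project.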

Try out the generator below and stay secure!

https://gist.github.com/stzhng/4239efa93fa5706966825af2c69f4956