GCP VPC firewall rules are the primary mechanism for controlling network traffic to and from your instances. They act as a distributed, stateful firewall evaluated at the instance level — not at a subnet boundary. Understanding how rules are structured, evaluated, and targeted is essential for building secure GCP environments.
Firewall rules are defined at the VPC network level and enforced per instance, at the VM's network interface, on every instance a rule targets. Each rule either allows or denies traffic based on:
Every VPC network has two implied rules that cannot be deleted, but can be overridden by any user-defined rule with a higher priority (a lower number):
| Rule | Priority | Action | Description |
|---|---|---|---|
| Allow all egress | 65535 | Allow | Permits all outbound traffic |
| Deny all ingress | 65535 | Deny | Blocks all inbound traffic |
Together these give a custom VPC network a secure-by-default posture for inbound traffic: nothing can reach an instance unless a rule explicitly allows it. Two caveats matter in practice. First, the implied egress rule is permissive, so outbound connections (and with them any data exfiltration path) are allowed unless you add explicit egress deny rules. Second, the auto-created `default` network is not secure by default: it ships with pre-populated rules such as `default-allow-ssh` (tcp:22 from 0.0.0.0/0), `default-allow-rdp` (tcp:3389 from 0.0.0.0/0), `default-allow-icmp` and `default-allow-internal`, which you should review or delete.
Rules are evaluated for the first packet of each connection; because the firewall is stateful, return traffic for an allowed connection is permitted without consulting the rules again. Priorities run from 0 to 65535, and the matching rule with the lowest number wins. If two matching rules share the same priority, deny takes precedence over allow. Only when no user-defined rule matches do the implied rules apply.
Example evaluation for an incoming SSH packet (the lesson states the priority of the first rule only):

| Priority | Source range | Target | Result |
|---|---|---|---|
| 100 | 10.0.0.0/8 | tag `allow-ssh` | Matches if the instance has the tag and the source is in range |
| higher number than 100 | 0.0.0.0/0 | all instances | Evaluated only if rule 100 did not match |

Network tags are strings attached to instances. Firewall rules can target instances by tag, enabling role-based access control. Keep in mind that a tag is not a strong identity: anyone with permission to edit an instance (for example `compute.instances.setTags`) can add or remove tags and so move the instance in or out of a rule's scope. For rules that gate sensitive access, prefer `--target-service-accounts`, which ties the rule to the identity the instance runs as.
```bash
# Create an ingress rule that allows HTTP and HTTPS from anywhere
# to instances carrying the network tag "web-server".
# Note that 0.0.0.0/0 exposes the listeners to the whole internet;
# narrow --source-ranges wherever the service is not meant to be public.
gcloud compute firewall-rules create allow-http \
  --network=my-vpc \
  --direction=INGRESS \
  --allow=tcp:80,tcp:443 \
  --target-tags=web-server \
  --source-ranges=0.0.0.0/0 \
  --priority=1000
```
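The evaluation order described above, together with the tag targeting used by the `allow-http` rule, as an added example that is not part of the original lesson or of any Google tooling: a small Python model of how GCP picks the deciding rule for one packet. It assumes the catch-all rule in the SSH example is a deny at priority 1000 (the lesson gives neither its priority nor its action), models rule attributes after the gcloud flags used on this page, and uses a constructed rule set and constructed packets.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added illustrative model of GCP VPC firewall evaluation; not GCP code.
# Assumption: rule attributes mirror the gcloud flags used in the lesson
# (priority, direction, action, protocols/ports, ranges, target tags).


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                   # 0 = evaluated first ... 65535 = last
    direction: str                  # "INGRESS" or "EGRESS"
    action: str                     # "allow" or "deny"
    protocols: tuple                # ("tcp:22",), ("tcp:8000-8100",), ("udp",), ("all",)
    source_ranges: tuple = ()       # CIDRs matched against the packet source (INGRESS)
    destination_ranges: tuple = ()  # CIDRs matched against the destination (EGRESS)
    target_tags: frozenset = frozenset()  # empty = applies to every instance


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    protocol: str
    port: int


def _protocol_matches(specs, protocol, port):
    """Match gcloud-style specs: 'all', 'tcp', 'tcp:22', 'tcp:8000-8100'."""
    for spec in specs:
        if spec == "all":
            return True
        proto, _, ports = spec.partition(":")
        if proto != protocol:
            continue
        if not ports:                       # bare protocol means every port
            return True
        lo, _, hi = ports.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _in_ranges(addr, cidrs):
    ip = ip_address(addr)
    return any(ip in ip_network(c) for c in cidrs)


def _matches(rule, pkt, tags):
    if rule.direction != pkt.direction:
        return False
    if rule.target_tags and not (rule.target_tags & tags):
        return False                        # rule targets tags this instance lacks
    if rule.direction == "INGRESS" and not _in_ranges(pkt.src, rule.source_ranges):
        return False
    if rule.direction == "EGRESS" and not _in_ranges(pkt.dst, rule.destination_ranges):
        return False
    return _protocol_matches(rule.protocols, pkt.protocol, pkt.port)


def evaluate(rules, pkt, instance_tags=()):
    """Return (action, rule_name) for the first packet of a connection.

    Lowest priority number wins; among matching rules of equal priority a
    deny beats an allow; if nothing matches, the implied rules decide.
    """
    tags = frozenset(instance_tags)
    matching = [r for r in rules if _matches(r, pkt, tags)]
    if matching:
        winner = min(matching, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
        return winner.action, winner.name
    if pkt.direction == "EGRESS":
        return "allow", "implied-allow-egress"
    return "deny", "implied-deny-ingress"


# Constructed rule set: the SSH pair from the evaluation example (the catch-all
# deny is assumed to be priority 1000) plus allow-http from the gcloud command.
RULES = (
    Rule("allow-ssh-internal", 100, "INGRESS", "allow", ("tcp:22",),
         source_ranges=("10.0.0.0/8",), target_tags=frozenset({"allow-ssh"})),
    Rule("deny-ssh-all", 1000, "INGRESS", "deny", ("tcp:22",),
         source_ranges=("0.0.0.0/0",)),
    Rule("allow-http", 1000, "INGRESS", "allow", ("tcp:80", "tcp:443"),
         source_ranges=("0.0.0.0/0",), target_tags=frozenset({"web-server"})),
)


def ssh_from(src, tags=()):
    """Evaluate an inbound SSH packet from src against RULES (constructed dst)."""
    return evaluate(RULES, Packet("INGRESS", src, "10.128.0.2", "tcp", 22), tags)


if __name__ == "__main__":
    print(ssh_from("10.1.2.3", {"allow-ssh"}))     # ('allow', 'allow-ssh-internal')
    print(ssh_from("10.1.2.3"))                     # ('deny', 'deny-ssh-all')
    print(ssh_from("203.0.113.5", {"allow-ssh"}))   # ('deny', 'deny-ssh-all')
    print(evaluate(RULES, Packet("INGRESS", "203.0.113.5", "10.128.0.2", "tcp", 443),
                   {"web-server"}))                 # ('allow', 'allow-http')
```

Run it directly to print the four scenarios. The tie-break is the case worth remembering: when a matching allow and a matching deny share a priority, the deny wins, so adding an allow rule at the same priority as an existing deny changes nothing, and the fix is a lower priority number on the allow or a narrower deny.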