There are 4 "default" firewall rules defined.

I want to disable one particular rule, default-allow-ssh, for only a specific host.

For some reason I don't see the tag default-allow-ssh in gcloud compute instances describe $VM:

tags:
  fingerprint: ioTF8nBLmIk=
  items:
  - allow-tcp-443
  - allow-tcp-80

I checked rule definition:

gcloud compute firewall-rules describe default-allow-ssh

allowed:
- IPProtocol: tcp
  ports:
  - '22'
description: Allow SSH from anywhere
direction: INGRESS
disabled: false
kind: compute#firewall
name: default-allow-ssh
network: https://www.googleapis.com/compute/v1/projects/.../global/networks/default
priority: 65534
selfLink: https://www.googleapis.com/compute/v1/projects/.../global/firewalls/default-allow-ssh
sourceRanges:
- 0.0.0.0/0

I see no targetTags or sourceTags in definition. Does that mean that rule is applied to entire project and can't be disabled per host?

1 Answer

I see no targetTags or sourceTags in definition. Does that mean that rule is applied to entire project and can't be disabled per host?

Yes, exactly. You can find more about the default firewall rules here.

It's best practice to make this rule less permissive by the use of tags or source IPs; however, you could also make another rule that denies SSH traffic to those specific VMs using a tag, perhaps allowing SSH only from a bastion host.
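The deny-by-tag approach the answer describes, written out as an added example (not part of the original answer). The rule names, the tags no-default-ssh and bastion, the priorities, the zone and the VM name are assumptions chosen for the example; default-allow-ssh at priority 65534 is the rule from the question. Because GCP evaluates lower priority numbers first, a deny at 1000 overrides the default allow, and an allow at 900 from the bastion overrides the deny. By default the script only prints the commands; set APPLY=1 with gcloud installed to run them.

```shell
#!/bin/sh
# Added example: build (and optionally apply) a tag-scoped SSH deny rule
# plus a bastion-only allow rule. Names, tags, priorities and the zone are
# assumptions for this example, not values from the question.
NETWORK="${NETWORK:-default}"
ZONE="${ZONE:-us-central1-a}"        # placeholder zone, adjust to your VM
VM="${VM:-my-vm}"                    # placeholder instance name
DENY_TAG="no-default-ssh"            # assumed tag for hosts that lose SSH
BASTION_TAG="bastion"                # assumed tag carried by the bastion

# Deny tcp/22 from anywhere to instances carrying DENY_TAG.
# Priority 1000 is a lower number than default-allow-ssh's 65534, so it wins.
deny_rule_cmd() {
  printf '%s' "gcloud compute firewall-rules create deny-ssh-tagged \
--network $NETWORK --direction INGRESS --priority 1000 \
--action DENY --rules tcp:22 --source-ranges 0.0.0.0/0 \
--target-tags $DENY_TAG"
}

# Allow tcp/22 to the same instances only from instances tagged BASTION_TAG
# in the same network. Priority 900 beats the deny rule at 1000.
allow_bastion_cmd() {
  printf '%s' "gcloud compute firewall-rules create allow-ssh-from-bastion \
--network $NETWORK --direction INGRESS --priority 900 \
--action ALLOW --rules tcp:22 --source-tags $BASTION_TAG \
--target-tags $DENY_TAG"
}

# Attach the tag to the host: the rules only bite once the instance carries
# it (the VM in the question only had allow-tcp-443 and allow-tcp-80).
tag_vm_cmd() {
  printf '%s' "gcloud compute instances add-tags $VM --zone $ZONE --tags $DENY_TAG"
}

# Check: show which rules actually apply to the instance after tagging.
check_cmd() {
  printf '%s' "gcloud compute instances network-interfaces get-effective-firewalls $VM --zone $ZONE"
}

# Extract the --priority value from a generated command line.
priority_of() { printf '%s\n' "$1" | sed -n 's/.*--priority \([0-9]*\).*/\1/p'; }

# Sanity check on the design: allow (bastion) must rank before deny, and deny
# must rank before the default rule at 65534, or the override does nothing.
priorities_ok() {
  a=$(priority_of "$(allow_bastion_cmd)"); d=$(priority_of "$(deny_rule_cmd)")
  [ "$a" -lt "$d" ] && [ "$d" -lt 65534 ]
}

if [ "${APPLY:-0}" = 1 ] && command -v gcloud >/dev/null 2>&1; then
  priorities_ok || { echo "priority ordering is wrong, refusing to apply" >&2; exit 1; }
  for c in "$(deny_rule_cmd)" "$(allow_bastion_cmd)" "$(tag_vm_cmd)" "$(check_cmd)"; do
    echo "+ $c"; sh -c "$c"
  done
else
  printf 'Dry run; set APPLY=1 to execute:\n%s\n%s\n%s\n%s\n' \
    "$(deny_rule_cmd)" "$(allow_bastion_cmd)" "$(tag_vm_cmd)" "$(check_cmd)"
fi
```

Source tags only match instances in the same VPC network; if the bastion lives elsewhere, replace --source-tags with --source-ranges and the bastion's address. The get-effective-firewalls check is the quickest way to confirm that deny-ssh-tagged now precedes default-allow-ssh for the tagged host.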