Create firewall rules

Use the firewall-rules module to create custom firewall rules for your existing VPC networks.

This module lets you define specific ingress and egress traffic policies. By using these policies, you can help secure your infrastructure by ensuring that only authorized connections reach your virtual machine (VM) instances. You can use this module with other Cluster Toolkit modules to construct app-specific security perimeters, or you can combine it with the pre-existing-vpc module to authorize traffic for pre-existing networks.

For the complete list of inputs and outputs for this module, see the firewall-rules module page in the Cluster Toolkit GitHub repository.

Before you begin

Before you begin, verify that you meet the following requirements:

  • You've installed and configured Cluster Toolkit. For installation instructions, see Set up Cluster Toolkit.
  • You have an existing cluster blueprint. You can use and modify an existing blueprint or create one from scratch. For a working example of a blueprint configured for the firewall-rules module, see the examples/gke-a4/gke-a4.yaml file. For more information about creating and customizing blueprints, see Cluster blueprint.
  • To view a complete list of blueprints, go to the Cluster blueprint catalog page.
  • The firewall-rules module doesn't create a long-running workload or a cluster by itself. It creates firewall rules in your VPC network that control traffic between cluster components.

Required roles

To get the permissions that you need to create firewall rules, ask your administrator to grant you the Compute Network Admin (roles/compute.networkAdmin) IAM role on your project. For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Define firewall rules

To help secure your network, specify only the ports, protocols, and IP address ranges that your deployment actually requires. Every rule you define is additive: a source range or port you open stays open for every VM in the destination range, so keep the source ranges narrow and avoid opening all ports to anything outside the cluster's own subnet.

The following example from the ml-slurm.yaml file on GitHub shows how to define ingress rules. This configuration assumes that the default VPC network requires internal traffic access and Identity-Aware Proxy (IAP) tunneling for Secure Shell (SSH) connections. The first rule permits all TCP and UDP ports, plus ICMP, only between addresses inside the subnet that the pre-existing-vpc module resolves as $(network.subnetwork_address). The second rule permits TCP port 22 only from 35.235.240.0/20, the source range that IAP uses for TCP forwarding, so SSH is reachable through IAP but not directly from the internet.

- group: primary
  modules:
  - id: network
    source: modules/network/pre-existing-vpc

  # This example assumes that the default network requires internal traffic
  # access and IAP tunneling for SSH connections
  - id: firewall_rule
    source: modules/network/firewall-rules
    use:
    - network
    settings:
      ingress_rules:
      - name: $(vars.deployment_name)-allow-internal-traffic
        description: Allow internal traffic
        destination_ranges:
        - $(network.subnetwork_address)
        source_ranges:
        - $(network.subnetwork_address)
        allow:
        - protocol: tcp
          ports:
          - 0-65535
        - protocol: udp
          ports:
          - 0-65535
        - protocol: icmp
      - name: $(vars.deployment_name)-allow-iap-ssh
        description: Allow IAP-tunneled SSH connections
        destination_ranges:
        - $(network.subnetwork_address)
        source_ranges:
        - 35.235.240.0/20
        allow:
        - protocol: tcp
          ports:
          - 22
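The blueprint above is only as safe as the ranges and ports you put in it, and a typo such as a 0.0.0.0/0 source range is easy to miss in review. The following script is an added example, not Cluster Toolkit code, that audits a list of ingress_rules offline for the three mistakes a reviewer most wants to catch: a source range that matches the whole internet, all TCP or UDP ports opened to a source outside the destination subnet, and SSH reachable from anything other than the subnet itself or the IAP TCP-forwarding range. It assumes that the rules have already been loaded from the blueprint into Python dicts with the same keys as the YAML above (for example with PyYAML's yaml.safe_load), and that you supply the concrete CIDR for any $(...) reference, since those are only resolved by the Toolkit at deploy time. The sample rules and subnet are constructed for the example; the third rule is deliberately misconfigured to show a finding.

```python
"""Offline audit of firewall-rules ingress_rules from a Cluster Toolkit blueprint.

Added example, not part of Cluster Toolkit. Rules are plain dicts with the
keys used in the blueprint: name, source_ranges, destination_ranges, allow.
"""
import ipaddress

# Source range used by IAP TCP forwarding (the range in the blueprint above).
IAP_TCP_FORWARDING_RANGE = ipaddress.ip_network("35.235.240.0/20")
SSH_PORT = 22
ALL_PORTS = 65536


def _resolve(range_str, variables):
    """Map a '$(...)' blueprint reference to a CIDR via `variables`.

    Returns None when the reference cannot be resolved offline.
    """
    cidr = variables.get(range_str, range_str)
    if cidr.startswith("$("):
        return None
    return ipaddress.ip_network(cidr, strict=False)


def _contained(inner, outer):
    """True if `inner` is a subnet of `outer`; False for mixed IP versions."""
    try:
        return inner.subnet_of(outer)
    except TypeError:
        return False


def _port_set(spec):
    """Expand ['22', '0-65535'] into a set of ints; no list means all ports."""
    if not spec:
        return set(range(ALL_PORTS))
    ports = set()
    for item in spec:
        lo, _, hi = str(item).partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit_ingress_rules(rules, variables):
    """Return (rule_name, finding) tuples for risky ingress rules."""
    findings = []
    for rule in rules:
        name = rule["name"]
        dests = [_resolve(r, variables) for r in rule.get("destination_ranges", [])]
        for src in rule.get("source_ranges", []):
            src_net = _resolve(src, variables)
            if src_net is None:
                findings.append((name, f"unresolved source reference {src}"))
                continue
            # A source inside the destination subnet is cluster-internal traffic.
            internal = any(d is not None and _contained(src_net, d) for d in dests)
            if src_net.prefixlen == 0:
                findings.append((name, f"source {src_net} matches the whole internet"))
            for allow in rule.get("allow", []):
                proto = allow.get("protocol")
                if proto not in ("tcp", "udp"):
                    continue  # icmp and other protocols carry no ports
                ports = _port_set(allow.get("ports"))
                if not internal and len(ports) == ALL_PORTS:
                    findings.append((name, f"all {proto} ports open to external source {src_net}"))
                if (proto == "tcp" and SSH_PORT in ports and not internal
                        and not _contained(src_net, IAP_TCP_FORWARDING_RANGE)):
                    findings.append((name, f"SSH reachable from {src_net}, not via IAP"))
    return findings


# Constructed sample: the two blueprint rules plus one deliberately bad rule.
SAMPLE_VARIABLES = {"$(network.subnetwork_address)": "10.0.0.0/24"}  # constructed subnet
SAMPLE_RULES = [
    {"name": "allow-internal-traffic",
     "destination_ranges": ["$(network.subnetwork_address)"],
     "source_ranges": ["$(network.subnetwork_address)"],
     "allow": [{"protocol": "tcp", "ports": ["0-65535"]},
               {"protocol": "udp", "ports": ["0-65535"]},
               {"protocol": "icmp"}]},
    {"name": "allow-iap-ssh",
     "destination_ranges": ["$(network.subnetwork_address)"],
     "source_ranges": ["35.235.240.0/20"],
     "allow": [{"protocol": "tcp", "ports": [22]}]},
    {"name": "allow-ssh-anywhere",  # constructed misconfiguration
     "destination_ranges": ["$(network.subnetwork_address)"],
     "source_ranges": ["0.0.0.0/0"],
     "allow": [{"protocol": "tcp", "ports": [22]}]},
]

if __name__ == "__main__":
    for rule_name, finding in audit_ingress_rules(SAMPLE_RULES, SAMPLE_VARIABLES):
        print(f"{rule_name}: {finding}")
```

Run against the two rules from the blueprint, the audit returns no findings; the constructed third rule produces two, one for the 0.0.0.0/0 source and one for SSH exposed outside IAP. To check a real blueprint, load it with yaml.safe_load, walk deployment_groups to the firewall-rules module's settings.ingress_rules, and pass the subnet CIDR that your pre-existing-vpc module will resolve.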

What's next

  • For the complete list of inputs and outputs for this module, see the firewall-rules module page in the Cluster Toolkit GitHub repository.