
My YAML template is as follows; I want to add a firewall property to allow HTTP traffic:

resources:

    - name: deployed-vm2222
      type: compute.v1.instance
      properties:
        zone: us-central1-f
        machineType: https://www.googleapis.com/compute/v1/projects/myproject/zones/us-central1-f/machineTypes/f1-micro
        disks:
        - deviceName: boot
          type: PERSISTENT
          boot: true
          autoDelete: true
A.JRJ

4 Answers

In the firewall, we use:

targetTags: ["http"]

Then, in the instance, we use:

tags:
    items: ["http"]

The complete file can be as shown:

resources:
- name: default-allow-http
  type: compute.v1.firewall
  properties:
    targetTags: ["http"]
    sourceRanges: ["0.0.0.0/0"]
    allowed:
      - IPProtocol: TCP
        ports: ["80"]
- name: vm-test
  type: compute.v1.instance
  properties:
    zone: xxxx
    machineType: xxxx
    tags:
        items: ["http"]
    disks:
    - deviceName: boot
      type: PERSISTENT
      boot: true
      autoDelete: true
      initializeParams:
        diskName: xxxx
        sourceImage: xxxx
    networkInterfaces:
    - network: xxxx
      accessConfigs:
      - name: External NAT
        type: ONE_TO_ONE_NAT
Fady Ibrahim
  • In addition to the `targetTags` as Patrick mentioned you should also add the `network` resource to the properties otherwise default network is used. See: https://cloud.google.com/compute/docs/reference/rest/v1/firewalls#Firewall.FIELDS.network – Tomor Nov 12 '19 at 19:39
  • How do you create an Allow inbound HTTP traffic to tagged instances? I tried doing something like `IPProtocol: HTTP`. But that threw me this error: `Invalid value for field 'resource.allowed[0].IPProtocol': 'HTTP"'` – Vijender Kumar Feb 28 '20 at 05:37

A couple of things to note when performing this action: make sure the instance is correctly tagged so that the labelling is applied. For example, tagging the instance http-server or https-server ensures the firewall is aware it is processing public traffic.

Adding a firewall entry can be achieved in the following way.

resources:
  - name: instance
    type: xxxxxxxx
    properties:
      zone: us-east1-b
      tags:
        items: ["http-server", "tensorboard"]
  - name: default-allow-http
    type: compute.v1.firewall
    properties:
      network: https://www.googleapis.com/compute/v1/projects/myproject/global/networks/default
      targetTags: ["http-server"]
      sourceRanges: ["0.0.0.0/0"]
      allowed:
      - IPProtocol: TCP
        ports: ["80"]
  - name: default-allow-tensorboard
    type: compute.v1.firewall
    properties:
      network: https://www.googleapis.com/compute/v1/projects/myproject/global/networks/default
      targetTags: ["tensorboard"]
      sourceRanges: ["0.0.0.0/0"]
      allowed:
      - IPProtocol: TCP
        ports: ["6006"]
Richard Rose
    I got an error for using `tags: - http-server` : `message: '"/tags": domain: validation; keyword: type; message: instance does not match any allowed primitive type; allowed: ["object"]; found: "array"'` what does it mean? – Srichakradhar Nov 25 '18 at 13:13
  • The tag definition has changed - updated example to reflect the correct usage of item/tags. – Richard Rose Dec 23 '19 at 09:26
You can add a firewall rule in your template as follows:

- name: allow-http-fw
  type: compute.v1.firewall
  properties:
    allowed:
      - IPProtocol: TCP
        ports: ["80"]
    sourceRanges: [ 0.0.0.0/0 ]

You can define the properties listed for the firewall resource.

LundinCast
    Ideally you should include a tag in the firewall rule (instead of applying to all) and assign the network tag to the instance (using the tags.items[] field) to make sure the firewall rule applies to the instance – Patrick W Jun 20 '18 at 23:53
  • In addition to the `targetTags` as Patrick mentioned you should also add the `network` resource to the properties otherwise default network is used. See: https://cloud.google.com/compute/docs/reference/rest/v1/firewalls#Firewall.FIELDS.network – Tomor Nov 12 '19 at 19:36
@LundinCast is almost totally correct; `network:` under `properties` is missing.

It would be the same value as the `network` under `networkInterfaces`.

Ken Ingram
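Pulling together the points made across the answers and comments (instance `tags` must be an object with an `items` list, a firewall rule should name its `network` and carry `targetTags` rather than apply to every instance, every `targetTag` should match an instance, and `ports` is a list of strings), here is an added linter for a parsed template. It is not code from any of the posters; the sample config, resource names and network path in it are constructed placeholders.

```python
def lint_config(config):
    """Return a list of findings (strings) for a parsed Deployment Manager config."""
    findings = []
    resources = config.get("resources", [])
    all_tags = set()
    # Instance tags must be an object with an items list, not a bare list
    # (that is the "found: array" validation error quoted in the comments).
    for res in resources:
        if res.get("type") != "compute.v1.instance":
            continue
        tags = res.get("properties", {}).get("tags")
        if isinstance(tags, dict) and isinstance(tags.get("items"), list):
            all_tags.update(tags["items"])
        elif tags is not None:
            findings.append(f"{res['name']}: tags must be an object with an items list")
    for res in resources:
        if res.get("type") != "compute.v1.firewall":
            continue
        name, props = res["name"], res.get("properties", {})
        # Without an explicit network the rule lands on the default network.
        if "network" not in props:
            findings.append(f"{name}: no network set, rule lands on the default network")
        targets = props.get("targetTags") or []
        # A rule open to the world with no targetTags applies to every instance.
        if "0.0.0.0/0" in props.get("sourceRanges", []) and not targets:
            findings.append(f"{name}: open to 0.0.0.0/0 with no targetTags, applies to every instance")
        for tag in targets:
            if tag not in all_tags:
                findings.append(f"{name}: targetTag {tag!r} matches no instance in this template")
        # allowed[].ports is an array of strings; a scalar like 80 is rejected.
        for rule in props.get("allowed", []):
            ports = rule.get("ports")
            if ports is not None and not (isinstance(ports, list) and all(isinstance(p, str) for p in ports)):
                findings.append(f'{name}: ports must be a list of strings such as ["80"]')
    return findings


# Constructed sample: an instance tagged "http", one rule written the way the
# accepted answer shows, and one with the mistakes the comments point out.
# "myproject" and the resource names are placeholders, not a real project.
SAMPLE = {"resources": [
    {"name": "vm-test", "type": "compute.v1.instance",
     "properties": {"zone": "us-central1-f", "tags": {"items": ["http"]}}},
    {"name": "default-allow-http", "type": "compute.v1.firewall",
     "properties": {"network": "https://www.googleapis.com/compute/v1/projects/myproject/global/networks/default",
                    "targetTags": ["http"], "sourceRanges": ["0.0.0.0/0"],
                    "allowed": [{"IPProtocol": "TCP", "ports": ["80"]}]}},
    {"name": "allow-http-fw", "type": "compute.v1.firewall",
     "properties": {"sourceRanges": ["0.0.0.0/0"],
                    "allowed": [{"IPProtocol": "TCP", "ports": 80}]}},
]}

if __name__ == "__main__": print(*lint_config(SAMPLE), sep="\n")
```

Run against the sample, the first rule passes cleanly and the second yields three findings (no network, no targetTags on a 0.0.0.0/0 rule, scalar ports), which are exactly the gaps the comments on the third answer raised.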