3

I am using Terraform templates to provision a Google Cloud Dataproc cluster. After that, I'm creating firewall rules to restrict ingress traffic to those compute engine instances.

I'm looking for a way to automatically create firewall rules along with the dataproc cluster. There does not seem to be a straightforward way as I have to mention the IPs in the firewall rules, which can be obtained only by looking at the created cluster.

Another way I was thinking is to create a VPC with security and create the dataproc cluster within that VPC.

Can anyone provide any expert advise on this?

Kuwali
  • 233
  • 3
  • 13

1 Answers1

2

In addition to filtering by IPs, GCP firewall rules support filtering by tags 1 or service accounts 2. When creating a Dataproc cluster, you can add tags for the cluster VMs with --tags 3, or specify the service account used by the cluster VMs with --service-account 4, so they can be matched by the firewall rules to target the cluster VMs.

Note the implications between filtering by tags and filtering by services accounts in firewall rules. Simply put, the former is simpler, while the latter is more secure.

Dagang
  • 24,586
  • 26
  • 88
  • 133