GCP Firewall Rules for Workspot Deployments

Introduction

This document defines the firewall rules needed for a Workspot VPC in Google Cloud.

VPC firewall rules 

VPC firewall rules let you allow or deny connections to or from virtual machine instances (including the Gateway, Cloud Desktops, the management server, and so on) in your VPC network. Enabled VPC firewall rules are always enforced, protecting your instances regardless of their configuration and operating system, even if they have not started.

For more detailed information on firewalls, see https://cloud.google.com/firewall/docs/firewalls

Steps to create new firewall rules: https://cloud.google.com/firewall/docs/using-firewalls#creating_firewall_rules 

Workspot Firewall Rules: 

To enable the Workspot infrastructure in GCP to communicate, certain firewall rules must be enabled. Some of them are mandatory and others are optional. They are listed below so that customers can choose according to their requirements.

List of Firewall Rules used in a Workspot VPC: 

Allow Outbound Traffic: 

This rule should be applied to allow outbound traffic from the GCP instances to the internet. 

Firewall Rule Settings: 

  • Direction = Egress 

  • Targets = All instances in the network. 

  • Destination IPv4 ranges = 0.0.0.0/0 

  • Protocol and Ports = Allow All 

Allow CyberArk Connection: 

CyberArk servers are deployed on AWS and their public IPs are 44.206.194.207 and 18.195.93.195. We enable the RDP port for these servers only.

Firewall Rule Settings: 

  • Direction = Ingress 

  • Targets = workspotrdg (Network tag applied for all Gateways) 

  • Source Filter = IPv4 Ranges 

  • Source IPv4 Ranges = 44.206.194.207, 18.195.93.195 

  • Protocol and Ports = TCP 3389 

Allow Google Compute Engine Cloud DNS Service: 

In GCP, to define the DNS server address you can set up a private DNS zone on the Cloud DNS service. A private DNS zone provides a simple-to-manage internal DNS solution for your private networks on GCP. If you are using the forwarding zone method, you must allow the DNS ports from 35.199.192.0/0.

For more information, including how to create a forwarding private zone, see "Create a forwarding zone" in the Cloud DNS documentation on Google Cloud.

Firewall Rule Settings: 

  • Direction = Ingress 

  • Targets = All instances in the network 

  • Source Filter = IPv4 Ranges 

  • Source IPv4 Ranges = 35.199.192.0/0 

  • Protocol and Ports = TCP 53, UDP 53 

Allow GCE Metadata Service: 

If you are setting custom metadata on your project, open the firewall to allow traffic from the metadata server, 169.254.169.254.

To set project-wide metadata: https://cloud.google.com/compute/docs/metadata/setting-custom-metadata#set-projectwide

Firewall Rule Settings: 

  • Direction = Ingress 

  • Targets = All instances in the network 

  • Source Filter = IPv4 Ranges 

  • Source IPv4 Ranges = 169.254.169.254 

  • Protocol and Ports = Allow All 

Allow intranet traffic within the VPC:

If you want the VM instances to communicate within your subnet, across the whole VPC, or with a peered VPC, you must create a firewall rule covering all the IP address ranges concerned.

Firewall Rule Settings: 

  • Direction = Ingress 

  • Targets = All instances in the network 

  • Source Filter = IPv4 Ranges 

  • Source IPv4 Ranges = <CIDRs of the network/subnet at the other end>

  • Protocol and Ports = Allow All / or specify the ports you want to open 

Allow SSH access to Linux machines: 

If you have Linux machines in your VPC and want to connect to them directly over SSH, create the following rule.

Firewall Rule Settings: 

  • Direction = Ingress 

  • Targets = Linux <or any other network tag that you have attached to the Linux VMs> 

  • Source Filter = IPv4 Ranges 

  • Source IPv4 Ranges = <Public IP address of the client you connect from, e.g. your local machine>

  • Protocol and Ports = TCP 22 

Allow RDP access to Windows Machines: 

If you want to connect to some or all Windows VMs directly over RDP, create the following rule.

Firewall Rule Settings: 

  • Direction = Ingress 

  • Targets = rdp <or any other network tag that you have attached to the instances> 

  • Source Filter = IPv4 Ranges 

  • Source IPv4 Ranges = <Public IP address of the client you connect from, e.g. your local machine>

  • Protocol and Ports = TCP 3389 

Allow company DNS service communication:

If you have an on-premises AD/DNS server with which the GCP VM instances must communicate, create the following rule.

Firewall Rule Settings: 

  • Direction = Ingress 

  • Targets = All instances in the network 

  • Source Filter = IPv4 Ranges 

  • Source IPv4 Ranges = <CIDRs of the network/subnet at the other end, or the DNS server IP>

  • Protocol and Ports = Allow All / or specify the ports you want to open 

Allow ICMP communication between the instances: 

If you want to allow ICMP between the instances in the network, create the following rule.

Firewall Rule Settings: 

  • Direction = Ingress 

  • Targets = All instances in the network 

  • Source Filter = IPv4 Ranges 

  • Source IPv4 Ranges = <CIDRs of the network/subnet>

  • Protocol and Ports = TCP 5986, UDP 5986, Other protocols: ICMP

Allow access to RD Gateway: 

This rule need not be created manually; it is created automatically when you deploy managed Gateways. It allows users to connect to the Workspot environment via the RD Gateway server.
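As an added example (not part of the Workspot document or of Google's tooling), the following Python script audits a set of rule definitions modelled on the settings listed above; the rule dicts are constructed here and the over-broad RDP rule is a deliberate negative case. It also shows why the prefix length matters: Google documents the Cloud DNS forwarding source range as 35.199.192.0/19, and a /0 mask, whatever address is written in front of it, matches every IPv4 address.

```python
import ipaddress

# Ports this audit treats as administrative: SSH, RDP and WinRM over HTTPS.
ADMIN_PORTS = {"tcp:22", "tcp:3389", "tcp:5986"}


def audit_rule(rule):
    """Return the findings for one rule; an empty list means it passed."""
    findings = []
    if rule["direction"] != "INGRESS":
        return findings  # egress rules are outside the scope of this audit
    for src in rule["ranges"]:
        # A bare address becomes a /32. strict=False lets "35.199.192.0/0"
        # parse, so we can show that its /0 mask covers every IPv4 address.
        net = ipaddress.ip_network(src, strict=False)
        if net.prefixlen == 0:
            findings.append(f"{src} matches every IPv4 address (mask /0)")
    admin = sorted(ADMIN_PORTS & set(rule["ports"]))
    if admin and rule["targets"] == "all":
        findings.append(f"{', '.join(admin)} open on all instances; use a network tag")
    return findings


def audit(rules):
    """Map each rule name to its findings, keeping only rules with problems."""
    result = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            result[rule["name"]] = findings
    return result


# Constructed sample rules mirroring this page's settings (ranges copied as the
# page states them; "ranges" is source for ingress, destination for egress).
RULES = [
    {"name": "allow-egress", "direction": "EGRESS", "targets": "all",
     "ranges": ["0.0.0.0/0"], "ports": ["all"]},
    {"name": "allow-cyberark", "direction": "INGRESS", "targets": "workspotrdg",
     "ranges": ["44.206.194.207", "18.195.93.195"], "ports": ["tcp:3389"]},
    {"name": "allow-cloud-dns", "direction": "INGRESS", "targets": "all",
     "ranges": ["35.199.192.0/0"], "ports": ["tcp:53", "udp:53"]},
    {"name": "allow-rdp-anywhere", "direction": "INGRESS", "targets": "all",
     "ranges": ["0.0.0.0/0"], "ports": ["tcp:3389"]},  # deliberate bad rule
]

if __name__ == "__main__":
    for name, findings in audit(RULES).items():
        print(name + ":", "; ".join(findings))
```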