Introduction
This document defines the firewall rules needed for a Workspot VPC (virtual private cloud) in Google Cloud.
VPC Firewall Rules in General
VPC firewall rules let you allow or deny connections to or from virtual machine instances (including Gateway, Cloud Desktops, management Server, etc.) in your VPC network. Enabled VPC firewall rules are always enforced, protecting your instances regardless of their configuration and operating system, even if they have not started.
For more detailed information on GCP firewalls, see https://cloud.google.com/firewall/docs/firewalls
Steps to create new GCP firewall rules: https://cloud.google.com/firewall/docs/using-firewalls#creating_firewall_rules
Workspot Firewall Rules
To enable the Workspot infrastructure in GCP to communicate, specific firewall rules must be enabled. Some of them are mandatory and others are optional. They are listed below so that customers can choose the ones that match their requirements.
List of Firewall Rules used in a Workspot VPC:
Allow Outbound Traffic: To allow outbound traffic from the GCP instances to the internet.
Allow CyberArk to connect: (Elite customers only) To enable the RD Gateway Servers or the Jump servers from the CyberArk portal.
Allow GCP DNS Service: To allow a forwarding zone.
Allow GCP Metadata Service: To allow the communication to custom metadata.
Allow Internal Traffic: To enable communication between VM instances within Subnet or VPC or peering VPC.
Allow SSH for Linux: To allow SSH access to Linux VMs.
Allow RDP for Windows: To allow RDP ports for Windows VMs.
Allow Customer DNS: To allow communication with Customer’s DNS servers.
Allow internal ICMP: To allow ICMP between VMs.
Allow Managed Gateway inbound: To allow secure network ports over the internet.

Allow Outbound Traffic
This rule should be applied to allow outbound traffic from the GCP instances to the internet.
Firewall Rule Settings:
Direction = Egress
Targets = All instances in the network
Destination IPv4 ranges = 0.0.0.0/0
Protocol and Ports = Allow All

Allow CyberArk Connection
Note: This applies to customers with legacy Elite subscriptions only. (Most customers have Enterprise/Enterprise Plus subscriptions).
CyberArk servers are deployed on AWS and their public IPs are 44.206.194.207 and 18.195.93.195. We enable RDP ports for these servers.
Firewall Rule Settings:
Direction = Ingress
Targets = workspotrdg (Network tag applied for all Gateways)
Source Filter = IPv4 Ranges
Source IPv4 Ranges = 44.206.194.207, 18.195.93.195
Protocol and Ports = TCP 3389

Allow Google Compute Engine Cloud DNS Service
In GCP, the DNS server address can be defined by setting up a private DNS zone in the Cloud DNS service. A private DNS zone provides a simple-to-manage internal DNS solution for your private networks on GCP. If you use the forwarding zone method, the DNS ports must be opened for 35.199.192.0/0.
For more information on this and on how to create a forwarding private zone, see: Create a forwarding zone | Cloud DNS | Google Cloud
Firewall Rule Settings:
Direction = Ingress
Targets = All instances in the network
Source Filter = IPv4 Ranges
Source IPv4 Ranges = 35.199.192.0/0
Protocol and Ports = TCP 53, UDP 53

Allow GCE Metadata Service
If you are setting custom metadata on your project, open the firewall to allow traffic from the metadata server, 169.254.169.254.
To set project-wide metadata: https://cloud.google.com/compute/docs/metadata/setting-custom-metadata#set-projectwide
Firewall Rule Settings:
Direction = Ingress
Targets = All instances in the network
Source Filter = IPv4 Ranges
Source IPv4 Ranges = 169.254.169.254
Protocol and Ports = Allow All

Allow Internal Traffic within the VPC
To allow communication between VM instances within your subnet, the whole VPC, or a peered VPC, create a firewall rule that covers all the IP address ranges concerned.
Firewall Rule Settings:
Direction = Ingress
Targets = All instances in the network
Source Filter = IPv4 Ranges
Source IPv4 Ranges = <CIDRs of the network/subnet at the other end>
Protocol and Ports = Allow All, or specify the ports you want to open

Allow SSH access to Linux machines
Use this rule if you have Linux machines in your VPC and want to connect to them directly over SSH.
Firewall Rule Settings:
Direction = Ingress
Targets = Linux <or any other network tag that you have attached to the Linux VMs>
Source Filter = IPv4 Ranges
Source IPv4 Ranges = <Public IP address of the machine you connect from, e.g. your local machine>
Protocol and Ports = TCP 22

Allow RDP access to Windows Machines
Firewall Rule Settings, if you want to connect to some or all Windows VMs directly over RDP:
Direction = Ingress
Targets = rdp <or any other network tag that you have attached to the instances>
Source Filter = IPv4 Ranges
Source IPv4 Ranges = <Public IP address of the machine you connect from, e.g. your local machine>
Protocol and Ports = TCP 3389

Allow company DNS Service Communication
Use this rule if you have an on-premises AD/DNS server with which the GCP VM instances must communicate.
Firewall Rule Settings:
Direction = Ingress
Targets = All instances in the network
Source Filter = IPv4 Ranges
Source IPv4 Ranges = <CIDRs of the network/subnet at the other end or DNS server IP>
Protocol and Ports = Allow All, or specify the ports you want to open

Allow ICMP Communication Between the Instances
Use this rule if you want to allow ICMP between the instances in the network.
Firewall Rule Settings:
Direction = Ingress
Targets = All instances in the network
Source Filter = IPv4 Ranges
Source IPv4 Ranges = <CIDRs of the network/subnet>
Protocol and Ports = TCP 5986, UDP 5986, Other - ICMP
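The rule sections above (Allow Outbound Traffic through Allow ICMP Communication Between the Instances) each give their settings as Direction, Targets, Source/Destination ranges and Protocol and Ports. As an added example, which is not part of the Workspot document or of any Workspot tooling, the following POSIX shell script turns those settings into the equivalent "gcloud compute firewall-rules create" command and checks an ingress rule for an over-broad source range before it is applied. The rule names, the network name "workspot-vpc" and the placeholder range 203.0.113.10/32 are assumptions made for illustration; the gcloud flags used (--network, --direction, --action, --rules, --source-ranges, --destination-ranges, --target-tags) are real. The script only prints commands and never calls gcloud itself.

```shell
#!/bin/sh
# Added example, not from the Workspot document: render the "Firewall Rule
# Settings" blocks above as gcloud commands and sanity-check them first.
# Runs offline; rule names and the network "workspot-vpc" are assumptions.

# Convert the page's "Protocol and Ports" wording to gcloud --rules syntax:
#   "Allow All"                        -> all
#   "TCP 53, UDP 53"                   -> tcp:53,udp:53
#   "TCP 5986, UDP 5986, Other - ICMP" -> tcp:5986,udp:5986,icmp
ports_to_rules() {
    spec=$1
    case "$spec" in
        "Allow All"|all|ALL) printf 'all\n'; return 0 ;;
    esac
    out=""
    old_ifs=$IFS
    IFS=,                      # split the list on commas only
    for item in $spec; do
        IFS=$old_ifs
        item=$(printf '%s' "$item" | sed 's/^ *//; s/ *$//')
        case "$item" in
            "Other - ICMP"|ICMP|icmp) tok=icmp ;;
            TCP\ *|tcp\ *)            tok="tcp:${item#* }" ;;
            UDP\ *|udp\ *)            tok="udp:${item#* }" ;;
            *) echo "ports_to_rules: cannot parse '$item'" >&2; IFS=$old_ifs; return 1 ;;
        esac
        out="${out:+$out,}$tok"
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# render_rule NAME NETWORK DIRECTION TARGETS RANGES PORTS
#   DIRECTION: Ingress or Egress
#   TARGETS:   "All instances in the network" or a network tag (e.g. workspotrdg)
#   RANGES:    source (ingress) or destination (egress) IPv4 ranges, comma separated
#   PORTS:     the "Protocol and Ports" value as written on the page
render_rule() {
    name=$1; network=$2; direction=$3; targets=$4; ranges=$5; ports=$6
    case "$direction" in
        Ingress|INGRESS|ingress) dir=INGRESS; range_flag=--source-ranges ;;
        Egress|EGRESS|egress)    dir=EGRESS;  range_flag=--destination-ranges ;;
        *) echo "render_rule: unknown direction '$direction'" >&2; return 1 ;;
    esac
    rules=$(ports_to_rules "$ports") || return 1
    ranges=$(printf '%s' "$ranges" | tr -d ' ')
    cmd="gcloud compute firewall-rules create $name --network=$network --direction=$dir --action=ALLOW --rules=$rules $range_flag=$ranges"
    case "$targets" in
        "All instances in the network"|all|ALL) ;;   # no --target-tags: applies to every instance
        *) cmd="$cmd --target-tags=$targets" ;;
    esac
    printf '%s\n' "$cmd"
}

# check_exposure DIRECTION RANGES RULES
# Returns 1 when an ingress rule opens SSH, RDP or every port to the whole
# internet (0.0.0.0/0). The SSH and RDP sections above scope the source range
# to the public IP you connect from, so 0.0.0.0/0 there is a configuration error.
check_exposure() {
    direction=$1
    ranges=$(printf '%s' "$2" | tr -d ' ')
    rules=$3
    [ "$direction" = INGRESS ] || [ "$direction" = Ingress ] || return 0
    case ",$ranges," in
        *,0.0.0.0/0,*) ;;
        *) return 0 ;;
    esac
    case ",$rules," in
        *,all,*|*,tcp:22,*|*,tcp:3389,*) return 1 ;;
    esac
    return 0
}

# Render some of the rules from the sections above (names and network assumed).
render_rule allow-outbound workspot-vpc Egress "All instances in the network" 0.0.0.0/0 "Allow All"
render_rule allow-cyberark workspot-vpc Ingress workspotrdg "44.206.194.207, 18.195.93.195" "TCP 3389"
render_rule allow-ssh-linux workspot-vpc Ingress Linux "203.0.113.10/32" "TCP 22"   # 203.0.113.10/32: placeholder for your public IP
render_rule allow-internal-icmp workspot-vpc Ingress "All instances in the network" "10.0.0.0/8" "TCP 5986, UDP 5986, Other - ICMP"   # 10.0.0.0/8: placeholder subnet CIDR

# Catch an SSH rule that was accidentally opened to the whole internet.
if check_exposure Ingress "0.0.0.0/0" "$(ports_to_rules 'TCP 22')"; then
    echo "ok: SSH rule is scoped"
else
    echo "refusing: SSH from 0.0.0.0/0 must be limited to your own public IP" >&2
fi
```

Review the printed commands and pipe them to sh yourself once they match the settings you intend; the "Allow All" ingress rules above are acceptable only because their source ranges are limited, which is why check_exposure evaluates the ranges and the ports together rather than either alone.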

Allow Access to RD Gateway
This rule need not be created manually; it is created automatically when you deploy managed Gateways. It allows users to connect to the Workspot environment via the RD Gateway server.

