Virtual private clouds in the Google Cloud Platform allow even complex network infrastructures to be created quickly and easily. But as any IT manager will confirm, fast does not always mean right – and that is a problem in the cloud, especially when it comes to security. In this workshop, we will therefore show you which on-board tools ensure security. The second part deals with the difference between Firewall Essentials and Standard. We will also show how virtual machines can securely access the internet with Cloud NAT.
Firewall Essentials and Firewall Standard
In autumn 2022, Google made a series of announcements regarding network security at its in-house exhibition Google Next – these include the new products ‘Cloud Firewall Essentials’ and ‘Cloud Firewall Standard’. These build on and extend the previous VPC firewall rules.
An interesting additional feature is tag integration. However, these tags are not the network tags described above, which are used in VPC firewall rules, but resource manager tags. These have the advantage that you can authorise them via IAM. For example, it is possible to create a tag with the key ‘vm-function’ and create a list of possible values such as ‘database’, ‘app-client’ or ‘app-server’. You then assign permissions to these tags. For example, database administrators could be assigned the role ‘Tag User’ for the tag with the value ‘database’. This allows the relevant administrator to start a VM with the tag and allow database traffic.
By default, firewall rules are ‘stateful’, which means that if the connection is open in one direction, return network traffic is automatically allowed. For troubleshooting purposes, it is interesting to know whether this return network traffic arrives and whether it can also be analysed. This is generally possible with the firewall logs. New are address groups, which help if you have a number of hosts, IP addresses or entire network ranges in frequent use. In this case, you should avoid having to keep these elements up to date in every rule if a change occurs. With address groups, it is possible to maintain the groups once and reference them in firewall rules.
Some of the features mentioned are not included in Cloud Firewall Standard, so additional costs may apply. This is the case, for example, when using the Threat Intelligence module, which allows you to block traffic based on various categories. These include known malicious IP addresses and domains. Furthermore, there is now extended protection with FQDN objects. These enable dynamic updating of firewall rules, even if the underlying IP addresses change. It is now also possible to integrate location determination for firewall rules. This allows you to manage network traffic based on its country of origin. Until now, such a feature was only integrated in a web application firewall.
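The tag, address group and tag-scoped rule described above, as an added Terraform example that is not part of the article. It assumes a project ‘my-project’, an existing VPC ‘workshop-vpc’, a DBA group address and two internal CIDRs as placeholders.

```hcl
# Added example, not the article's own code. Assumed placeholders: project
# "my-project", existing VPC "workshop-vpc", group dba@example.com, the CIDRs.
resource "google_tags_tag_key" "vm_function" {
  parent       = "projects/my-project"
  short_name   = "vm-function"
  purpose      = "GCE_FIREWALL"                   # dedicates the tag to firewall use
  purpose_data = { network = "my-project/workshop-vpc" }
}
resource "google_tags_tag_value" "database" {
  parent     = "tagKeys/${google_tags_tag_key.vm_function.name}"
  short_name = "database"
}
# Only Tag Users on this value may attach it to a VM, so only DBAs can open the port.
resource "google_tags_tag_value_iam_member" "dba" {
  tag_value = google_tags_tag_value.database.name
  role      = "roles/resourcemanager.tagUser"
  member    = "group:dba@example.com"
}
# Address group maintained once and referenced from any number of rules.
resource "google_network_security_address_group" "app_servers" {
  name     = "app-servers"
  parent   = "projects/my-project"
  location = "global"
  type     = "IPV4"
  capacity = 100
  items    = ["10.10.0.0/24", "10.20.0.0/24"]
}
resource "google_compute_network_firewall_policy" "policy" { name = "workshop-policy" }
resource "google_compute_network_firewall_policy_association" "vpc" {
  name              = "workshop-policy-vpc"
  attachment_target = "projects/my-project/global/networks/workshop-vpc"
  firewall_policy   = google_compute_network_firewall_policy.policy.name
}
# Allow PostgreSQL from the address group only to VMs tagged vm-function=database;
# logging is on so the stateful return traffic can be checked in the firewall logs.
resource "google_compute_network_firewall_policy_rule" "allow_db" {
  firewall_policy = google_compute_network_firewall_policy.policy.name
  priority        = 1000
  direction       = "INGRESS"
  action          = "allow"
  enable_logging  = true
  target_secure_tags { name = "tagValues/${google_tags_tag_value.database.name}" }
  match {
    src_address_groups = [google_network_security_address_group.app_servers.id]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["5432"]
    }
  }
}
```

A change to the server CIDRs is then made once in the address group; every rule referencing it follows automatically.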
Secure Internet access with Cloud NAT
If a virtual machine needs access to the Internet, you must (in the simplest form) set up a number of elements and database traffic. First, configure a route to the Internet gateway. You can do this by setting a route to the CIDR range ‘0.0.0.0/0’ with ‘Next Hop Internet Gateway’. Then you need to assign an external IP address to the virtual machine.
This configuration makes virtual machines directly accessible on the internet, which is not always desirable for security reasons. If VMs should only have outgoing internet access, you need to use NAT. You can either configure this yourself or use the ‘Cloud NAT’ service. Cloud NAT provides internet connectivity for the following services:
- Compute Engine
- Private Google Kubernetes Engine (GKE) clusters
- Cloud Run via Serverless VPC Access
- Cloud Functions via Serverless VPC Access
- App Engine via Serverless VPC Access
Cloud NAT is a managed service and, as such, offers high availability of at least 99.9 percent. It is also regionally resilient against the failure of a zone. Figure 3 shows the use of Cloud NAT in a global setup with the two regions ‘us-east1’ and ‘europe-west1’. One Cloud NAT instance is set up per region and VPC. Such an instance can provide Internet connectivity for the entire VPC (as shown in the image on the right) or only for individual subnets (Subnet1 in the us-east1 region).

Figure 3: The architecture of Cloud NAT allows VMs to communicate with the Internet.
To set up Cloud NAT, you must perform the following steps: First, switch to the ‘Network services / Cloud NAT’ page in the ‘Networking’ area in the menu on the left. If you are creating a Cloud NAT instance for the first time in the project, click on the ‘Get Started’ link. Once the wizard has started, assign a name to your instance.

Figure 4: When creating a Cloud NAT instance, ‘secondary ranges’ allow you to assign multiple IP addresses to a VM.
Next, select the VPC to which Cloud NAT should connect. Now configure a region and then specify the Cloud Router to be used. Cloud NAT integrates with the Cloud Router to publish routes through it. Finally, define which subnets will benefit from the NAT router. This can be individual subnets or the entire VPC. You can also specify which secondary ranges are allowed to use Cloud NAT. Secondary ranges are used, for example, when a VM occupies multiple IP addresses – examples include VMs with Docker or Kubernetes clusters, where each pod receives an IP address from the VPC.
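The same setup done in Terraform rather than the wizard, as an added example that is not part of the article: a Cloud Router, a Cloud NAT limited to ‘Subnet1’ and its secondary range, and a VM without an external address. Project ‘my-project’, VPC ‘workshop-vpc’ and the CIDRs are assumed placeholders.

```hcl
# Added example, not the article's own code. Assumed placeholders: project
# "my-project", VPC "workshop-vpc", region us-east1 and the two CIDRs.
resource "google_compute_subnetwork" "subnet1" {
  name          = "subnet1"
  region        = "us-east1"
  network       = "workshop-vpc"
  ip_cidr_range = "10.10.0.0/24"
  secondary_ip_range {           # range a GKE cluster hands out to its pods
    range_name    = "pods"
    ip_cidr_range = "10.100.0.0/16"
  }
  private_ip_google_access = true  # Google APIs reachable without NAT
}
# Cloud NAT is always bound to a Cloud Router in the same region and VPC.
resource "google_compute_router" "nat_router" {
  name    = "nat-router-us-east1"
  region  = "us-east1"
  network = "workshop-vpc"
}
resource "google_compute_router_nat" "nat" {
  name                   = "nat-us-east1"
  router                 = google_compute_router.nat_router.name
  region                 = "us-east1"
  nat_ip_allocate_option = "AUTO_ONLY"
  # NAT only subnet1 (primary range plus the pods secondary range), not the whole VPC.
  source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
  subnetwork {
    name                     = google_compute_subnetwork.subnet1.id
    source_ip_ranges_to_nat  = ["PRIMARY_IP_RANGE", "LIST_OF_SECONDARY_IP_RANGES"]
    secondary_ip_range_names = ["pods"]
  }
  log_config {                   # translations and drops, for troubleshooting
    enable = true
    filter = "ALL"
  }
}
# VM without an external address: not reachable from the Internet, egress via NAT.
resource "google_compute_instance" "worker" {
  name         = "worker-1"
  zone         = "us-east1-b"
  machine_type = "e2-small"
  boot_disk {
    initialize_params { image = "debian-cloud/debian-12" }
  }
  network_interface {
    subnetwork = google_compute_subnetwork.subnet1.id
    # no access_config block, so no external IP is assigned
  }
}
```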
Accessing the Internet with VMs
With Cloud NAT, you can dispense with public IP addresses for Internet access. If you only need to access Google services, you can also dispense with Cloud NAT. Although many Google services have public IP addresses, Google provides a technology called ‘Private Google Access’ to access them directly from a VPC. All you need are the appropriate DNS entries and routing.
Specifically, there are DNS domains for which you must set up private zones. Most Google APIs end with the domain ‘googleapis.com’. Accordingly, you can create a zone for ‘googleapis.com’ in ‘Cloud DNS’. In the zone, you then set up an A record for the IP addresses ‘199.36.153.8’, ‘199.36.153.9’, ‘199.36.153.10’ and ‘199.36.153.11’.
You also need a CNAME record for ‘*.googleapis.com’ that points to the A record you created. Now all that’s missing is the routing. To do this, go to the VPC administration page, switch to the ‘Routing’ tab and add a route with the destination ‘0.0.0.0/0’, whose next hop is the default internet gateway.
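The private zone, the two records and the route as an added Terraform example that is not part of the article. It assumes project ‘my-project’ and VPC ‘workshop-vpc’ as placeholders, and that Private Google Access is enabled on the subnets using it; the route is deliberately narrowed to the four addresses instead of ‘0.0.0.0/0’.

```hcl
# Added example, not the article's own code. Assumed placeholders: project "my-project"
# and VPC "workshop-vpc"; subnets using this must have Private Google Access enabled.
resource "google_dns_managed_zone" "googleapis" {
  name       = "googleapis"
  dns_name   = "googleapis.com."
  visibility = "private"
  private_visibility_config {
    networks {
      network_url = "projects/my-project/global/networks/workshop-vpc"
    }
  }
}
# A record with the four addresses (199.36.153.8/30) used for Private Google Access.
resource "google_dns_record_set" "private_a" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "private.googleapis.com."
  type         = "A"
  ttl          = 300
  rrdatas      = ["199.36.153.8", "199.36.153.9", "199.36.153.10", "199.36.153.11"]
}
# Every *.googleapis.com name is aliased to that A record.
resource "google_dns_record_set" "wildcard_cname" {
  managed_zone = google_dns_managed_zone.googleapis.name
  name         = "*.googleapis.com."
  type         = "CNAME"
  ttl          = 300
  rrdatas      = ["private.googleapis.com."]
}
# Route only the /30 to the default internet gateway, narrower than 0.0.0.0/0.
resource "google_compute_route" "pga" {
  name             = "private-google-access"
  network          = "workshop-vpc"
  dest_range       = "199.36.153.8/30"
  next_hop_gateway = "default-internet-gateway"
  priority         = 100
}
```

After applying, a VM in the VPC resolving e.g. storage.googleapis.com receives one of the four addresses and reaches the API without an external IP or Cloud NAT.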