Firewall rules in GCP let you allow or deny traffic based on rules you apply to your instances. Firewall rules are applied at a networking level with every VPC network acting as a distributed firewall. Even though firewall rules are applied at a networking level, they allow/deny connections at an instance level. The advantage of a distributed firewall is that it does not only filter traffic between instances but also filters traffic between networks. All firewall rules are specific to a VPC network with each rule either allowing or denying traffic.

Firewall rules, being unique to a VPC network, cannot be shared between multiple VPC networks. It is important to note that firewall rules in GCP only support IPv4 traffic. There is also no logging mechanism for firewall rules; this means that you cannot log an Allow or a Deny action in the firewall. The GCP firewall allows bidirectional traffic once a session is established, meaning that GCP firewall rules are stateful. By default, every VPC network has an implied egress rule and an implied deny ingress rule. The egress rule ensures all outbound traffic while the ingress rule protects all instances by blocking incoming traffic to them. These two default rules cannot be removed and have the lowest priority value of 65535.

There are other rules that are in place for the default network. These rules allow incoming traffic to instances. Some of these rules are default-allow-internal, default-allow-ssh, default-allow-rdp, and default-allow-icmp. GCP also permanently blocks some of the traffic types. These permanently blocked rules cannot be removed. Some of the blocked traffic types include GRE traffic and protocols other than TCP, UDP, ICMP, and IPIP. The rules also permanently block egress traffic on TCP port 25 and egress traffic on TCP port 465 or 587.

Each firewall rule has a numerical priority that is used to determine whether the rule will be applied. The highest priority rule that matches the traffic is applied. The direction of traffic component of a rule describes whether the traffic is ingress or egress. The action or match component will determine whether to permit or deny traffic. The target component defines the instance to which the rule will apply. A source or a destination for ingress and egress rules. The components also include protocol and port. There is an enforcement status component as well that allows you to enable or disable the firewall rule without having to delete it.

The GCP firewall also has the ability to limit the source and target to GCP resources by using an IAM service account. Such a rule will apply to any new instances created by this service account and also existing instances if you updated their service account associations. Only one service account can be associated with an instance.

Let's check out what this looks like in the GCP portal.

Click on Firewall rules to enable rules to control incoming and outgoing traffic to an instance. Firewall rules are applied to all subnets on a network: