Hello everyone,
I'm currently trying to allow my VM (within my subnet/VPC) to reach out to two specific public domain addresses (endpoints) over port 3128. However, I can only add IPv4 addresses in the "destination" filter when creating the firewall rule.
The problem is... those endpoints might change from time to time... how do I account for this?
Hi @tristens ,
You can use a combination of Cloud DNS and firewall rules with service labels. This can somehow address the issue of dynamically changing IP addresses for your specific public domain addresses (endpoints).
You'd have to set up Cloud DNS to manage the DNS records for your public domains. This way, even if the IP addresses change, you can update the DNS records to point to the new IP addresses. Then, instead of specifying IP addresses directly in your firewall rules, you can use service labels. Service labels allow you to define a set of IP address ranges associated with specific Google services.
Take note:
- Create a service label for the domain(s) you want to reach. (I will be using 'sample-service-label').
- When creating the firewall rule, use the service label in the "destination" field instead of specifying IP addresses.
For example:
gcloud compute firewall-rules create allow-outbound-to-my-domains \
--direction=EGRESS \
--action=ALLOW \
--rules=tcp:3128 \
--destination-service-accounts=sample-service-label \
--priority=1000 \
--network=my-vpc
When the IP addresses of your domains change, make sure to update the corresponding DNS records in Cloud DNS to match the new IP addresses. This approach simplifies the process, requiring updates only to the DNS records without the need to modify the firewall rules each time. The firewall rule will automatically permit traffic to the IP addresses associated with the specified service label.
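Added example, not part of the original thread or the answer above: gcloud egress rules take their destination as `--destination-ranges`, a list of IP CIDRs, so one way to follow a hostname whose address changes is to resolve the names on a schedule (cron on a bastion, or a Cloud Scheduler job) and rewrite that list. The script below does that with only `getent`, `awk` and `gcloud`. It validates every resolved address before it lands in the rule and refuses to touch the rule when DNS returns nothing, so a resolver failure never widens or empties the allow list. The rule name `allow-outbound-to-my-domains`, network `my-vpc`, target tag `proxy-clients` and hostnames `proxy-a.example.com` / `proxy-b.example.com` are assumptions for the example, not names from the post.

```shell
#!/bin/sh
# Added example (not from the original post): keep an egress ALLOW rule's
# --destination-ranges in sync with the current A records of a set of hosts.
# Assumed names: rule, network, tag and hostnames below are placeholders.
RULE_NAME="${RULE_NAME:-allow-outbound-to-my-domains}"
NETWORK="${NETWORK:-my-vpc}"
PORT="${PORT:-3128}"
TARGET_TAG="${TARGET_TAG:-proxy-clients}"      # only tagged VMs get the rule
DOMAINS="${DOMAINS:-proxy-a.example.com proxy-b.example.com}"
DRY_RUN="${DRY_RUN:-1}"                        # DRY_RUN=0 actually runs gcloud

# True when $1 is a dotted quad with every octet in 0..255.
is_ipv4() {
  echo "$1" | awk -F. '
    NF == 4 { for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) exit 1
              exit 0 }
    { exit 1 }'
}

# Turn a whitespace-separated list of addresses into the comma-separated
# /32 list gcloud expects. Duplicates are dropped and anything that is not
# a valid IPv4 address is skipped with a warning, so a bad DNS answer can
# never become a broader rule than intended.
to_ranges() {
  ips=$(printf '%s\n' $1 | sort -u)
  out=""
  for ip in $ips; do
    if is_ipv4 "$ip"; then
      out="${out:+$out,}$ip/32"
    else
      echo "warning: ignoring non-IPv4 token '$ip'" >&2
    fi
  done
  printf '%s' "$out"
}

# Resolve every configured hostname through the system resolver (getent
# honours /etc/hosts and, inside the VPC, Cloud DNS). One line per address.
resolve_all() {
  for d in $DOMAINS; do
    getent ahostsv4 "$d" | awk '{ print $1 }'
  done | sort -u | tr '\n' ' '
}

# Build the gcloud command for the given CIDR list. Returned as text so it
# can be inspected (and tested) before anything is executed.
rule_cmd() {
  verb=$1; ranges=$2
  if [ "$verb" = create ]; then
    printf '%s' "gcloud compute firewall-rules create $RULE_NAME --network=$NETWORK --direction=EGRESS --action=ALLOW --rules=tcp:$PORT --target-tags=$TARGET_TAG --destination-ranges=$ranges --priority=1000"
  else
    printf '%s' "gcloud compute firewall-rules update $RULE_NAME --destination-ranges=$ranges"
  fi
}

# Resolve, validate, then create or update the rule. Fails closed: an empty
# resolution leaves the existing rule untouched.
sync_rule() {
  ranges=$(to_ranges "$(resolve_all)")
  if [ -z "$ranges" ]; then
    echo "refusing to update $RULE_NAME: DNS returned no IPv4 addresses" >&2
    return 1
  fi
  if gcloud compute firewall-rules describe "$RULE_NAME" >/dev/null 2>&1; then
    cmd=$(rule_cmd update "$ranges")
  else
    cmd=$(rule_cmd create "$ranges")
  fi
  if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else $cmd; fi
}

# Usage: sh sync-egress.sh sync   (DRY_RUN=0 to apply)
case "${1:-}" in
  sync) sync_rule ;;
esac
```

Two caveats a practitioner should keep in mind with this approach: the rule is only as current as the last run, so a DNS change that happens between runs is blocked until the next one (pick the interval with the endpoints' TTL in mind), and the rule is only as trustworthy as the resolver that answered, which is one reason the script validates every address and refuses to act on an empty answer rather than blindly trusting whatever comes back.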