B4J Tutorial [GCE] For Noobs, Part 11 - Firewall

If you have gotten this far then you have already tried to access your web app or socket app from your desktop and discovered that nothing seems to be working. This is almost certainly due to a firewall rule being missing.

GCE VMs are relatively secure and locked down in terms of external access and sending emails (more on emails later) and you are responsible for allowing access into and out of the server. This is all done through the firewall that comes free with your account.

What is a firewall then? A firewall, in simple terms, is a service or a device that polices network traffic coming into and out of a network. It is commonly used to restrict network traffic and it does this using rules. If some network traffic breaks the rules, the policeman (the firewall) jails it (blocks the traffic). Of course, firewalls are a bit more complicated than this and the rules can be made more specific so as to target a single server in a network containing 100s of servers, but that’s outside the scope of this tutorial.

What we will cover in this tutorial is how to create a firewall rule.

Firewall Rules
For your console app to be accessible to the world we need to allow the outside world’s traffic to come in to the server. But we don’t want everything coming in, as that would make the server vulnerable to other forms of abuse by attackers.

In Part 6 we discussed the steps required to install MySQL onto your server. If you want to access the MySQL database from outside the network, such as your home computer, a firewall rule will need to be created to allow traffic on Port 3306.

The same steps outlined in this tutorial can be used to open any Port for TCP or UDP traffic. The most common protocol used for network traffic is TCP. UDP is used frequently for data that does not need to be ‘guaranteed’ to be successfully delivered. TCP and UDP protocols are outside the scope of this tutorial.

Add A Firewall Rule
Let’s now create a firewall rule to allow traffic to come in to the network so that MySQL can be accessed externally (like from your home computer). Remember, the following steps can be used to open other ports!!
  • Click on the ‘hamburger’ menu on the GCP console (circled in the image below) and then scroll down until you find the menu option ‘VPC network’ (again circled in the image below), expand the side menu and then click ‘Firewall rules’.

    [Image: the GCP console ‘hamburger’ menu and the ‘VPC network’ > ‘Firewall rules’ option, both circled]


  • Your screen will now show the existing firewall rules that GCE has applied to your network. Below is an example of the rules that have been created for my network.

    I would HIGHLY ADVISE you to leave these rules alone, as deleting or changing them may break the services you are trying to create.

    [Image: the default firewall rules GCE created for the author’s network]


  • Click the ‘CREATE FIREWALL RULE’ button, as shown in the image below.

    [Image: the ‘CREATE FIREWALL RULE’ button on the Firewall rules page]


  • Next you will need to fill out some details that will enable GCE to add a new rule to your existing list. Below is a working example of how to create a firewall rule that will allow MySQL to be accessed externally.

    [Image: the completed ‘Create a firewall rule’ form for allowing MySQL on Port 3306]

    Below, I have listed the fields that have been changed to create the rule.

    Name
    This is the name of the rule. No spaces are permitted and this is the name that is shown on the Firewall rules pages.

    Targets
    Set this so that the rule applies to all VM instances in your network; traffic on Port 3306 will then be able to reach any of them.

    Source IP ranges
    To keep things simple, change this to ‘0.0.0.0/0’, which allows the traffic to come in from any outside source. Be aware that this exposes the MySQL port to the whole Internet; if you only ever connect from one place, a narrower range such as your own public IP address with a /32 suffix is a safer choice.

    Protocols and ports
    Add ‘tcp:3306’ in the edit box to indicate that Port 3306 should be allowed for the TCP protocol.
    Note: this is where you can change the port to something else that you may need opened for your service.

  • Click the Create button to create your new rule. After a moment the new rule will be added to your list and is ready. If you are familiar with MySQL Workbench and making connections then you can now access the database on your server.

    Below is what my firewall rule list looks like after creating the rule.

    [Image: the author’s firewall rule list with the new MySQL rule added]
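The same rule can be created from the command line with the gcloud tool instead of the console. The script below is an added example, not part of the original tutorial or of GCE: it builds the gcloud command equivalent to the form fields above (rule name, ports, source range, with the network assumed to be ‘default’), warns when the source range is the whole Internet, and includes a small audit function that flags existing rules open to 0.0.0.0/0 from the output of `gcloud compute firewall-rules list --format='value(name,sourceRanges.list())'`. The rule name ‘allow-mysql’, the variable FW_DRY_RUN and the 203.0.113.5 address are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the tutorial): gcloud equivalent of the console steps.
# Assumption: the VPC network is called "default" unless a 4th argument is given.

# build_fw_rule_cmd NAME PORTS SOURCE_RANGE [NETWORK]
# Prints the gcloud command that creates an ingress ALLOW rule applying to all
# instances in the network (no --target-tags), matching the console form above.
build_fw_rule_cmd() {
  name=$1; ports=$2; source=$3; network=${4:-default}
  printf 'gcloud compute firewall-rules create %s --direction=INGRESS --action=ALLOW --rules=%s --source-ranges=%s --network=%s\n' \
    "$name" "$ports" "$source" "$network"
}

# is_world_open RANGE -> exit 0 when RANGE means "every address on the Internet"
is_world_open() {
  case "$1" in
    0.0.0.0/0|::/0) return 0 ;;
    *) return 1 ;;
  esac
}

# create_fw_rule NAME PORTS SOURCE_RANGE [NETWORK]
# Warns on a world-open source range, then runs the command. If FW_DRY_RUN=1
# (placeholder variable) or gcloud is not installed, it only prints the command.
create_fw_rule() {
  cmd=$(build_fw_rule_cmd "$@")
  if is_world_open "$3"; then
    echo "warning: rule '$1' accepts $2 from any address; consider a narrower range such as 203.0.113.5/32 (example IP)" >&2
  fi
  if [ "${FW_DRY_RUN:-0}" = 1 ] || ! command -v gcloud >/dev/null 2>&1; then
    echo "$cmd"
  else
    eval "$cmd"
  fi
}

# audit_world_open: reads "name<TAB>range1,range2,..." lines on stdin, as produced by
#   gcloud compute firewall-rules list --format='value(name,sourceRanges.list())'
# and prints the name of every rule that accepts traffic from the whole Internet.
audit_world_open() {
  while IFS="$(printf '\t')" read -r name ranges; do
    oldifs=$IFS; IFS=,
    for r in $ranges; do
      if is_world_open "$r"; then echo "$name"; break; fi
    done
    IFS=$oldifs
  done
}

# Usage (uncomment to run):
#   FW_DRY_RUN=1 create_fw_rule allow-mysql tcp:3306 0.0.0.0/0
#   gcloud compute firewall-rules list --format='value(name,sourceRanges.list())' | audit_world_open
```

Running the audit against your own rule list after following this tutorial should show the MySQL rule (and GCE’s default SSH and RDP rules) as world-open, which is the expected result when 0.0.0.0/0 was used; tightening the source range to your own address removes the warning.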

You should now be able to create additional rules as you need them for your network. I may cover some of the ‘advanced’ topics of firewall rules for GCE in a later Noob tutorial.