Part-52: 🚀 Google Cloud VPC Firewall Rules – Target as Specified Target Tags



This content originally appeared on DEV Community and was authored by Latchu@DevOps

Step-01: Introduction

Unlike "All Instances," using Target Tags lets you apply a firewall rule only to the VMs that carry a specific network tag.

This is a best practice for production because:

  • You control which VMs receive traffic.
  • You avoid exposing every VM in the VPC.

In this lab:

  1. Deploy a VM with a webserver.
  2. Try to access it → fails (no firewall rule).
  3. Create a firewall rule targeting tag = mywebserver.
  4. Apply the tag to the VM.
  5. Access again → works.

Step-02: Create VM Instance

Upload nginx-webserver.sh to Cloud Shell.

#!/bin/bash
# Startup script: install nginx and publish a simple page showing the VM identity.
# Refresh the package index first so the installs do not fail on a fresh image.
sudo apt-get update -y
sudo apt-get install -y telnet nginx
# Enable nginx at boot and start it now.
sudo systemctl enable --now nginx
sudo chmod -R 755 /var/www/html
HOSTNAME=$(hostname)
# Write the page as root via tee (a plain "sudo echo" would not grant write access to the pipe target).
cat <<EOF | sudo tee /var/www/html/index.html
<!DOCTYPE html> <html>
<body style='background-color:rgb(250, 210, 210);'>
<h1>Welcome to Latchu@DevOps - WebVM App1 </h1>
<p><strong>VM Hostname:</strong> $HOSTNAME</p>
<p><strong>VM IP Address:</strong> $(hostname -I)</p>
<p><strong>Application Version:</strong> V1</p>
<p>Google Cloud Platform - Demos</p>
</body></html>
EOF

Create the VM in the custom subnet:

gcloud compute instances create myvm2-target-tags \
    --zone=us-central1-a \
    --machine-type=e2-micro \
    --network-interface=subnet=mysubnet1 \
    --metadata-from-file=startup-script=nginx-webserver.sh

Verify the VM list:

gcloud compute instances list

Test before creating the firewall rule:

telnet <EXTERNAL_IP> 80   # Should fail
curl <EXTERNAL_IP>        # Should fail

Observation: App not reachable → blocked by the VPC's implied ingress deny rule.

Step-03: Create Ingress Firewall Rule

Go to VPC Networks → vpc2-custom → FIREWALLS → ADD FIREWALL RULE.

  • Name: fw-ingress-80-target-tags
  • Description: Allow inbound port 80 for specified target tags
  • Network: vpc2-custom
  • Priority: 1000
  • Direction: Ingress
  • Action on match: Allow
  • Targets: Specified target tags
  • Target tags: mywebserver
  • Source filter: IPv4 ranges
  • Source IPv4 range: 0.0.0.0/0
  • Protocols and ports: TCP → 80

Click Create.

Step-04: Apply Tags to VM and Access App

Add the tag to the VM:

gcloud compute instances add-tags myvm2-target-tags \
    --zone us-central1-a \
    --tags mywebserver

Verify the tag is attached:

gcloud compute instances describe myvm2-target-tags --zone=us-central1-a

Or check the VM details tab in the Console.

Test after applying the tag:

telnet <EXTERNAL_IP> 80   # Should connect
curl <EXTERNAL_IP>        # Should return HTML page

Browser:

http://<EXTERNAL_IP>

Observation: Application now loads → the firewall rule applies because the VM carries the matching tag.
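To make the tag-matching logic concrete, here is an added Python example (not from the original post) that evaluates a VM's ingress reachability against rule records shaped like the JSON that gcloud returns for firewall rules and instances. The rule, tag and instance values are constructed to mirror this lab; the field names follow the Compute API firewall and instance resources, and the source address 203.0.113.10 is a constructed documentation IP.

```python
import ipaddress

# Constructed sample data shaped like `gcloud compute firewall-rules list --format=json`
# and `gcloud compute instances describe --format=json` output.
FIREWALL_RULES = [
    {
        "name": "fw-ingress-80-target-tags",
        "direction": "INGRESS",
        "priority": 1000,
        "sourceRanges": ["0.0.0.0/0"],
        "targetTags": ["mywebserver"],  # omit this key to mean "All instances"
        "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}],
    },
]
INSTANCE_UNTAGGED = {"name": "myvm2-target-tags", "tags": {"items": []}}
INSTANCE_TAGGED = {"name": "myvm2-target-tags", "tags": {"items": ["mywebserver"]}}

def _port_matches(spec, port):
    # A port spec is either "80" or a range such as "8000-8080".
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_targets(rule, instance):
    # No targetTags = "All instances in the network"; otherwise the VM must share a tag.
    tags = rule.get("targetTags")
    return not tags or bool(set(tags) & set(instance["tags"]["items"]))

def rule_matches_traffic(rule, source_ip, protocol, port):
    # Source range check, then protocol/port check against the allowed or denied list.
    src = ipaddress.ip_address(source_ip)
    if not any(src in ipaddress.ip_network(r) for r in rule.get("sourceRanges", [])):
        return False
    for entry in rule.get("denied") or rule.get("allowed", []):
        if entry["IPProtocol"] not in (protocol, "all"):
            continue
        ports = entry.get("ports")
        if not ports or any(_port_matches(p, port) for p in ports):
            return True
    return False

def ingress_decision(rules, instance, source_ip="203.0.113.10", protocol="tcp", port=80):
    # Lowest priority number wins; on a tie deny beats allow; no match at all
    # falls through to the VPC's implied ingress deny.
    candidates = [r for r in rules if r["direction"] == "INGRESS" and rule_targets(r, instance)]
    candidates.sort(key=lambda r: (r["priority"], "denied" not in r))
    for rule in candidates:
        if rule_matches_traffic(rule, source_ip, protocol, port):
            return ("DENY" if "denied" in rule else "ALLOW", rule["name"])
    return ("DENY", "implied-ingress-deny")
```

Running `ingress_decision` for the untagged and tagged instance reproduces the before/after result of this lab: the same rule set yields the implied deny until the tag is attached.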

Step-05: Cleanup

# Delete firewall rule
gcloud compute firewall-rules delete fw-ingress-80-target-tags

# Delete VM
gcloud compute instances delete myvm2-target-tags \
    --zone=us-central1-a --delete-disks=all

✅ Key Learning:

  • Target = All Instances: Broad, less secure, every VM in the VPC is affected.
  • Target = Tags: Granular, more secure, only VMs carrying the tag are exposed (the tag scopes which VMs the rule applies to; a 0.0.0.0/0 source range still admits any client).
  • Best practice: Always use tags or service accounts to scope firewall rules in production.
