X
Popular Searches

How to Open Firewall Ports on a GCP Compute Engine Instance

Google Cloud logo

If you’re unable to access a service running on your virtual private server, it’s likely because the firewall in front of it is blocking the ports you need.  We’ll show you how to work with and open ports on a Google Cloud Platform firewall.

How Do GCP Firewalls Work?

Compared to other cloud providers, GCP’s firewall system works a little differently. In a regular firewall, like AWS’s security groups, you can manually edit and open ports for any instance that uses that security group. If you just want to open a single port, all you have to do is edit the security group.

For GCP, firewalls are managed using “Firewall Rules,” which are sets of allowed/denied ports with other settings like source IP filter. The firewall rule can be applied to every instance in the account, but you’re supposed to set a “target tag,” such as “ftp” or “https-server,” which can be added to any compute engine instance to open the specified ports.

firewall tags

What you end up with is a system where you can manage firewall rules based on application necessity, making it much easier to understand why ports are open. Of course, if you want to just make a firewall rule with a unique tag for your instance and manage ports directly, you can do that as well.

Opening Ports with Firewall Rules

From the Compute Engine console, click “View Network Details” on the instance.

view network details

Click on “Firewall Rules” in the sidebar.

firewall rules

Create a new firewall rule.

create new firewall rule

Give it a name, and choose whether you want to allow or deny traffic. Traffic is implicitly denied by default.

For Target Tags, give the rule a name to identify it. For the source IP range, there isn’t an option for “anywhere,” so you’ll need to manually type in 0.0.0.0/0—CIDR notation for all possible IP addresses.

set tags and source

Under Protocols and ports, you can open everything (a bad idea), or select a protocol and port number. You can type in multiple port numbers with commas, or specify other protocols besides tcp and udp.

firewall ports

Create the rule, and head back over to Compute Engine to apply it. Click on the instance to view the details, and click “Edit” to edit the network tags.

edit instance

Under “Network Tags,” add the tag for the rule you just added.

firewall tags

Once saved, the firewall updates should be reflected automatically.

If your application still isn’t available on the ports you opened, you might want to check or disable any on-device firewalls, like ufw, to make sure that they aren’t conflicting with GCPs.

Anthony Heddings Anthony Heddings
Anthony Heddings is the resident cloud engineer for LifeSavvy Media, a technical writer, programmer, and an expert at Amazon's AWS platform. He's written hundreds of articles for How-To Geek and CloudSavvy IT that have been read millions of times. Read Full Bio »

The above article may contain affiliate links, which help support CloudSavvy IT.