If you’re unable to access a service running on your virtual private server, it’s likely because the firewall in front of it is blocking the ports you need. We’ll show you how to work with and open ports on a Google Cloud Platform firewall.
How Do GCP Firewalls Work?
Compared to other cloud providers, GCP’s firewall system works a little differently. In a regular firewall, like AWS’s security groups, you can manually edit and open ports for any instance that uses that security group. If you just want to open a single port, all you have to do is edit the security group.
For GCP, firewalls are managed using “Firewall Rules,” which are sets of allowed/denied ports with other settings like source IP filter. The firewall rule can be applied to every instance in the account, but you’re supposed to set a “target tag,” such as “ftp” or “https-server,” which can be added to any compute engine instance to open the specified ports.
What you end up with is a system where you can manage firewall rules based on application necessity, making it much easier to understand why ports are open. Of course, if you want to just make a firewall rule with a unique tag for your instance and manage ports directly, you can do that as well.
Opening Ports with Firewall Rules
From the Compute Engine console, click “View Network Details” on the instance.
Click on “Firewall Rules” in the sidebar.
Create a new firewall rule.
Give it a name, and choose whether you want to allow or deny traffic. Traffic is implicitly denied by default.
For Target Tags, give the rule a name to identify it. For the source IP range, there isn’t an option for “anywhere,” so you’ll need to manually type in
0.0.0.0/0—CIDR notation for all possible IP addresses.
Under Protocols and ports, you can open everything (a bad idea), or select a protocol and port number. You can type in multiple port numbers with commas, or specify other protocols besides tcp and udp.
Create the rule, and head back over to Compute Engine to apply it. Click on the instance to view the details, and click “Edit” to edit the network tags.
Under “Network Tags,” add the tag for the rule you just added.
Once saved, the firewall updates should be reflected automatically.
If your application still isn’t available on the ports you opened, you might want to check or disable any on-device firewalls, like
ufw, to make sure that they aren’t conflicting with GCPs.