CoursesGCP securityNetwork & VPC Service Controls

VPC firewall & private access

SA-targeted rules, hierarchical policies, no public IPs.

Advanced30 min · lesson 4 of 15

GCP networking gives you identity-aware firewalling and org-level firewall guardrails that go beyond simple IP rules. The goal, as everywhere, is default-closed: nothing reachable until you open the smallest necessary path.

Firewall rules by identity, guardrails by hierarchy

VPC firewall rules are stateful and can target instances by network tag or, better, by service account — and SA-based targeting is harder to abuse, because adding a network tag needs less privilege than changing an instance’s identity. Above per-VPC rules, hierarchical firewall policies let the org or a folder enforce rules that every project inherits and cannot override, such as denying SSH/RDP from the internet everywhere. Put internet-facing load balancers in front and keep workloads on internal IPs.

SA-targeted rule + an inherited org guardrail
# Allow Postgres to the DB tier ONLY from the app tier's service account.
gcloud compute firewall-rules create allow-app-to-db \
--network=prod-vpc --direction=INGRESS --action=ALLOW --rules=tcp:5432 \
--source-service-accounts=app@payments-prod.iam.gserviceaccount.com \
--target-service-accounts=db@payments-prod.iam.gserviceaccount.com
# Org-level hierarchical policy: deny inbound RDP from anywhere, everywhere.
gcloud compute firewall-policies rules create 1000 \
--firewall-policy=org-baseline --direction=INGRESS --action=deny \
--layer4-configs=tcp:3389 --src-ip-ranges=0.0.0.0/0

Private access and controlled egress

Give VMs no external IPs and use Private Google Access so they still reach Google APIs over internal paths, Private Service Connect to reach managed and partner services privately, and Cloud NAT for controlled outbound without exposing instances to inbound. Shared VPC then lets a central network team own the security-critical topology while service projects merely attach — separating network administration from the teams deploying workloads.

Default-closed GCP network
guardrails
hierarchical firewall policies
org/folder rules projects inherit
SA-targeted rules
identity, not just IP
private by default
no external IPs + Private Google Access
reach APIs internally
Private Service Connect
managed/partner services, privately
Cloud NAT
controlled egress, no inbound
Inherit baseline rules from the top, target by identity, keep workloads private, and control what leaves. Public exposure is opt-in, not default.
A VM with an external IP is an attack surface
Every external IP is a directly-reachable target. Default to no external IP, use Cloud NAT or a bastion/IAP for the rare inbound need, and enforce the org policy that blocks external IPs so a single misconfigured VM cannot silently expose itself.