VPC firewall rules logging examples

Virtual Private Cloud (VPC) firewall rules generate log entries when they apply to traffic. While a packet flow can generate multiple log entries, a VPC firewall rule generates at most one log entry per connection from a virtual machine (VM) instance. The following examples show how VPC firewall rules logging works in different scenarios.

Egress deny example

This example shows logging for an egress-deny VPC firewall rule that blocks traffic between two VM instances in the same VPC network.

In this example, traffic flows between VM instances in the example-net VPC network in the example-proj project.

  • The two VM instances are:

    • VM1 in zone us-west1-a with IP address 10.10.0.99 in the west-subnet (us-west1 region).
    • VM2 in zone us-east1-b with IP address 10.20.0.99 in the east-subnet (us-east1 region).
  • Rule A: An egress deny firewall rule has a target of all instances in the network, a destination of 10.20.0.99 (VM2), and applies to TCP port 80. Logging is enabled for this rule.

  • Rule B: An ingress allow firewall rule has a target of all instances in the network, a source of 10.10.0.99 (VM1), and applies to TCP port 80. Logging is also enabled for this rule.

To create the VPC firewall rules, use the following gcloud commands:

  • Rule A: egress deny rule for TCP port 80, applicable to all instances, destination 10.20.0.99:

    gcloud compute firewall-rules create rule-a \
        --network example-net \
        --action deny \
        --direction EGRESS \
        --rules tcp:80 \
        --destination-ranges 10.20.0.99/32 \
        --priority 10 \
        --enable-logging
    
  • Rule B: ingress allow rule for TCP port 80, applicable to all instances, source 10.10.0.99:

    gcloud compute firewall-rules create rule-b \
        --network example-net \
        --action allow \
        --direction INGRESS \
        --rules tcp:80 \
        --source-ranges 10.10.0.99/32 \
        --priority 10 \
        --enable-logging
    
Egress deny rule blocks connection from VM1 to VM2.

In a scenario where VM1 attempts to connect to VM2 on TCP port 80, the following happens:

  • A log entry for rule A from the perspective of VM1 is generated while VM1 attempts to connect to 10.20.0.99 (VM2).
  • Because rule A blocks the traffic, rule B isn't considered, so there is no log entry for rule B from the perspective of VM2.

VM1 reports the following VPC firewall rule log record:

Field            Values
connection       src_ip=10.10.0.99
                 src_port=[EPHEMERAL_PORT]
                 dest_ip=10.20.0.99
                 dest_port=80
                 protocol=6
disposition      DENIED
rule_details     reference="network:example-net/firewall:rule-a"
                 priority=10
                 action=DENY
                 destination_range=10.20.0.99/32
                 ip_port_info=tcp:80
                 direction=egress
instance         project_id="example-proj"
                 instance_name=VM1
                 region=us-west1
                 zone=us-west1-a
vpc              project_id="example-proj"
                 vpc_name=example-net
                 subnetwork_name=west-subnet
remote_instance  project_id="example-proj"
                 instance_name=VM2
                 region=us-east1
                 zone=us-east1-b
remote_vpc       project_id="example-proj"
                 vpc_name=example-net
                 subnetwork_name=east-subnet
remote_location  No information. This field is only used if the destination is outside your VPC network.

Egress allow, ingress allow example

This example shows logging for an egress-allow VPC firewall rule and an ingress-allow VPC firewall rule that together permit traffic between two VM instances in the same VPC network.

In this example, traffic flows between VM instances in the example-net VPC network in the example-proj project.

  • The two VM instances are:

    • VM1 in zone us-west1-a with IP address 10.10.0.99 in the west-subnet (us-west1 region).
    • VM2 in zone us-east1-b with IP address 10.20.0.99 in the east-subnet (us-east1 region).
  • Rule A: An egress allow firewall rule has a target of all instances in the network, a destination of 10.20.0.99 (VM2), and applies to TCP port 80. Logging is enabled for this rule.

  • Rule B: An ingress allow firewall rule has a target of all instances in the network, a source of 10.10.0.99 (VM1), and applies to TCP port 80. Logging is also enabled for this rule.

To create the VPC firewall rules, use the following gcloud commands:

  • Rule A: egress allow rule for TCP port 80, applicable to all instances, destination 10.20.0.99 (VM2):

    gcloud compute firewall-rules create rule-a \
        --network example-net \
        --action allow \
        --direction EGRESS \
        --rules tcp:80 \
        --destination-ranges 10.20.0.99/32 \
        --priority 10 \
        --enable-logging
    
  • Rule B: ingress allow rule for TCP port 80, applicable to all instances, source 10.10.0.99 (VM1):

    gcloud compute firewall-rules create rule-b \
        --network example-net \
        --action allow \
        --direction INGRESS \
        --rules tcp:80 \
        --source-ranges 10.10.0.99/32 \
        --priority 10 \
        --enable-logging
    
Egress allow and ingress allow rules permit connection from VM1 to VM2.

In a scenario where VM1 attempts to connect to VM2 on TCP port 80, the following happens:

  • A log entry for rule A from the perspective of VM1 is generated while VM1 connects to 10.20.0.99 (VM2).
  • A log entry for rule B from the perspective of VM2 is generated while VM2 allows incoming connections from 10.10.0.99 (VM1).

VM1 reports the following VPC firewall rule log record:

Field            Values
connection       src_ip=10.10.0.99
                 src_port=[EPHEMERAL_PORT]
                 dest_ip=10.20.0.99
                 dest_port=80
                 protocol=6
disposition      ALLOWED
rule_details     reference="network:example-net/firewall:rule-a"
                 priority=10
                 action=ALLOW
                 destination_range=10.20.0.99/32
                 ip_port_info=tcp:80
                 direction=egress
instance         project_id="example-proj"
                 instance_name=VM1
                 region=us-west1
                 zone=us-west1-a
vpc              project_id="example-proj"
                 vpc_name=example-net
                 subnetwork_name=west-subnet
remote_instance  project_id="example-proj"
                 instance_name=VM2
                 region=us-east1
                 zone=us-east1-b
remote_vpc       project_id="example-proj"
                 vpc_name=example-net
                 subnetwork_name=east-subnet
remote_location  No information. This field is only used if the destination is outside your VPC network.

VM2 reports the following VPC firewall rule log record:

Field            Values
connection       src_ip=10.10.0.99
                 src_port=[EPHEMERAL_PORT]
                 dest_ip=10.20.0.99
                 dest_port=80
                 protocol=6
disposition      ALLOWED
rule_details     reference="network:example-net/firewall:rule-b"
                 priority=10
                 action=ALLOW
                 source_range=10.10.0.99/32
                 ip_port_info=tcp:80
                 direction=ingress
instance         project_id="example-proj"
                 instance_name=VM2
                 region=us-east1
                 zone=us-east1-b
vpc              project_id="example-proj"
                 vpc_name=example-net
                 subnetwork_name=east-subnet
remote_instance  project_id="example-proj"
                 instance_name=VM1
                 region=us-west1
                 zone=us-west1-a
remote_vpc       project_id="example-proj"
                 vpc_name=example-net
                 subnetwork_name=west-subnet
remote_location  No information. This field is only used if the destination is outside your VPC network.

Internet ingress example

This example shows logging for an ingress-allow firewall rule that permits traffic from the internet to a VM instance. It also shows how stateful firewall behavior affects an egress-deny rule.

In this example, traffic flows from an external resource to a VM instance within the example-net VPC network. The network is in the example-proj project.

  • The system on the internet has IP address 203.0.113.114.
  • VM1 in zone us-west1-a has IP address 10.10.0.99 in the west-subnet (us-west1 region).
  • Rule C: An ingress allow firewall rule has a target of all instances in the network, a source of any IP address (0.0.0.0/0), and applies to TCP port 80. Logging is enabled for this rule.
  • Rule D: An egress deny firewall rule has a target of all instances in the network, a destination of any IP address (0.0.0.0/0), and applies to all protocols. Logging is enabled for this rule.

To create the VPC firewall rules, use the following gcloud commands:

  • Rule C: ingress allow rule for TCP port 80, applicable to all instances, any source:

    gcloud compute firewall-rules create rule-c \
        --network example-net \
        --action allow \
        --direction INGRESS \
        --rules tcp:80 \
        --source-ranges 0.0.0.0/0 \
        --priority 10 \
        --enable-logging
    
  • Rule D: egress deny rule for all protocols, applicable to all instances, any destination:

    gcloud compute firewall-rules create rule-d \
        --network example-net \
        --action deny \
        --direction EGRESS \
        --rules all \
        --destination-ranges 0.0.0.0/0 \
        --priority 10 \
        --enable-logging
    
Ingress allow rule permits connection from internet to VM1.

In a scenario where a system with IP address 203.0.113.114 attempts to connect to VM1 on TCP port 80, the following happens:

  • VM1 generates a log entry for rule C while it accepts traffic from 203.0.113.114.
  • Despite rule D, VM1 can reply to the incoming request because Cloud de Confiance firewall rules are stateful. If the incoming request is allowed, no egress rule can block established responses.
  • Because rule D doesn't apply, the system doesn't consider it, so there is no log entry for rule D.

VM1 reports the following VPC firewall rule log record:

Field            Values
connection       src_ip=203.0.113.114
                 src_port=[EPHEMERAL_PORT]
                 dest_ip=10.10.0.99
                 dest_port=80
                 protocol=6
disposition      ALLOWED
rule_details     reference="network:my-vpc/firewall:rule-c"
                 priority=10
                 action=ALLOW
                 source_range=0.0.0.0/0
                 ip_port_info=tcp:80
                 direction=ingress
instance         project_id="example-proj"
                 instance_name=VM1
                 region=us-west1
                 zone=us-west1-a
vpc              project_id="example-proj"
                 vpc_name=example-net
                 subnetwork_name=west-subnet
remote_location  continent
                 country
                 region
                 city
                 (These geolocation sub-fields are populated here because the remote endpoint, 203.0.113.114, is outside the VPC network; their values are not shown on this page.)
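The three scenarios on this page (egress deny; egress allow plus ingress allow; internet ingress with an egress deny rule) follow one set of evaluation rules: the source VM evaluates egress rules first, the destination VM evaluates ingress rules only if the egress side allowed the connection, each logged rule yields at most one entry per connection, and reply packets of an accepted connection are stateful and never consulted against egress rules. The following added example is a small model of those rules written for this page; it is not Google's code. It assumes every rule targets all instances in the network, uses the "internet" name as a constructed marker for an external host, and reproduces the VM addresses and rules from the text above.

```python
import ipaddress
from dataclasses import dataclass

DISPOSITION = {"ALLOW": "ALLOWED", "DENY": "DENIED"}
INTERNET = "internet"  # constructed marker: an external host evaluates no rules itself

@dataclass
class Rule:
    name: str
    direction: str   # "EGRESS" or "INGRESS"
    action: str      # "ALLOW" or "DENY"
    cidr: str        # destination range (egress) or source range (ingress)
    ports: object    # frozenset of (proto, port) pairs, or "all"
    priority: int = 1000
    logging: bool = False

def _first_match(rules, direction, remote_ip, proto, port):
    """Highest-priority (lowest number) rule of `direction` matching the flow."""
    hits = [r for r in rules if r.direction == direction
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(r.cidr)
            and (r.ports == "all" or (proto, port) in r.ports)]
    return min(hits, key=lambda r: r.priority) if hits else None

def log_entries(rules, src, dst, proto="tcp", port=80):
    """Entries (reporting instance, rule, disposition) for one new connection.
    src and dst are (name, ip) pairs. A flow matching no explicit rule falls
    to the implied rules, which never produce a log entry."""
    entries = []
    if src[0] != INTERNET:  # egress is evaluated at the source VM
        egress = _first_match(rules, "EGRESS", dst[1], proto, port)
        if egress and egress.logging:
            entries.append((src[0], egress.name, DISPOSITION[egress.action]))
        if egress and egress.action == "DENY":
            return entries  # nothing reaches dst, so no ingress entry there
    if dst[0] != INTERNET:
        ingress = _first_match(rules, "INGRESS", src[1], proto, port)
        if ingress and ingress.logging:
            entries.append((dst[0], ingress.name, DISPOSITION[ingress.action]))
    return entries  # reply packets are stateful: never matched against egress rules

# The page's three scenarios (VM addresses and rules copied from the text above).
VM1, VM2, EXT = ("VM1", "10.10.0.99"), ("VM2", "10.20.0.99"), (INTERNET, "203.0.113.114")
TCP80 = frozenset({("tcp", 80)})
EGRESS_DENY = [Rule("rule-a", "EGRESS", "DENY", "10.20.0.99/32", TCP80, 10, True),
               Rule("rule-b", "INGRESS", "ALLOW", "10.10.0.99/32", TCP80, 10, True)]
BOTH_ALLOW = [Rule("rule-a", "EGRESS", "ALLOW", "10.20.0.99/32", TCP80, 10, True),
              Rule("rule-b", "INGRESS", "ALLOW", "10.10.0.99/32", TCP80, 10, True)]
INTERNET_IN = [Rule("rule-c", "INGRESS", "ALLOW", "0.0.0.0/0", TCP80, 10, True),
               Rule("rule-d", "EGRESS", "DENY", "0.0.0.0/0", "all", 10, True)]
```

Calling log_entries(INTERNET_IN, EXT, VM1) yields only the rule-c entry at VM1, while a connection VM1 initiates toward the external host is what rule D blocks and logs.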
