explainx.ainewsletter3.4k
implementing-gcp-vpc-firewall-rules

implementing-gcp-vpc-firewall-rules

mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026

MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/implementing-gcp-vpc-firewall-rules
0 commentsdiscussion
summary

Implementing and auditing GCP VPC firewall rules to enforce network segmentation, restrict ingress and egress traffic, apply hierarchical firewall policies across the organization, and monitor firewall rule effectiveness using VPC Flow Logs.

skill.md
name
implementing-gcp-vpc-firewall-rules
description
'Implementing and auditing GCP VPC firewall rules to enforce network segmentation, restrict ingress and egress traffic, apply hierarchical firewall policies across the organization, and monitor firewall rule effectiveness using VPC Flow Logs. '
domain
cybersecurity
subdomain
cloud-security
tags
- cloud-security - gcp - vpc - firewall-rules - network-security - segmentation
version
'1.0'
author
mahipal
license
Apache-2.0
nist_csf
- PR.IR-01 - ID.AM-08 - GV.SC-06 - DE.CM-01

Implementing GCP VPC Firewall Rules

When to Use

  • When deploying new GCP workloads that require network-level access controls
  • When auditing existing firewall configurations for overly permissive rules
  • When implementing zero trust network segmentation within GCP VPC networks
  • When responding to Security Command Center findings about open firewall rules
  • When building hierarchical firewall policies across a GCP organization

Do not use for application-layer filtering (use Cloud Armor WAF), for DNS-based filtering (use Cloud DNS response policies), or for VPN/interconnect traffic filtering without understanding that VPC firewall rules apply to traffic within the VPC.

Prerequisites

  • GCP project with Compute Engine API enabled
  • IAM roles: roles/compute.securityAdmin for firewall management, roles/compute.networkViewer for auditing
  • Organization Admin role for hierarchical firewall policies
  • gcloud CLI authenticated with appropriate permissions
  • VPC Flow Logs enabled on target subnets for monitoring

Workflow

Step 1: Audit Existing Firewall Rules for Security Gaps

Enumerate all firewall rules and identify overly permissive configurations.

# List all firewall rules in the project
gcloud compute firewall-rules list \
  --format="table(name, network, direction, priority, allowed[].map().firewall_rule().list():label=ALLOWED, sourceRanges, targetTags)"

# Find rules allowing all traffic from 0.0.0.0/0
gcloud compute firewall-rules list \
  --filter="direction=INGRESS AND sourceRanges=0.0.0.0/0" \
  --format="table(name, network, allowed, priority, targetTags)" \
  --sort-by=priority

# Find rules allowing all protocols and ports
gcloud compute firewall-rules list \
  --filter="direction=INGRESS AND allowed[].IPProtocol=all" \
  --format="table(name, network, sourceRanges, targetTags)"

# Find rules with SSH (22) or RDP (3389) open to the internet
gcloud compute firewall-rules list \
  --filter="direction=INGRESS AND sourceRanges=0.0.0.0/0 AND (allowed[].ports=22 OR allowed[].ports=3389)" \
  --format="table(name, network, allowed, sourceRanges)"

# Check for disabled rules
gcloud compute firewall-rules list \
  --filter="disabled=true" \
  --format="table(name, network, direction)"

Step 2: Create Restrictive Ingress Firewall Rules

Implement least-privilege ingress rules using network tags and service accounts for targeting.

# Create rule allowing HTTPS from the internet to web servers only
gcloud compute firewall-rules create allow-https-web \
  --network=production-vpc \
  --direction=INGRESS \
  --action=ALLOW \
  --rules=tcp:443 \
  --source-ranges=0.0.0.0/0 \
  --target-tags=web-server \
  --priority=1000 \
  --description="Allow HTTPS to web servers from internet"

# Create rule allowing SSH only from bastion host subnet
gcloud compute firewall-rules create allow-ssh-bastion \
  --network=production-vpc \
  --direction=INGRESS \
  --action=ALLOW \
  --rules=tcp:22 \
  --source-ranges=10.0.1.0/24 \
  --target-tags=ssh-allowed \
  --priority=1000 \
  --description="Allow SSH only from bastion subnet"

# Create rule allowing internal communication between app tiers
gcloud compute firewall-rules create allow-app-to-db \
  --network=production-vpc \
  --direction=INGRESS \
  --action=ALLOW \
  --rules=tcp:5432 \
  --source-tags=app-server \
  --target-tags=db-server \
  --priority=1000 \
  --description="Allow PostgreSQL from app tier to database tier"

# Create service-account-based rule (more secure than tags)
gcloud compute firewall-rules create allow-api-internal \
  --network=production-vpc \
  --direction=INGRESS \
  --action=ALLOW \
  --rules=tcp:8080 \
  --source-service-accounts=api-client@project.iam.gserviceaccount.com \
  --target-service-accounts=api-server@project.iam.gserviceaccount.com \
  --priority=1000

Step 3: Implement Egress Restrictions

Configure egress firewall rules to control outbound traffic and prevent data exfiltration.

# Deny all egress by default (low priority)
gcloud compute firewall-rules create deny-all-egress \
  --network=production-vpc \
  --direction=EGRESS \
  --action=DENY \
  --rules=all \
  --destination-ranges=0.0.0.0/0 \
  --priority=65534 \
  --description="Default deny all egress traffic"

# Allow egress to Google APIs via restricted VIP
gcloud compute firewall-rules create allow-google-apis \
  --network=production-vpc \
  --direction=EGRESS \
  --action=ALLOW \
  --rules=tcp:443 \
  --destination-ranges=199.36.153.4/30 \
  --priority=1000 \
  --description="Allow HTTPS to Google APIs restricted VIP"

# Allow DNS resolution
gcloud compute firewall-rules create allow-dns-egress \
  --network=production-vpc \
  --direction=EGRESS \
  --action=ALLOW \
  --rules=udp:53,tcp:53 \
  --destination-ranges=169.254.169.254/32,8.8.8.8/32,8.8.4.4/32 \
  --priority=1000 \
  --description="Allow DNS resolution to metadata and Google DNS"

# Allow egress to specific external services
gcloud compute firewall-rules create allow-external-apis \
  --network=production-vpc \
  --direction=EGRESS \
  --action=ALLOW \
  --rules=tcp:443 \
  --destination-ranges=PARTNER_CIDR/32 \
  --target-tags=api-client \
  --priority=1000

Step 4: Deploy Hierarchical Firewall Policies

Create organization and folder-level firewall policies that apply across all projects.

# Create an organization-level firewall policy
gcloud compute firewall-policies create \
  --organization=ORG_ID \
  --short-name=org-security-policy \
  --description="Organization-wide security firewall policy"

# Add rule to block known malicious IP ranges at org level
gcloud compute firewall-policies rules create 100 \
  --firewall-policy=org-security-policy \
  --organization=ORG_ID \
  --direction=INGRESS \
  --action=deny \
  --src-ip-ranges=THREAT_INTEL_CIDR_1,THREAT_INTEL_CIDR_2 \
  --layer4-configs=all \
  --description="Block known malicious IPs organization-wide"

# Add rule to enforce HTTPS-only ingress at org level
gcloud compute firewall-policies rules create 200 \
  --firewall-policy=org-security-policy \
  --organization=ORG_ID \
  --direction=INGRESS \
  --action=allow \
  --src-ip-ranges=0.0.0.0/0 \
  --layer4-configs=tcp:443 \
  --description="Allow only HTTPS from external sources"

# Associate policy with the organization
gcloud compute firewall-policies associations create \
  --firewall-policy=org-security-policy \
  --organization=ORG_ID

Step 5: Enable VPC Flow Logs for Monitoring

Configure VPC Flow Logs to monitor traffic patterns and validate firewall rule effectiveness.

# Enable flow logs on a subnet
gcloud compute networks subnets update production-subnet \
  --region=us-central1 \
  --enable-flow-logs \
  --logging-aggregation-interval=interval-5-sec \
  --logging-flow-sampling=1.0 \
  --logging-metadata=include-all

# Query flow logs in Cloud Logging for denied traffic
gcloud logging read '
  resource.type="gce_subnetwork"
  AND jsonPayload.disposition="DENIED"
  AND timestamp>="2026-02-22T00:00:00Z"
' --limit=50 --format=json

# Find traffic hitting overly permissive rules
gcloud logging read '
  resource.type="gce_subnetwork"
  AND jsonPayload.rule_details.reference:"/firewall-rules/default-allow-"
' --limit=100 --format="table(jsonPayload.connection.src_ip,jsonPayload.connection.dest_ip,jsonPayload.connection.dest_port)"

# Export flow logs to BigQuery for analysis
gcloud logging sinks create vpc-flow-bq \
  bigquery.googleapis.com/projects/PROJECT/datasets/vpc_flow_logs \
  --log-filter='resource.type="gce_subnetwork"'

Key Concepts

TermDefinition
VPC Firewall RuleStateful network-level access control that allows or denies traffic to and from VM instances based on IP ranges, protocols, ports, and tags
Hierarchical Firewall PolicyOrganization or folder-level firewall policy that is evaluated before VPC-level rules and applies across all child projects
Network TagLabel applied to VM instances that determines which firewall rules apply, used for targeting ingress and egress rules
Service Account Firewall RuleFirewall rule that targets instances based on their attached service account, providing more secure targeting than mutable network tags
VPC Flow LogsNetwork telemetry captured at the subnet level that records traffic metadata for monitoring, forensics, and firewall rule validation
Implied RulesDefault GCP firewall rules that allow egress to all destinations and deny ingress from all sources, with lowest priority (65535)

Tools & Systems

  • gcloud compute firewall-rules: CLI commands for creating, listing, and managing VPC firewall rules in GCP
  • Hierarchical Firewall Policies: Organization and folder-level policies enforcing security controls across all projects
  • VPC Flow Logs: Subnet-level traffic logging for monitoring, troubleshooting, and validating firewall effectiveness
  • Cloud Logging: Query engine for analyzing VPC Flow Logs and firewall rule hit counts
  • Security Command Center: GCP-native security platform with findings for overly permissive firewall configurations

Common Scenarios

Scenario: Locking Down a Production VPC After Discovery of Overly Permissive Rules

Context: A security audit reveals that the production VPC has default-allow rules permitting SSH from 0.0.0.0/0 and unrestricted egress. SCC reports 14 firewall findings.

Approach:

  1. Enumerate all existing rules with gcloud compute firewall-rules list and categorize by risk
  2. Enable VPC Flow Logs on all subnets to capture baseline traffic patterns for 7 days
  3. Analyze flow logs to identify legitimate traffic that needs explicit allow rules
  4. Create targeted ingress rules for each application tier (web: 443, app: 8080, db: 5432)
  5. Replace the SSH-from-anywhere rule with SSH-from-bastion-subnet-only
  6. Implement default-deny egress and add explicit allow rules for required outbound destinations
  7. Delete the overly permissive default-allow rules after verifying applications function correctly

Pitfalls: Deleting firewall rules without understanding traffic patterns causes outages. Always enable flow logs and analyze traffic before removing rules. Network tags can be added by anyone with compute.instances.setTags permission, making them less secure than service-account-based targeting for critical rules.

Output Format

GCP VPC Firewall Audit Report
================================
Project: production-project
VPC Network: production-vpc
Audit Date: 2026-02-23

RULE INVENTORY:
  Total firewall rules: 34
  Ingress rules: 22
  Egress rules: 12
  Disabled rules: 3

CRITICAL FINDINGS:
[FW-001] SSH Open to Internet
  Rule: default-allow-ssh
  Source: 0.0.0.0/0 -> tcp:22
  Target: All instances (no tags)
  Priority: 65534
  Remediation: Restrict to bastion subnet CIDR

[FW-002] No Egress Restrictions
  Issue: Only implied allow-all-egress rule exists
  Risk: No controls on outbound data exfiltration
  Remediation: Add default-deny egress and explicit allow rules

REMEDIATION ACTIONS COMPLETED:
  Rules deleted: 3 (overly permissive defaults)
  Rules created: 8 (targeted allow rules)
  Egress deny rule: Created at priority 65534
  Flow logs enabled: 6 subnets
how to use implementing-gcp-vpc-firewall-rules

How to use implementing-gcp-vpc-firewall-rules on Cursor

AI-first code editor with Composer

1

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add implementing-gcp-vpc-firewall-rules
2

Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/implementing-gcp-vpc-firewall-rules

The skills CLI fetches implementing-gcp-vpc-firewall-rules from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

3

Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│ • Amp
│ • Antigravity
│ • Cline
│ • Codex
│ ●Cursor(selected)
│ • Cursor
│ • Windsurf
4

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/implementing-gcp-vpc-firewall-rules

Reload or restart Cursor to activate implementing-gcp-vpc-firewall-rules. Access the skill through slash commands (e.g., /implementing-gcp-vpc-firewall-rules) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.

Additional Resources

View source code on GitHubSkills CLI documentationLearn more about CursorWhat are agent skills?

List & Monetize Your Skill

Submit your Claude Code skill and start earning

GET_STARTED →

Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

Improve work quality by 30-40% with less effort

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client with skill support
  • Clear understanding of task or problem to solve
  • Willingness to iterate and refine outputs

Time Estimate

15-45 minutes depending on use case complexity

Installation Steps

  1. 1.Install skill using provided installation command
  2. 2.Test with simple use case relevant to your work
  3. 3.Evaluate output quality and relevance
  4. 4.Iterate on prompts to improve results
  5. 5.Integrate into regular workflow if valuable

Common Pitfalls

  • Expecting perfect results without iteration
  • Not providing enough context in prompts
  • Using skill for tasks outside its intended scope
  • Accepting outputs without review and validation

Best Practices

✓ Do

  • +Start with clear, specific prompts
  • +Provide relevant context and constraints
  • +Review and refine all outputs before using
  • +Iterate to improve output quality
  • +Document successful prompt patterns

✗ Don't

  • Don't use without understanding skill limitations
  • Don't skip validation of outputs
  • Don't share sensitive information in prompts
  • Don't expect skill to replace human judgment

💡 Pro Tips

  • Be specific about desired format and style
  • Ask for multiple options to choose from
  • Request explanations to understand reasoning
  • Combine AI efficiency with human expertise

When to Use This

✓ Use When

Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.

✗ Avoid When

Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.

Learning Path

  1. 1Familiarize yourself with skill capabilities and limitations
  2. 2Start with low-risk, non-critical tasks
  3. 3Progress to more complex and valuable use cases
  4. 4Build expertise through regular use and experimentation

Discussion

Product Hunt–style comments (not star reviews)
  • No comments yet — start the thread.
general reviews

Ratings

4.729 reviews
  • Dhruvi Jain· Dec 16, 2024

    implementing-gcp-vpc-firewall-rules is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

  • Naina Jackson· Dec 16, 2024

    implementing-gcp-vpc-firewall-rules fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Mei Wang· Dec 16, 2024

    Registry listing for implementing-gcp-vpc-firewall-rules matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Piyush G· Nov 27, 2024

    Keeps context tight: implementing-gcp-vpc-firewall-rules is the kind of skill you can hand to a new teammate without a long onboarding doc.

  • Oshnikdeep· Nov 7, 2024

    Useful defaults in implementing-gcp-vpc-firewall-rules — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

  • Meera Chen· Nov 7, 2024

    I recommend implementing-gcp-vpc-firewall-rules for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.

  • Mei Jackson· Nov 7, 2024

    implementing-gcp-vpc-firewall-rules reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Ganesh Mohane· Oct 26, 2024

    Registry listing for implementing-gcp-vpc-firewall-rules matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Henry Verma· Oct 26, 2024

    Solid pick for teams standardizing on skills: implementing-gcp-vpc-firewall-rules is focused, and the summary matches what you get after install.

  • Aisha Jackson· Oct 26, 2024

    implementing-gcp-vpc-firewall-rules is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.

showing 1-10 of 29

1 / 3