Implementing and auditing GCP VPC firewall rules to enforce network segmentation, restrict ingress and egress traffic, apply hierarchical firewall policies across the organization, and monitor firewall rule effectiveness using VPC Flow Logs.
Works with
AI-first code editor with Composer
Before installing skills in Cursor, ensure your development environment meets these requirements:
node --versionimplementing-gcp-vpc-firewall-rulesExecute the skills CLI command in your project's root directory to begin installation:
Fetches implementing-gcp-vpc-firewall-rules from mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.
The CLI shows a list of agents. Use arrow keys and space to select Cursor:
Confirm successful installation by checking the skill directory location:
Restart Cursor to activate implementing-gcp-vpc-firewall-rules. Access via /implementing-gcp-vpc-firewall-rules in your agent's command palette.
We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.
Skills execute code in your environment. Always review source, verify the publisher, and test in isolation before production.
Submit your Claude Code skill and start earning
Automate repetitive workflows and reduce manual effort
Example
Generate reports, summarize documents, draft communications
Save 3-5 hours per week on routine tasks
Learn new skills, understand complex topics, get expert guidance
Example
Explain concepts, provide examples, suggest learning resources
Accelerate learning and skill development by 2x
Enhance output quality through reviews, suggestions, and refinements
Example
Review drafts, suggest improvements, catch errors
Improve work quality by 30-40% with less effort
0
total installs
0
this week
8.6K
GitHub stars
0
upvotes
Run in your terminal
0
installs
0
this week
8.6K
stars
| name | implementing-gcp-vpc-firewall-rules |
| description | 'Implementing and auditing GCP VPC firewall rules to enforce network segmentation, restrict ingress and egress traffic, apply hierarchical firewall policies across the organization, and monitor firewall rule effectiveness using VPC Flow Logs. ' |
| domain | cybersecurity |
| subdomain | cloud-security |
| tags | - cloud-security - gcp - vpc - firewall-rules - network-security - segmentation |
| version | '1.0' |
| author | mahipal |
| license | Apache-2.0 |
| nist_csf | - PR.IR-01 - ID.AM-08 - GV.SC-06 - DE.CM-01 |
Do not use for application-layer filtering (use Cloud Armor WAF), for DNS-based filtering (use Cloud DNS response policies), or for VPN/interconnect traffic filtering without understanding that VPC firewall rules apply to traffic within the VPC.
roles/compute.securityAdmin for firewall management, roles/compute.networkViewer for auditingEnumerate all firewall rules and identify overly permissive configurations.
# List all firewall rules in the project
gcloud compute firewall-rules list \
--format="table(name, network, direction, priority, allowed[].map().firewall_rule().list():label=ALLOWED, sourceRanges, targetTags)"
# Find rules allowing all traffic from 0.0.0.0/0
gcloud compute firewall-rules list \
--filter="direction=INGRESS AND sourceRanges=0.0.0.0/0" \
--format="table(name, network, allowed, priority, targetTags)" \
--sort-by=priority
# Find rules allowing all protocols and ports
gcloud compute firewall-rules list \
--filter="direction=INGRESS AND allowed[].IPProtocol=all" \
--format="table(name, network, sourceRanges, targetTags)"
# Find rules with SSH (22) or RDP (3389) open to the internet
gcloud compute firewall-rules list \
--filter="direction=INGRESS AND sourceRanges=0.0.0.0/0 AND (allowed[].ports=22 OR allowed[].ports=3389)" \
--format="table(name, network, allowed, sourceRanges)"
# Check for disabled rules
gcloud compute firewall-rules list \
--filter="disabled=true" \
--format="table(name, network, direction)"
Implement least-privilege ingress rules using network tags and service accounts for targeting.
# Create rule allowing HTTPS from the internet to web servers only
gcloud compute firewall-rules create allow-https-web \
--network=production-vpc \
--direction=INGRESS \
--action=ALLOW \
--rules=tcp:443 \
--source-ranges=0.0.0.0/0 \
--target-tags=web-server \
--priority=1000 \
--description="Allow HTTPS to web servers from internet"
# Create rule allowing SSH only from bastion host subnet
gcloud compute firewall-rules create allow-ssh-bastion \
--network=production-vpc \
--direction=INGRESS \
--action=ALLOW \
--rules=tcp:22 \
--source-ranges=10.0.1.0/24 \
--target-tags=ssh-allowed \
--priority=1000 \
--description="Allow SSH only from bastion subnet"
# Create rule allowing internal communication between app tiers
gcloud compute firewall-rules create allow-app-to-db \
--network=production-vpc \
--direction=INGRESS \
--action=ALLOW \
--rules=tcp:5432 \
--source-tags=app-server \
--target-tags=db-server \
--priority=1000 \
--description="Allow PostgreSQL from app tier to database tier"
# Create service-account-based rule (more secure than tags)
gcloud compute firewall-rules create allow-api-internal \
--network=production-vpc \
--direction=INGRESS \
--action=ALLOW \
--rules=tcp:8080 \
--source-service-accounts=api-client@project.iam.gserviceaccount.com \
--target-service-accounts=api-server@project.iam.gserviceaccount.com \
--priority=1000
Configure egress firewall rules to control outbound traffic and prevent data exfiltration.
# Deny all egress by default (low priority)
gcloud compute firewall-rules create deny-all-egress \
--network=production-vpc \
--direction=EGRESS \
--action=DENY \
--rules=all \
--destination-ranges=0.0.0.0/0 \
--priority=65534 \
--description="Default deny all egress traffic"
# Allow egress to Google APIs via restricted VIP
gcloud compute firewall-rules create allow-google-apis \
--network=production-vpc \
--direction=EGRESS \
--action=ALLOW \
--rules=tcp:443 \
--destination-ranges=199.36.153.4/30 \
--priority=1000 \
--description="Allow HTTPS to Google APIs restricted VIP"
# Allow DNS resolution
gcloud compute firewall-rules create allow-dns-egress \
--network=production-vpc \
--direction=EGRESS \
--action=ALLOW \
--rules=udp:53,tcp:53 \
--destination-ranges=169.254.169.254/32,8.8.8.8/32,8.8.4.4/32 \
--priority=1000 \
--description="Allow DNS resolution to metadata and Google DNS"
# Allow egress to specific external services
gcloud compute firewall-rules create allow-external-apis \
--network=production-vpc \
--direction=EGRESS \
--action=ALLOW \
--rules=tcp:443 \
--destination-ranges=PARTNER_CIDR/32 \
--target-tags=api-client \
--priority=1000
Create organization and folder-level firewall policies that apply across all projects.
# Create an organization-level firewall policy
gcloud compute firewall-policies create \
--organization=ORG_ID \
--short-name=org-security-policy \
--description="Organization-wide security firewall policy"
# Add rule to block known malicious IP ranges at org level
gcloud compute firewall-policies rules create 100 \
--firewall-policy=org-security-policy \
--organization=ORG_ID \
--direction=INGRESS \
--action=deny \
--src-ip-ranges=THREAT_INTEL_CIDR_1,THREAT_INTEL_CIDR_2 \
--layer4-configs=all \
--description="Block known malicious IPs organization-wide"
# Add rule to enforce HTTPS-only ingress at org level
gcloud compute firewall-policies rules create 200 \
--firewall-policy=org-security-policy \
--organization=ORG_ID \
--direction=INGRESS \
--action=allow \
--src-ip-ranges=0.0.0.0/0 \
--layer4-configs=tcp:443 \
--description="Allow only HTTPS from external sources"
# Associate policy with the organization
gcloud compute firewall-policies associations create \
--firewall-policy=org-security-policy \
--organization=ORG_ID
Configure VPC Flow Logs to monitor traffic patterns and validate firewall rule effectiveness.
# Enable flow logs on a subnet
gcloud compute networks subnets update production-subnet \
--region=us-central1 \
--enable-flow-logs \
--logging-aggregation-interval=interval-5-sec \
--logging-flow-sampling=1.0 \
--logging-metadata=include-all
# Query flow logs in Cloud Logging for denied traffic
gcloud logging read '
resource.type="gce_subnetwork"
AND jsonPayload.disposition="DENIED"
AND timestamp>="2026-02-22T00:00:00Z"
' --limit=50 --format=json
# Find traffic hitting overly permissive rules
gcloud logging read '
resource.type="gce_subnetwork"
AND jsonPayload.rule_details.reference:"/firewall-rules/default-allow-"
' --limit=100 --format="table(jsonPayload.connection.src_ip,jsonPayload.connection.dest_ip,jsonPayload.connection.dest_port)"
# Export flow logs to BigQuery for analysis
gcloud logging sinks create vpc-flow-bq \
bigquery.googleapis.com/projects/PROJECT/datasets/vpc_flow_logs \
--log-filter='resource.type="gce_subnetwork"'
| Term | Definition |
|---|---|
| VPC Firewall Rule | Stateful network-level access control that allows or denies traffic to and from VM instances based on IP ranges, protocols, ports, and tags |
| Hierarchical Firewall Policy | Organization or folder-level firewall policy that is evaluated before VPC-level rules and applies across all child projects |
| Network Tag | Label applied to VM instances that determines which firewall rules apply, used for targeting ingress and egress rules |
| Service Account Firewall Rule | Firewall rule that targets instances based on their attached service account, providing more secure targeting than mutable network tags |
| VPC Flow Logs | Network telemetry captured at the subnet level that records traffic metadata for monitoring, forensics, and firewall rule validation |
| Implied Rules | Default GCP firewall rules that allow egress to all destinations and deny ingress from all sources, with lowest priority (65535) |
Context: A security audit reveals that the production VPC has default-allow rules permitting SSH from 0.0.0.0/0 and unrestricted egress. SCC reports 14 firewall findings.
Approach:
gcloud compute firewall-rules list and categorize by riskPitfalls: Deleting firewall rules without understanding traffic patterns causes outages. Always enable flow logs and analyze traffic before removing rules. Network tags can be added by anyone with compute.instances.setTags permission, making them less secure than service-account-based targeting for critical rules.
GCP VPC Firewall Audit Report
================================
Project: production-project
VPC Network: production-vpc
Audit Date: 2026-02-23
RULE INVENTORY:
Total firewall rules: 34
Ingress rules: 22
Egress rules: 12
Disabled rules: 3
CRITICAL FINDINGS:
[FW-001] SSH Open to Internet
Rule: default-allow-ssh
Source: 0.0.0.0/0 -> tcp:22
Target: All instances (no tags)
Priority: 65534
Remediation: Restrict to bastion subnet CIDR
[FW-002] No Egress Restrictions
Issue: Only implied allow-all-egress rule exists
Risk: No controls on outbound data exfiltration
Remediation: Add default-deny egress and explicit allow rules
REMEDIATION ACTIONS COMPLETED:
Rules deleted: 3 (overly permissive defaults)
Rules created: 8 (targeted allow rules)
Egress deny rule: Created at priority 65534
Flow logs enabled: 6 subnets
Prerequisites
Time Estimate
15-45 minutes depending on use case complexity
Steps
Common Pitfalls
✓ Do
✗ Don't
💡 Pro Tips
✓ Use when
Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.
✗ Avoid when
Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
mukul975/Anthropic-Cybersecurity-Skills
implementing-gcp-vpc-firewall-rules is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
implementing-gcp-vpc-firewall-rules fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.
Registry listing for implementing-gcp-vpc-firewall-rules matched our evaluation — installs cleanly and behaves as described in the markdown.
Keeps context tight: implementing-gcp-vpc-firewall-rules is the kind of skill you can hand to a new teammate without a long onboarding doc.
Useful defaults in implementing-gcp-vpc-firewall-rules — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.
I recommend implementing-gcp-vpc-firewall-rules for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.
implementing-gcp-vpc-firewall-rules reduced setup friction for our internal harness; good balance of opinion and flexibility.
Registry listing for implementing-gcp-vpc-firewall-rules matched our evaluation — installs cleanly and behaves as described in the markdown.
Solid pick for teams standardizing on skills: implementing-gcp-vpc-firewall-rules is focused, and the summary matches what you get after install.
implementing-gcp-vpc-firewall-rules is among the better-maintained entries we tried; worth keeping pinned for repeat workflows.
showing 1-10 of 29