Restricting Inbound Traffic to a GCP Compute Engine VM

Introduction

In this guide, we will create a Pulumi program to restrict inbound traffic to a Google Cloud Platform (GCP) Compute Engine Virtual Machine (VM). We will use Pulumi’s TypeScript SDK to define and deploy the necessary resources. The key services involved include Google Cloud’s Compute Engine and Firewall rules.

Step-by-Step Explanation

Step 1: Set Up Pulumi and GCP Provider

  1. Ensure you have Pulumi installed. If not, you can install it from Pulumi’s installation guide.
  2. Set up your Pulumi project by running pulumi new typescript in your desired directory.
  3. Configure the GCP provider with your credentials by running pulumi config set gcp:project YOUR_PROJECT_ID and pulumi config set gcp:region YOUR_REGION.

Step 2: Create a Compute Engine VM

  1. In your index.ts file, import the necessary Pulumi and GCP libraries:
    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";
    
  2. Define the VM instance:
    const vm = new gcp.compute.Instance("my-vm", {
        machineType: "f1-micro",
        zone: "us-central1-a",
        bootDisk: {
            initializeParams: {
                image: "debian-cloud/debian-9",
            },
        },
        networkInterfaces: [{
            network: "default",
            accessConfigs: [{}], // Include this line to assign a public IP
        }],
    });
    

Step 3: Restrict Inbound Traffic with Firewall Rules

  1. Define a firewall rule to restrict inbound traffic:
    const firewall = new gcp.compute.Firewall("my-firewall", {
        network: "default",
        allows: [{
            protocol: "tcp",
            ports: ["22"], // Allow SSH traffic only
        }],
        sourceRanges: ["0.0.0.0/0"], // Allow traffic from any IP
        targetTags: ["my-vm"],
    });
    
  2. Apply the firewall rule to the VM by adding the matching network tag to the instance defined in Step 2. The rule's targetTags selects instances carrying that tag, so the tag goes on the existing resource rather than on a second instance:
    const vm = new gcp.compute.Instance("my-vm", {
        // machineType, zone, bootDisk and networkInterfaces exactly as in Step 2
        tags: ["my-vm"], // must match the firewall rule's targetTags
    });
    
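As an added example that is not part of this guide or the Pulumi SDK, the following pre-deployment audit places the guide's rule (SSH from 0.0.0.0/0) beside a hardened version that only admits Google's IAP TCP-forwarding range (35.235.240.0/20) and flags any rule that exposes an admin port to the whole internet. The FirewallArgs model, the ADMIN_PORTS list and the rule names are assumptions of this example, written in plain TypeScript so it runs without cloud credentials.

```typescript
// Added audit helper (not part of the guide or the Pulumi SDK): models the subset of
// gcp.compute.FirewallArgs used above so it runs with plain TypeScript and no cloud access.
type Allow = { protocol: string; ports?: string[] };
interface FirewallArgs { network: string; allows?: Allow[]; sourceRanges?: string[]; targetTags?: string[] }

// The guide's rule as written: SSH reachable from the entire internet.
const weakRule: FirewallArgs = {
    network: "default",
    allows: [{ protocol: "tcp", ports: ["22"] }],
    sourceRanges: ["0.0.0.0/0"],
    targetTags: ["my-vm"],
};
// Hardened rule: only Google's IAP TCP-forwarding range may reach port 22, so admins connect
// with `gcloud compute ssh --tunnel-through-iap` and the VM needs no public SSH exposure.
// Substitute your VPN or office CIDR if IAP is not in use.
const hardenedRule: FirewallArgs = {
    network: "default",
    allows: [{ protocol: "tcp", ports: ["22"] }],
    sourceRanges: ["35.235.240.0/20"],
    targetTags: ["my-vm"],
};

// Admin ports that must never be open to 0.0.0.0/0 (assumed policy list; extend as needed).
const ADMIN_PORTS = [22, 3389];

// True when a port spec such as "22" or "20-25" covers any watched port.
function portSpecCovers(spec: string, watched: number[]): boolean {
    const [lo, hi] = spec.split("-").map(Number);
    const end = hi ?? lo;
    return watched.some(p => p >= lo && p <= end);
}

// Returns one finding per internet-exposed admin port or wildcard allow; empty means clean.
function auditFirewall(ruleName: string, args: FirewallArgs): string[] {
    const findings: string[] = [];
    const openToWorld = (args.sourceRanges ?? []).some(r => r === "0.0.0.0/0" || r === "::/0");
    if (!openToWorld) return findings;
    if (!args.targetTags?.length) findings.push(`${ruleName}: no targetTags, so it applies to every VM in ${args.network}`);
    for (const a of args.allows ?? []) {
        const ports = a.ports ?? [];
        if (a.protocol === "all" || ports.length === 0) {
            findings.push(`${ruleName}: ${a.protocol} with no port limit is open to the internet`);
            continue;
        }
        for (const spec of ports.filter(s => portSpecCovers(s, ADMIN_PORTS))) {
            findings.push(`${ruleName}: ${a.protocol}/${spec} is open to the internet`);
        }
    }
    return findings;
}
```

Note that the `default` VPC network is created with its own default-allow-ssh rule open to 0.0.0.0/0, so on that network the guide's rule adds no restriction until that pre-populated rule is removed.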

Step 4: Deploy the Pulumi Program

  1. Run pulumi up to preview and deploy the changes.
  2. Confirm the deployment to create the VM and apply the firewall rules.

Summary

In this guide, we created a Pulumi program to restrict inbound traffic to a GCP Compute Engine VM. We set up a VM instance, defined a firewall rule that allows only SSH (TCP port 22), and applied the rule to the VM through a matching network tag. This limits inbound traffic to the VM to what the rule explicitly allows while keeping the access you need.

By following these steps, you can easily manage and secure your GCP resources using Pulumi’s infrastructure as code approach.

Full Code Example

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Create a Compute Engine VM instance
const vm = new gcp.compute.Instance("my-vm", {
    machineType: "f1-micro",
    zone: "us-central1-a",
    bootDisk: {
        initializeParams: {
            image: "debian-cloud/debian-9",
        },
    },
    networkInterfaces: [{
        network: "default",
        accessConfigs: [{}], // Include this line to assign a public IP
    }],
    tags: ["my-vm"],
});

// Define a firewall rule to restrict inbound traffic
const firewall = new gcp.compute.Firewall("my-firewall", {
    network: "default",
    allows: [{
        protocol: "tcp",
        ports: ["22"], // Allow SSH traffic only
    }],
    sourceRanges: ["0.0.0.0/0"], // Allow traffic from any IP
    targetTags: ["my-vm"],
});
