I noticed I have the read-only port 10255 open to the wide web. We want to make it available only from inside the VPC, like this answer suggests. I'm not sure how to specify such a rule. I've tried something like this:

gcloud compute firewall-rules create "testcloseport" --action=DENY --rules tcp:10255  --source-tags=public --source-ranges=0.0.0.0/0 --description="Close port 10255 from outside the vpc"

I unfortunately got this error:

ERROR: (gcloud.compute.firewall-rules.create) Could not fetch resource:
 - The resource 'projects/myproject-prod/global/networks/default' was not found

I tried to set the region and zone like this:

gcloud config set compute/region us-east1
gcloud config set compute/zone us-east1-d

I still got the error. I simply want to close this port for the outside of the VPC. Is there a way I can change the firewall-rules create command so it works?

Guillaume Racicot
  • The answer on which you're basing your question implies that you already have or have created a VPC network; did you already create one? Quoting: **“If you are using VPC you can add firewall rules to port (10255) to allow incoming traffic only from the resources on VPC.”** – Ismael Clemente Aguirre Jan 25 '22 at 16:25

1 Answer

The reason you are getting this error:

The resource 'projects/myproject-prod/global/networks/default' was not found

is that the gcloud command you are attempting to run defaults to the VPC named "default", which is the one created by default.

In order to create the firewall rule in a custom network (VPC) you have to pass the --network parameter, for example (replace <MY_VPC_NAME>):

gcloud compute firewall-rules create testcloseport --network <MY_VPC_NAME> --action=DENY --rules tcp:10255  --source-tags=public --source-ranges=0.0.0.0/0 --description="Close port 10255 from outside the vpc"

One more thing: with the rule above you will deny any source IP on port 10255, so you might need a second rule with a higher priority allowing port 10255 only from the private subnet you would like to allow that connection from.

CaioT
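As an added illustration (not code from the question or the answer), the following models how GCP ranks VPC firewall rules so you can see why the allow rule for the private subnet must carry a numerically lower (that is, higher) priority than the DENY rule above. The subnet 10.128.0.0/20, the rule name allow-kubelet-ro-from-vpc and the sample source addresses are assumptions.

```python
"""Model of GCP VPC firewall rule evaluation for ingress traffic.

Constructed example, not the project's own code. GCP applies the matching
rule with the lowest priority number; when nothing matches, the implied
deny-all-ingress rule (priority 65535) applies.
"""
import ipaddress
from dataclasses import dataclass

IMPLIED_DENY_PRIORITY = 65535  # GCP's implied "deny all ingress" rule


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int           # 0..65535, lower number wins
    action: str             # "ALLOW" or "DENY"
    port: int               # TCP port, as in --rules tcp:<port>
    source_ranges: tuple    # CIDR strings, as given to --source-ranges


def evaluate(rules, src_ip, dst_port):
    """Return (action, rule_name) for an ingress packet to dst_port from src_ip."""
    ip = ipaddress.ip_address(src_ip)
    matching = [
        r for r in rules
        if r.port == dst_port
        and any(ip in ipaddress.ip_network(c) for c in r.source_ranges)
    ]
    if not matching:
        return "DENY", "implied-deny-ingress"
    winner = min(matching, key=lambda r: r.priority)
    return winner.action, winner.name


# The DENY rule from the answer (gcloud's default priority is 1000), plus the
# suggested allow rule for an assumed private subnet 10.128.0.0/20.
DENY_ALL = Rule("testcloseport", 1000, "DENY", 10255, ("0.0.0.0/0",))
ALLOW_VPC = Rule("allow-kubelet-ro-from-vpc", 900, "ALLOW", 10255, ("10.128.0.0/20",))
ALLOW_VPC_TOO_LOW = Rule("allow-kubelet-ro-from-vpc", 1100, "ALLOW", 10255, ("10.128.0.0/20",))


def correct_policy(src_ip):
    return evaluate([DENY_ALL, ALLOW_VPC], src_ip, 10255)


def misordered_policy(src_ip):
    # Allow rule numerically higher than the deny: the deny wins for everyone.
    return evaluate([DENY_ALL, ALLOW_VPC_TOO_LOW], src_ip, 10255)


if __name__ == "__main__":
    for ip in ("10.128.0.5", "203.0.113.7"):  # constructed internal / external sources
        print(ip, correct_policy(ip), misordered_policy(ip))
```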