gcp-gce-fw-public-rdp

Ensure Google compute firewall ingress does not allow unrestricted rdp access

When configuring firewall rules to allow or deny traffic to your compute instances, it is recommended to limit access to administrative ports such as RDP (Microsoft Remote Desktop, TCP port 3389) to trusted networks by setting source_ranges to those networks rather than to 0.0.0.0/0.

Also noteworthy: the default VPC created in new projects gets a default-allow-rdp firewall rule, which means that any VM in that network has port 3389 exposed to the Internet. It is recommended to simply delete this firewall rule or, better yet, to create a custom VPC, which will not receive any of those insecure default rules. You can delete the default rule using the CLI (gcloud compute firewall-rules delete default-allow-rdp) or use Terraform to block this port with a higher-priority deny rule.

resource "google_compute_firewall" "default" {
  name    = "block-ssh-and-rdp-in-default-vpc"
  network = google_compute_network.default.name

  allow {
    protocol = "icmp"
  }

  # Deny SSH and RDP from any source. The default priority (1000) takes
  # precedence over the default-allow-rdp rule, which is created at 65534.
  deny {
    protocol = "tcp"
    ports    = ["22", "3389"]
  }

  # Explicit: without source_ranges an ingress rule already applies to 0.0.0.0/0
  source_ranges = ["0.0.0.0/0"]
}

Examples

Insecure Example

resource "google_compute_firewall" "default" {
  name    = "allow-rdp-access-from-the-internet"
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["3389"]
  }

  source_ranges = ["0.0.0.0/0"]
}

Secure Example

resource "google_compute_firewall" "default" {
  name    = "allow-rdp-access-from-trusted-networks"
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["3389"]
  }

  source_ranges = ["18.10.10.0/24"]  # Limit to your own trusted networks where you will connect from
}
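The same check can be run against rules already deployed in a project. The following is an added example, not part of this page or of any tool it describes: it evaluates the JSON emitted by `gcloud compute firewall-rules list --format=json` (fields `direction`, `disabled`, `sourceRanges`, `allowed[].IPProtocol`, `allowed[].ports`) and flags enabled ingress rules that allow TCP/3389 from the whole address space, including rules that reach the port through a port range or by allowing all ports. The sample rule list is constructed for illustration.

```python
import ipaddress
import json

RDP_PORT = 3389

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`
SAMPLE_RULES_JSON = """
[
  {"name": "default-allow-rdp", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "allow-rdp-access-from-trusted-networks", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["18.10.10.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
  {"name": "allow-wide-range", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
  {"name": "allow-all-tcp-disabled", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp"}]},
  {"name": "egress-rdp", "direction": "EGRESS", "disabled": false,
   "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]}
]
"""

def covers_port(ports, port):
    """True if a GCP `ports` list (single ports or 'lo-hi' ranges) covers `port`.
    An absent or empty list means every port of the protocol."""
    if not ports:
        return True
    for entry in ports:
        lo, _, hi = entry.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def is_unrestricted(cidr):
    """A source range is unrestricted when it is the whole IPv4 or IPv6 space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def exposes_rdp(rule):
    """True if an enabled INGRESS rule allows TCP/3389 from an unrestricted range."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled", False):
        return False
    if not any(is_unrestricted(r) for r in rule.get("sourceRanges", [])):
        return False
    for allowed in rule.get("allowed", []):
        proto = allowed.get("IPProtocol", "").lower()
        if proto in ("tcp", "all") and covers_port(allowed.get("ports"), RDP_PORT):
            return True
    return False

def find_public_rdp_rules(rules_json):
    """Names of rules in the gcloud JSON listing that expose RDP to the Internet."""
    return [r["name"] for r in json.loads(rules_json) if exposes_rdp(r)]

if __name__ == "__main__":
    for name in find_public_rdp_rules(SAMPLE_RULES_JSON):
        print(f"FAIL {name}: allows RDP (tcp/3389) from an unrestricted source range")
```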

More information