
gcp-gce-fw-public-ssh

Ensure Google compute firewall ingress does not allow unrestricted ssh access

When configuring firewall rules to allow or deny traffic to your compute instances, limit access to administrative ports like SSH (TCP port 22) to trusted networks by setting source_ranges to those networks rather than to 0.0.0.0/0.

Note also that the default VPC created in a project gets a default-allow-ssh firewall rule, which means every VM in that network has port 22 exposed to the Internet. It is recommended to simply delete this firewall rule, or better yet to create a custom VPC, which does not get any of those insecure default rules. You can delete the default rule with the CLI (gcloud compute firewall-rules delete default-allow-ssh) or use Terraform to block the port with a deny rule such as the one below.

resource "google_compute_firewall" "default" {
  name    = "block-ssh-and-rdp-in-default-vpc"
  network = google_compute_network.default.name

  allow {
    protocol = "icmp"
  }

  # The default priority (1000) takes precedence over the built-in
  # default-allow-ssh rule (priority 65534), so this deny wins.
  # With no source_ranges the rule applies to all sources (0.0.0.0/0).
  deny {
    protocol = "tcp"
    ports    = ["22", "3389"]
  }
}

Examples

Insecure Example

resource "google_compute_firewall" "default" {
  name    = "allow-ssh-access-from-the-internet"
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["0.0.0.0/0"] # SSH reachable from any address on the Internet
}

Secure Example

resource "google_compute_firewall" "default" {
  name    = "allow-ssh-access-from-trusted-networks"
  network = google_compute_network.default.name

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["18.10.10.0/24"] # Limit to your own trusted networks where you will connect from
}
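As an added example (not part of the original rule page and not Datadog's or Google's code), the following Python script audits a list of VPC firewall rules for the misconfiguration this rule describes: an enabled ingress rule that allows tcp/22 (directly, through a port range, or via protocol "all"/tcp-without-ports) from an unrestricted source (0.0.0.0/0 or ::/0). It also reports whether a higher-precedence deny rule, like the Terraform block above, shadows the finding. The input shape is assumed to follow the JSON fields of gcloud compute firewall-rules list --format=json (name, direction, disabled, priority, sourceRanges, sourceTags, sourceServiceAccounts, allowed, denied, IPProtocol, ports); the sample rules are constructed and reuse the names from this page.

```python
"""Flag GCP VPC firewall rules that expose SSH (tcp/22) to the whole Internet.

The input is a list of dicts shaped like the JSON that
`gcloud compute firewall-rules list --format=json` returns (assumption:
only the fields named below are modelled).
"""
import ipaddress

SSH_PORT = 22
DEFAULT_PRIORITY = 1000  # GCP's default when a rule sets no priority


def _port_matches(port_spec, port):
    """True if a GCP port spec ("22" or a range such as "20-1024") covers `port`."""
    if "-" in port_spec:
        lo, hi = (int(p) for p in port_spec.split("-", 1))
        return lo <= port <= hi
    return int(port_spec) == port


def _covers_port(entries, port):
    """True if an `allowed`/`denied` list matches tcp/<port>."""
    for entry in entries:
        proto = entry.get("IPProtocol", "").lower()
        if proto == "all":
            return True
        if proto != "tcp":
            continue
        ports = entry.get("ports")
        if not ports or any(_port_matches(p, port) for p in ports):
            return True  # tcp with no port list means every tcp port
    return False


def _unrestricted_sources(rule):
    """Source ranges of `rule` that match every address (0.0.0.0/0 or ::/0)."""
    ranges = rule.get("sourceRanges")
    if not ranges and not rule.get("sourceTags") and not rule.get("sourceServiceAccounts"):
        ranges = ["0.0.0.0/0"]  # GCP's documented default when no source is given
    return [r for r in (ranges or []) if ipaddress.ip_network(r, strict=False).prefixlen == 0]


def _active_ingress(rules):
    """Enabled INGRESS rules only; egress and disabled rules cannot expose SSH."""
    return [r for r in rules
            if r.get("direction", "INGRESS") == "INGRESS" and not r.get("disabled", False)]


def find_public_ssh_rules(rules):
    """Return [(allow_rule_name, priority, shadowing_deny_name_or_None), ...].

    A finding is shadowed when an enabled deny rule covering tcp/22 from an
    unrestricted source has a lower priority number (higher precedence).
    Only unrestricted denies are considered, so narrower denies are ignored.
    """
    active = _active_ingress(rules)
    open_denies = [(r.get("priority", DEFAULT_PRIORITY), r["name"]) for r in active
                   if _covers_port(r.get("denied", []), SSH_PORT) and _unrestricted_sources(r)]
    findings = []
    for r in active:
        if not _covers_port(r.get("allowed", []), SSH_PORT) or not _unrestricted_sources(r):
            continue
        prio = r.get("priority", DEFAULT_PRIORITY)
        shadow = next((name for p, name in sorted(open_denies) if p < prio), None)
        findings.append((r["name"], prio, shadow))
    return findings


# Constructed sample data (not real project output); names reuse the page's rules.
SAMPLE_RULES = [
    {"name": "default-allow-ssh", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "block-ssh-and-rdp-in-default-vpc", "direction": "INGRESS",
     "allowed": [{"IPProtocol": "icmp"}],
     "denied": [{"IPProtocol": "tcp", "ports": ["22", "3389"]}]},
    {"name": "allow-ssh-access-from-trusted-networks", "direction": "INGRESS",
     "sourceRanges": ["18.10.10.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-admin-range-everywhere", "direction": "INGRESS", "priority": 900,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["20-1024"]}]},
    {"name": "allow-web", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "old-open-ssh", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
]

if __name__ == "__main__":
    for name, prio, shadow in find_public_ssh_rules(SAMPLE_RULES):
        status = f"shadowed by {shadow}" if shadow else "EXPOSED"
        print(f"{name} (priority {prio}): {status}")
```

On the sample, default-allow-ssh is reported but shown as shadowed by the deny rule from this page, while allow-admin-range-everywhere is reported as exposed because its port range includes 22 and its priority (900) beats the deny (1000). Treat shadowed findings as still worth deleting: the protection disappears as soon as someone removes or reprioritises the deny rule.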

More information