This Google Cloud Platform security best practice is part of the Network & Infrastructure Security security domain.
The capability shall configure its IT systems to:
- monitor and control communications at the external boundary and at key internal boundaries within the system;
- have limited number of access points to allow for more comprehensive monitoring of inbound and outbound communications and network traffic; and
- connect to external networks or IT systems only through managed interfaces consisting of boundary protection devices.
The capability shall implement a dedicated and isolated computing environment for sensitive systems. For shared networks, especially those extending across Client’s boundaries, the capability of users to connect to the network shall be restricted, in line with the Client’s access control policy and requirements of the business applications.
Applying the right firewall rules to the right VMs in an environment is a way to provide least-privilege network access.
Service accounts and network tags cannot be mixed within a single firewall rule definition. For ingress rules this means: if a service account is used for the source filter or the target, then neither the target nor the source filter can be a network tag.
GCP uses a connection tracking table to support stateful firewall filtering. The maximum number of connections in the table depends on the instance type:
Firewall rules are applied to the VPC network on which your GCE instances reside. They apply to both inbound (ingress) and outbound (egress) traffic, including traffic between instances in the same network. Firewall rules can be set to allow or deny traffic based on protocol, ports, and IP addresses. Firewall rules have the following settings:
- Keep your firewall rules in line with the model of least privilege. To allow traffic through, create firewall rules that explicitly allow only the traffic your applications need in order to communicate.
- Assign the Compute Security Admin role to your security or networking team so that they can configure and modify the firewall rules on your network.
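As an added example, not taken from this page or from Google's own tooling, the following Python linter checks firewall rule definitions against the two points above before they are applied: the restriction that service accounts and network tags cannot be mixed in one rule, and least-privilege scoping (no ingress allow rule open to every address on every port, and no ingress allow rule without a target filter). It assumes rules are expressed with the Compute API firewall resource field names, as printed by `gcloud compute firewall-rules list --format=json`; the sample rules, service-account addresses and the project name `example-project` are constructed for the example.

```python
"""Lint Google Cloud VPC firewall rule definitions for two best-practice points:

 - a single rule must not mix service accounts and network tags (for an ingress
   rule, a service account as source filter or target rules out a network tag on
   the other side), and
 - least privilege: flag ingress allow rules reachable from any address on every
   port, and ingress allow rules with no target filter (which apply to every
   instance in the network).

Rule dictionaries use the Compute API firewall resource field names, i.e. what
`gcloud compute firewall-rules list --format=json` prints. The sample rules at
the bottom are constructed for this example.
"""

from typing import Dict, List

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def mixes_tags_and_service_accounts(rule: Dict) -> bool:
    """True when the rule uses a service account on one side and a network tag
    on the other (source filter or target)."""
    uses_sa = bool(rule.get("sourceServiceAccounts") or rule.get("targetServiceAccounts"))
    uses_tag = bool(rule.get("sourceTags") or rule.get("targetTags"))
    return uses_sa and uses_tag


def is_ingress_allow(rule: Dict) -> bool:
    """Ingress rules default to INGRESS when direction is omitted; only enabled
    rules with an 'allowed' list matter for the least-privilege checks."""
    return (rule.get("direction", "INGRESS") == "INGRESS"
            and "allowed" in rule
            and not rule.get("disabled", False))


def is_overly_permissive(rule: Dict) -> bool:
    """True when an ingress allow rule accepts traffic from any IPv4/IPv6 address
    on all protocols, or on tcp/udp with no port list (which means every port)."""
    if not is_ingress_allow(rule):
        return False
    if not any(r in (ANY_IPV4, ANY_IPV6) for r in rule.get("sourceRanges", [])):
        return False
    for entry in rule["allowed"]:
        proto = entry.get("IPProtocol", "").lower()
        if proto == "all":
            return True
        if proto in ("tcp", "udp") and not entry.get("ports"):
            return True
    return False


def has_no_target_filter(rule: Dict) -> bool:
    """An ingress allow rule with neither targetTags nor targetServiceAccounts
    applies to every instance in the VPC network."""
    return is_ingress_allow(rule) and not (
        rule.get("targetTags") or rule.get("targetServiceAccounts"))


def lint_rule(rule: Dict) -> List[str]:
    """Return one finding string per problem detected in a single rule."""
    name = rule.get("name", "<unnamed>")
    findings = []
    if mixes_tags_and_service_accounts(rule):
        findings.append(f"{name}: mixes service accounts and network tags (not allowed in one rule)")
    if is_overly_permissive(rule):
        findings.append(f"{name}: ingress allow from any address on all ports")
    if has_no_target_filter(rule):
        findings.append(f"{name}: no target filter, rule applies to every instance in the network")
    return findings


def lint_rules(rules: List[Dict]) -> List[str]:
    """Lint a list of rules, e.g. the parsed output of `gcloud ... --format=json`."""
    out: List[str] = []
    for rule in rules:
        out.extend(lint_rule(rule))
    return out


# Constructed sample rules (not real project data).
SAMPLE_RULES = [
    {   # acceptable: web tier scoped by service account, HTTPS only, from two ranges
        "name": "allow-https-to-web",
        "direction": "INGRESS",
        "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"],
        "targetServiceAccounts": ["web@example-project.iam.gserviceaccount.com"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
    },
    {   # invalid: service-account target combined with a network-tag source filter
        "name": "app-to-db",
        "direction": "INGRESS",
        "sourceTags": ["app"],
        "targetServiceAccounts": ["db@example-project.iam.gserviceaccount.com"],
        "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}],
    },
    {   # overly permissive and unscoped: any address, all protocols, every instance
        "name": "allow-all",
        "direction": "INGRESS",
        "sourceRanges": ["0.0.0.0/0"],
        "allowed": [{"IPProtocol": "all"}],
    },
]

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```

Run as a script it prints three findings: one for `app-to-db` (mixed service account and tag) and two for `allow-all` (open to everyone, and no target filter). To check a real project, feed the parsed JSON from `gcloud compute firewall-rules list --format=json` to `lint_rules`; a team holding the Compute Security Admin role can then tighten the flagged rules.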