GCP Quick Start Testing

This is follow-on documentation from the GCP Quick Start page.

Follow these instructions if you wish to test firewall rules against a VM Instance you would like Egress filtering applied on.

Testing

  1. Let's create an Instance in the Subnetwork the firewall was deployed to. To save ourselves from SSH'ing into the VM Instance, we will simply add tests to its Startup Script and later check the logs. Begin by proceeding to Compute Engine -> VM Instances and choose to Create one.

    VM Instance Startup Script

    Having chosen your preferred Operating System (Boot Disk), under the Management tab, add commands to retrieve an allowed and a disallowed TLS destination. In our example, these are HTTPS URLs one of which is allowed in the example whitelist as on the GCP Quick Start page, and the other not mentioned in any way therefore disallowed. The example commands used here are:

    curl https://registry.npmjs.org/
    curl https://hub.docker.com/


    Next, under the Networking tab, ensure that the chosen Network and Subnetwork are the one where the firewall instance(s) were deployed to, and that the VM Instance does not have an External IP. The VM Instance must access Internet through NAT offered by the firewall and not be exposed to the public interface directly.

    VM Instance Networking
     
  2. From the VM Instance Details view, follow the link to console logs where the standard error output will be present from the startup scripts. Just follow the Serial Port 1 (console) link.

    VM Instance Details
     
  3. From the console logs, one can spot that our curl command to the unauthorized destination, i.e. hub.docker.com , threw an error!

    Console Log
     
  4. Let's now look at the flow logs. Browse to Logging -> Logs Viewer and choose Convert to advanced filter. Paste the Log Filter for Data Flow from the Deployments page, which in the case of our example was logName="projects/<project name>/logs/secure-egress-gateway-flow" .

    Logs Viewer

    One can observe that the hostname registry.npmjs.org was allowed whereas hub.docker.com was not. Unfolding the log entry will reveal rich, structured metadata about the event. Give it a go!