This is follow-on documentation from the GCP Quick Start page.
Follow these instructions if you wish to test firewall rules against a VM Instance you would like egress filtering applied on.
- Let's create an Instance in the Subnetwork the firewall was deployed to. To save ourselves from SSHing into the VM Instance, we will simply add tests to its Startup Script and later check the logs. Begin by proceeding to Compute Engine -> VM Instances and choose to Create one.
  - Having chosen your preferred Operating System (Boot Disk), under the Management tab, add commands to retrieve an allowed and a disallowed TLS destination. In our example these are two HTTPS URLs: one whose hostname is in the example whitelist from the GCP Quick Start page, and one whose hostname is not mentioned in any rule and is therefore disallowed. The example commands used here are:
  - Next, under the Networking tab, ensure that the chosen Network and Subnetwork are the ones the firewall instance(s) were deployed to, and that the VM Instance does not have an External IP. The VM Instance must reach the Internet through the NAT offered by the firewall and must not be exposed directly on a public interface.
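The startup script below is an added, constructed example of the kind of test described above; it is not the commands from the original page or from the firewall vendor. It assumes curl is present on the boot image, that registry.npmjs.org is on the whitelist and hub.docker.com is not (as on the GCP Quick Start page), and that the GCE metadata server is reachable at 169.254.169.254 so the probes only fire when the script really runs inside a VM. Every line it logs carries an `egress-test` tag so it can be found quickly in the Serial Port 1 output.

```shell
#!/bin/bash
# Constructed startup-script example (not the original page's commands).
# Assumed: curl exists on the image; registry.npmjs.org is whitelisted and
# hub.docker.com is not. Output goes to stderr, which the GCE startup-script
# runner forwards to the serial console (Serial Port 1).

TAG="egress-test"

# Map a curl exit status to a verdict. Only status 0 means the TLS session
# was established and a response received; anything else means the request
# was prevented (by the firewall or something else on the path).
classify_curl_exit() {
  case "$1" in
    0) echo "ALLOWED" ;;
    *) echo "BLOCKED (curl exit $1)" ;;
  esac
}

# Fetch one URL with a bounded timeout, so a silently dropped connection
# cannot hang the boot sequence, then log the verdict next to the expected
# one. Returns non-zero when the verdict does not match the expectation.
probe() {
  url="$1"
  expected="$2"
  err=$(curl --silent --show-error --output /dev/null --max-time 15 "$url" 2>&1)
  status=$?
  verdict=$(classify_curl_exit "$status")
  echo "$TAG: url=$url expected=$expected result=$verdict ${err:+error=\"$err\"}" >&2
  [ "${verdict%% *}" = "$expected" ]
}

# One allowed and one disallowed destination, as in the walkthrough.
# The count of unexpected results is the return value, so a single line
# in the console log tells you whether the policy behaved as intended.
run_egress_tests() {
  failures=0
  probe "https://registry.npmjs.org/" ALLOWED || failures=$((failures + 1))
  probe "https://hub.docker.com/" BLOCKED || failures=$((failures + 1))
  echo "$TAG: $failures unexpected result(s)" >&2
  return "$failures"
}

# Only run the network probes when actually on a GCE VM (metadata server
# present); this keeps the helper functions usable elsewhere.
if curl --silent --max-time 2 -H 'Metadata-Flavor: Google' \
     http://169.254.169.254/computeMetadata/v1/instance/id >/dev/null 2>&1; then
  run_egress_tests
fi
```

Paste the script as the instance's Startup Script; after boot, the `egress-test` lines appear in the serial console, with the disallowed destination showing a non-zero curl exit status and the allowed one showing `ALLOWED`.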
- From the VM Instance Details view, follow the link to the console logs, where the standard error output of the startup script will be present. Just follow the Serial Port 1 (console) link.
- In the console logs, one can spot that our curl command to the unauthorized destination, i.e. hub.docker.com, threw an error!
- Let's now look at the flow logs. Browse to Logging -> Logs Viewer and paste the Log Filter for Data Flow from the Deployments page, which in the case of our example was `logName="projects/<gcp project name>/logs/discriminat-flow"`.
  - One can observe that the hostname registry.npmjs.org was allowed whereas hub.docker.com was not. Unfolding a log entry will reveal rich, structured metadata about the event. Give it a go!