
Before you begin
- The lab creates a Google Cloud project and a set of resources for you to use for a limited period of time
- The lab has a time limit and cannot be paused. If you end the lab early, you must start over.
- Click Start Lab in the upper-left corner of the screen to begin
Tasks in this lab:
- Enable API
- Create a project-level Tag
- Bind Tag to the VM instance
- Create a global network firewall policy
- Create NGFW Essential Rule
- Test traffic with tagged VM
In one of the VPC networks of Cymbal Bank, connected VMs in the range 35.235.240.0/20 must be able to use TCP forwarding for SSH on port 22. However, some VMs on this network are bound by special requirements. These VMs can't send traffic to:
- sites in Italy or Poland
- known search engine crawlers
- the website www.example.com
You use Cloud NGFW Essentials and Cloud NGFW Standard to implement these restrictions on ngfw-vm1.
Cloud NGFW Essentials provides the ability to create global network firewall policies and to create and apply tags to global network firewall policy rules.
Cloud NGFW Standard extends Cloud NGFW Essentials with rule scoping based on fully qualified domain names (FQDNs), geolocations, and Google Threat Intelligence data lists.
In this lab, you configure a global network firewall policy to satisfy these Cymbal Bank requirements. You test the firewall using two provided VMs: ngfw-vm1 and ngfw-vm2. If the firewall works correctly, you should observe that ngfw-vm1 is bound by the special requirements outlined above, and that ngfw-vm2 is not bound by these requirements.
In this lab, you learn how to perform the following tasks:
For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.
Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:
Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).
The lab spins up resources, and then opens another tab that shows the Sign in page.
Tip: Arrange the tabs in separate windows, side-by-side.
If necessary, copy the Username below and paste it into the Sign in dialog.
You can also find the Username in the Lab Details panel.
Click Next.
Copy the Password below and paste it into the Welcome dialog.
You can also find the Password in the Lab Details panel.
Click Next.
Click through the subsequent pages:
After a few moments, the Google Cloud console opens in this tab.
Google Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5 GB home directory and runs on Google Cloud.
Google Cloud Shell provides command-line access to your Google Cloud resources.
In Cloud console, on the top right toolbar, click the Open Cloud Shell button.
Click Continue.
It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. For example:
gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.
After you complete the initial sign-in steps, the project dashboard opens.
In this task, you configure some environment variables and enable the Network Security API.
After the commands execute, you see output that looks similar to what is shown below. (The actual configuration name will differ.)
Next, you enable the Network Security API. Enabling this API also enables the Cloud NGFW functionality in the Google Cloud console and at the gcloud command line.
Click Check my progress to verify your task.
In this task, you create a Tag named gcc-vpc-tag. This Tag enables you to associate a VM with the global network firewall policy. (In subsequent tasks, you associate this tag/value pair with a VM and with a rule in a network firewall policy.)
You provide one value for this tag: gcc-vpc-client.
In the Cloud console, in the Navigation menu, select IAM & Admin > Tags.
Click Create.
For the Tag key, enter gcc-vpc-tag.
Select the For use with network firewall checkbox.
For Project, select the project name associated with this lab exercise. (You can find the project name for this lab exercise on the browser page that you used to launch this lab, the page that shows your lab username and password.)
For Network, select ngfw-vpc.
Click Add Value.
For Tag value 1 enter gcc-vpc-client.
Click Create Tag Key.
Click Check my progress to verify your task.
In this task, you associate the Tag and value that you created in the previous task with the ngfw-vm1 VM. In a subsequent task, you specify the same Tag and value in the rules of a global network firewall policy.
In the Cloud console, on the Navigation menu, select Compute Engine > VM instances.
Click ngfw-vm1.
Click Edit to edit its properties.
Click Manage Tags.
Click Select Scope.
Click the name of your lab project. (There should only be one project name shown here.)
For Key 1, select gcc-vpc-tag.
For Value 1, select gcc-vpc-client.
Click Save.
Click Confirm.
Click Save.
Click Check my progress to verify your task.
In this task, you create the global network firewall policy that contains the restrictions noted at the beginning of this lab exercise.
In the Cloud console, on the Navigation menu, select VPC Network > Firewall.
Click Create Firewall Policy.
For the Policy name, enter gcc-fw-policy.
For the Description, enter Cloud NGFW Essentials.
For the Deployment scope, select Global.
Click Continue.
Scroll down, and click Continue. (You will add firewall policy rules later.)
Click Associate.
Select the ngfw-vpc network.
Click Associate.
Click Create.
Wait until you see an entry on the page for your new global firewall policy, gcc-fw-policy, before continuing to the next task.
Click Check my progress to verify your task.
In this task, you create a firewall policy rule in the gcc-fw-policy network firewall policy that allows TCP forwarding for SSH. You set the priority of this rule to 2000.
If you don't see the Firewall Policies page, in the Navigation menu, select VPC Network > Firewall.
Under Network Firewall Policies, click the gcc-fw-policy. (You may need to scroll down to see Network Firewall Policies.)
Click Create Firewall Rule.
For Priority, enter 2000.
For Description, enter allow ssh traffic from identity-aware-proxy ranges.
For Direction of traffic, select Ingress.
For Action on match, select Allow.
Next, you configure the source filter.
Under Source filters, for the IP type, make sure IPv4 is selected.
For the IP ranges, enter 35.235.240.0/20.
Next, you set the source protocol to TCP and the port to 22.
Under Protocols and ports, select Specified ports and protocols.
Select TCP.
For Port, enter 22.
Leave other settings at their default values, and click Create.
Click Check my progress to verify your task.
In this task, you create firewall policy rules in the gcc-fw-policy network firewall policy. First, you create a firewall policy rule to ensure that the ngfw-vm1 VM can't send traffic to sites in Italy or Poland. You use the tag/value pair that you created in a previous task to scope the network firewall policy rule to the ngfw-vm1 virtual machine. You set the priority of this rule to 4000.
If you don't see the Firewall Policies page, in the Navigation menu, select VPC Network > Firewall.
Under Network Firewall Policies, click the gcc-fw-policy. (You may need to scroll down to see Network Firewall Policies.)
Click Create Firewall Rule.
For Priority, enter 4000.
For Description, enter block egress traffic to Poland and Italy.
For Direction of traffic, select Egress.
For Action on match, select Deny.
Under Logs, click On to enable logging.
Under Target, click Secure tags.
Click Select Scope.
In the pop-up window, click your project ID.
Click Key 1, and select gcc-vpc-tag.
Click Value 1, and select gcc-vpc-client.
Next, you set the destination filters.
For Geolocations, select Poland (PL) and Italy (IT).
Leave other settings at their default values, and click Create.
Wait until the page shows that your new rule has been created before continuing to the next step. (You may have to scroll down to see your new rule.)
Next, you create a firewall policy rule to ensure that the ngfw-vm1 VM can't send traffic to known search engine crawlers. As before, you use the Tag that you created earlier to scope this rule to ngfw-vm1. You set the priority of this rule to 5000.
Click Create Firewall Rule. (You may have to scroll up to see the link.)
For Priority, enter 5000.
For Description, enter block egress traffic to search engine crawlers.
For Direction of traffic, select Egress.
For Action on match, select Deny.
Under Logs, click On to enable logging.
Under Target, click Secure tags.
Click Select Scope.
In the pop-up window, click your project ID.
Click Key 1, and select gcc-vpc-tag.
Click Value 1, and select gcc-vpc-client.
Next, set the destination filters.
Find the drop-down list labeled Google Cloud Threat Intelligence, and select Search engine crawlers.
Click OK.
Leave other settings at their default values, and click Create.
Next, you create a firewall policy rule to ensure that the ngfw-vm1 VM can't send traffic to the website www.example.com. You scope this rule to ngfw-vm1 using the Tag you created earlier.
Click Create Firewall Rule. (You may have to scroll up to see the link.)
For Priority, enter 6000.
For Description, enter block egress traffic to specific FQDN www.example.com.
For Direction of traffic, select Egress.
For Action on match, select Deny.
Under Logs, click On to enable logging.
Under Target, click Secure tags.
Click Select Scope.
In the pop-up window, click your project ID.
Click Key 1, and select gcc-vpc-tag.
Click Value 1, and select gcc-vpc-client.
Next, you set the destination filters.
For the FQDNs, enter www.example.com.
Leave other settings at their default values, and click Create.
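The console steps of the tasks above (enable the API, create and bind the Tag, create the policy, add the four rules) as one gcloud script, added here as an example and not part of the lab. It assumes PROJECT_ID and ZONE are exported, that ngfw-vpc and ngfw-vm1 already exist, and that --target-secure-tags accepts the namespaced PROJECT_ID/KEY/VALUE form; by default (DRY_RUN=1) it only prints the commands.

```shell
# Added example (not the lab's own code): lab tasks 1-5 as gcloud commands.
# Assumed: PROJECT_ID and ZONE are exported; ngfw-vpc and ngfw-vm1 exist; the
# namespaced tag form PROJECT_ID/KEY/VALUE is accepted by --target-secure-tags.
set -eu
PROJECT_ID="${PROJECT_ID:-PROJECT_ID_PLACEHOLDER}"
ZONE="${ZONE:-ZONE_PLACEHOLDER}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands only; 0 = execute them
# Prints a gcloud command in dry-run mode, executes it otherwise.
run() { if [ "$DRY_RUN" = 1 ]; then echo "gcloud $*"; else gcloud "$@"; fi; }
TAG="$PROJECT_ID/gcc-vpc-tag/gcc-vpc-client"
POLICY="--firewall-policy=gcc-fw-policy --global-firewall-policy"

# Task 1: the Network Security API also turns on Cloud NGFW in the console and gcloud.
enable_api() { run services enable networksecurity.googleapis.com --project="$PROJECT_ID"; }

# Task 2: project-level key restricted to firewall use on ngfw-vpc, plus its one value.
create_tag() {
  run resource-manager tags keys create gcc-vpc-tag --parent="projects/$PROJECT_ID" \
      --purpose=GCE_FIREWALL --purpose-data="network=$PROJECT_ID/ngfw-vpc"
  run resource-manager tags values create gcc-vpc-client --parent="$PROJECT_ID/gcc-vpc-tag"
}

# Task 3: only ngfw-vm1 carries the tag, so only it is scoped by the deny rules below.
bind_tag() {
  run resource-manager tags bindings create --tag-value="$TAG" --location="$ZONE" \
      --parent="//compute.googleapis.com/projects/$PROJECT_ID/zones/$ZONE/instances/ngfw-vm1"
}

# Task 4: global policy, associated with the ngfw-vpc network.
create_policy() {
  run compute network-firewall-policies create gcc-fw-policy --global --description="Cloud NGFW Essentials"
  run compute network-firewall-policies associations create $POLICY --network=ngfw-vpc --name=gcc-fw-policy-ngfw-vpc
}
# Task 5: lower number is evaluated first; 2000 admits IAP SSH, 4000-6000 deny tagged egress.
create_rules() {
  run compute network-firewall-policies rules create 2000 $POLICY --direction=INGRESS \
      --action=allow --src-ip-ranges=35.235.240.0/20 --layer4-configs=tcp:22 \
      --description="allow ssh traffic from identity-aware-proxy ranges"
  run compute network-firewall-policies rules create 4000 $POLICY --direction=EGRESS \
      --action=deny --enable-logging --target-secure-tags="$TAG" --dest-region-codes=PL,IT \
      --description="block egress traffic to Poland and Italy"
  run compute network-firewall-policies rules create 5000 $POLICY --direction=EGRESS \
      --action=deny --enable-logging --target-secure-tags="$TAG" \
      --dest-threat-intelligence=iplist-search-engines-crawlers \
      --description="block egress traffic to search engine crawlers"
  run compute network-firewall-policies rules create 6000 $POLICY --direction=EGRESS \
      --action=deny --enable-logging --target-secure-tags="$TAG" --dest-fqdns=www.example.com \
      --description="block egress traffic to specific FQDN www.example.com"
}
enable_api; create_tag; bind_tag; create_policy; create_rules
```

Because only ngfw-vm1 is bound to the tag value, the three deny rules never match ngfw-vm2, which is exactly what the connectivity tests below are meant to show.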
Next, you SSH into the ngfw-vm1 VM instance and verify connectivity with the curl command. If a curl command fails, a message shows that the attempted connection is blocked.
In the Navigation menu, select Compute Engine > VM instances.
For ngfw-vm1, click SSH, and select Open in browser window. A window appears with the command prompt for ngfw-vm1.
In the window that appears for ngfw-vm1, enter this command at the ngfw-vm1 command prompt:
At the ngfw-vm1 command prompt, enter this command:
The timeout message shows that the connection was blocked.
At the ngfw-vm1 command prompt, enter this command:
The timeout message shows that the connection was blocked.
At the ngfw-vm1 command prompt, enter this command:
The 100% packet loss shows that the connection was blocked.
Click Check my progress to verify your task.
Next, you SSH into the ngfw-vm2 VM instance and perform the same connectivity tests as in the previous task. This time, all the requests should work.
In the Navigation menu, select Compute Engine > VM instances.
For ngfw-vm2, click SSH, and select Open in browser window. A window appears with the command prompt for ngfw-vm2.
In the window that appears for ngfw-vm2, enter this command at the ngfw-vm2 command prompt:
This command should execute successfully, generating HTML-tagged lines of text in Polish from www.gov.pl.
At the ngfw-vm2 command prompt, enter this command:
This command should execute successfully, generating HTML-tagged lines of text in Italian from www.esteri.it.
At the ngfw-vm2 command prompt, enter this command:
This command should execute successfully, generating HTML-tagged lines of text in English from www.example.com.
At the ngfw-vm2 command prompt, enter this command:
The 0% packet loss shows that the connection was successful.
You have successfully deployed Cloud NGFW Standard rules to secure your compute workloads.
When you have completed your lab, click End Lab. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.
You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.
The number of stars indicates the following:
You can close the dialog box if you don't want to provide feedback.
For feedback, suggestions, or corrections, please use the Support tab.
Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.