Secure VPC Networks with Cloud Next Generation Firewall

Secure Cloud Workloads with Cloud NGFW

Lab, 1 hour, 5 credits, Intermediate

Overview

In one of Cymbal Bank's VPC networks, VMs must accept SSH (TCP port 22) from the Identity-Aware Proxy TCP forwarding range, 35.235.240.0/20. However, some VMs on this network are bound by special requirements. These VMs can't send traffic to:

  • Specific countries (Poland and Italy).
  • Known search engine crawlers.
  • The website www.example.com.

You use Cloud NGFW Essentials and Cloud NGFW Standard to implement restrictions on ngfw-vm1.

Cloud NGFW Essentials provides global network firewall policies and lets you scope the rules in those policies with Tags (secure tags) bound to VM instances.

Cloud NGFW Standard extends Cloud NGFW Essentials with rules that match on fully qualified domain names (FQDNs), geolocations, and Google Threat Intelligence lists.

In this lab, you configure a global network firewall policy to satisfy these Cymbal Bank requirements, and you test it using two provided VMs, ngfw-vm1 and ngfw-vm2. If the policy works correctly, you should observe that:

  • ngfw-vm1 is bound by the special requirements outlined above.
  • ngfw-vm2 is not bound by these requirements.

Objectives

In this lab, you learn how to perform the following tasks:

  • Enable the Network Security API.
  • Create and bind a project-level Tag to a VM instance (ngfw-vm1).
  • Create a global network firewall policy.
  • Create a global network firewall policy rule, not scoped with a Tag.
  • Create global network firewall policy rules, scoped with a Tag.
  • Perform connectivity tests on network traffic to verify that the firewall policy rules work correctly.

Lab setup

For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

    • The Open Google Cloud console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).

    The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username below and paste it into the Sign in dialog.

    {{{user_0.username | "Username"}}}

    You can also find the Username in the Lab Details panel.

  4. Click Next.

  5. Copy the Password below and paste it into the Welcome dialog.

    {{{user_0.password | "Password"}}}

    You can also find the Password in the Lab Details panel.

  6. Click Next.

    Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials.

    Note: Using your own Google Cloud account for this lab may incur extra charges.
  7. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Google Cloud console opens in this tab.

Note: To view a menu with a list of Google Cloud products and services, click the Navigation menu at the top-left, or type the service or product name in the Search field.

Activate Google Cloud Shell

Google Cloud Shell is a virtual machine loaded with development tools. It offers a persistent 5 GB home directory and runs on Google Cloud.

Google Cloud Shell provides command-line access to your Google Cloud resources.

  1. In Cloud console, on the top right toolbar, click the Open Cloud Shell button.

  2. Click Continue.

It takes a few moments to provision and connect to the environment. When you are connected, you are already authenticated, and the project is set to your PROJECT_ID.

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

  • You can list the active account name with this command:

gcloud auth list

Output:

Credentialed accounts:
 - <myaccount>@<mydomain>.com (active)

Example output:

Credentialed accounts:
 - google1623327_student@qwiklabs.net

  • You can list the project ID with this command:

gcloud config list project

Output:

[core]
project = <project_ID>

Example output:

[core]
project = qwiklabs-gcp-44776a13dea667a6

Note: Full documentation of gcloud is available in the gcloud CLI overview guide.

After you complete the initial sign-in steps, the project dashboard opens.

Task 1. Enable the Network Security API

In this task, you configure some environment variables and enable the Network Security API.

  1. At the Cloud Shell prompt, enter the command below to set up some environment variables.
export REGION=$(gcloud compute project-info describe --format="value[](commonInstanceMetadata.items.google-compute-default-region)")
export ZONE=$(gcloud compute project-info describe --format="value[](commonInstanceMetadata.items.google-compute-default-zone)")
export PROJECT_ID=$(gcloud config get-value project)
export VM1_ID=$(gcloud compute instances describe ngfw-vm1 --zone $ZONE --format='value(id)')
prefix=gcc # update it from ["gcc", "ngfw", "cymbal"]

After the commands execute, you see output that looks similar to what is shown below. (The actual configuration name will differ.)

Output:

Your active configuration is: [cloudshell-3009]

Next, you enable the Network Security API. Enabling this API also enables the Cloud NGFW functionality in the Google Cloud console and at the gcloud command line.

  1. At the Cloud Shell prompt, enter this command to enable the Network Security API.
gcloud services enable networksecurity.googleapis.com

Click Check my progress to verify your task. Enable API

Task 2. Create and bind project-level Tags to a VM instance

Create the Tag key and value

In this task, you create a Tag key named gcc-vpc-tag. This Tag lets you associate a VM with rules in the global network firewall policy. (In subsequent tasks, you bind this tag/value pair to a VM and reference it in the rules of a network firewall policy.)

You provide one value for this tag: gcc-vpc-client.

  1. In the Cloud console, in the Navigation menu (), select IAM & Admin > Tags.

  2. Click Create.

  3. For the Tag key, enter gcc-vpc-tag.

  4. Select the For use with network firewall checkbox.

  5. For Project, select the project name associated with this lab exercise. (You can find the project name for this lab exercise on the browser page that you used to launch this lab, the page that shows your lab username and password.)

  6. For Network, select ngfw-vpc.

  7. Click Add Value.

  8. For Tag value 1 enter gcc-vpc-client.

  9. Click Create Tag Key.

Click Check my progress to verify your task. Create a project-level Tag

Associate the Tag to the VM instance

In this task, you associate the Tag and value that you created in the previous task to the ngfw-vm1 VM. In a subsequent task, you specify the same Tag and value in the rules of a global network firewall policy.

  1. In the Cloud console, on the Navigation menu (), select Compute Engine > VM instances.

  2. Click ngfw-vm1.

  3. Click Edit to edit its properties.

  4. Click Manage Tags.

  5. Click Select Scope.

  6. Click the name of your lab project. (There should only be one project name shown here.)

  7. For Key 1, select gcc-vpc-tag.

  8. For Value 1, select gcc-vpc-client.

  9. Click Save.

  10. Click Confirm.

  11. Click Save.

Click Check my progress to verify your task. Bind the tag to the VM instance

Task 3. Create a global network firewall policy

In this task, you create the global network firewall policy that contains the restrictions noted at the beginning of this lab exercise.

  1. In the Cloud console, on the Navigation menu (), select VPC Network > Firewall.

  2. Click Create Firewall Policy.

  3. For the Policy name, enter gcc-fw-policy.

  4. For the Description, enter Cloud NGFW Essentials.

  5. For the Deployment scope, select Global.

  6. Click Continue.

  7. Scroll down, and click Continue. (You will add firewall policy rules later.)

  8. Click Associate.

  9. Select the ngfw-vpc network.

  10. Click Associate.

  11. Click Create.

  12. Wait until you see an entry on the page for your new global firewall policy, gcc-fw-policy, before continuing to the next task.

Click Check my progress to verify your task. Create a global network firewall policy

Task 4. Create a global network firewall policy rule that is not scoped with a Tag

In this task, you create a firewall policy rule in the gcc-fw-policy network firewall policy that allows ingress SSH (TCP port 22) from the Identity-Aware Proxy TCP forwarding range. You set the priority of this rule to 2000 (lower numbers are evaluated first).

  1. If you don't see the Firewall Policies page, in the Navigation menu (), select VPC Network > Firewall.

  2. Under Network Firewall Policies, click the gcc-fw-policy. (You may need to scroll down to see Network Firewall Policies.)

  3. Click Create Firewall Rule.

  4. For Priority, enter 2000.

  5. For Description, enter allow ssh traffic from identity-aware-proxy ranges.

  6. For Direction of traffic, select Ingress.

  7. For Action on match, select Allow.

Next, you configure the source filter.

  1. Under Source filters, for the IP type, make sure IPv4 is selected.

  2. For the IP ranges, enter 35.235.240.0/20.

Next, you set the protocol to TCP and the port to 22.

  1. Under Protocols and ports, select Specified ports and protocols.

  2. Select TCP.

  3. For Port, enter 22.

  4. Leave other settings at their default values, and click Create.

Click Check my progress to verify your task. Create an NGFW Essential Rule

Task 5. Create global network firewall policy rules scoped with a Tag

In this task, you create firewall policy rules in the gcc-fw-policy network firewall policy. First, you create a firewall policy rule to ensure that the ngfw-vm1 VM can't send traffic to sites in Italy or Poland. You use the tag/value pair that you created in a previous task to scope the network firewall policy rule to the ngfw-vm1 virtual machine. You set the priority of this rule to 4000.

  1. If you don't see the Firewall Policies page, in the Navigation menu (), select VPC Network > Firewall.

  2. Under Network Firewall Policies, click the gcc-fw-policy. (You may need to scroll down to see Network Firewall Policies.)

  3. Click Create Firewall Rule.

  4. For Priority, enter 4000.

  5. For Description, enter block egress traffic to Poland and Italy.

  6. For Direction of traffic, select Egress.

  7. For Action on match, select Deny.

  8. Under Logs, click On to enable logging.

  9. Under Target, click Secure tags.

  10. Click Select Scope.

  11. In the pop-up window, click your project ID.

  12. Click Key 1, and select gcc-vpc-tag.

  13. Click Value 1, and select gcc-vpc-client.

Next, you set the destination filters.

  1. For Geolocations, select Poland (PL) and Italy (IT).

  2. Leave other settings at their default values, and click Create.

Wait until the page shows that your new rule has been created before continuing to the next step. (You may have to scroll down to see your new rule.)

Next, you create a firewall policy rule to ensure that the ngfw-vm1 VM can't send traffic to known search engine crawlers. As before, you use the Tag that you created earlier to scope this rule to ngfw-vm1. You set the priority of this rule to 5000.

  1. Click Create Firewall Rule. (You may have to scroll up to see the link.)

  2. For Priority, enter 5000.

  3. For Description, enter block egress traffic to search engine crawlers.

  4. For Direction of traffic, select Egress.

  5. For Action on match, select Deny.

  6. Under Logs, click On to enable logging.

  7. Under Target, click Secure tags.

  8. Click Select Scope.

  9. In the pop-up window, click your project ID.

  10. Click Key 1, and select gcc-vpc-tag.

  11. Click Value 1, and select gcc-vpc-client.

Next, set the destination filters.

  1. Find the drop-down list labeled Google Cloud Threat Intelligence, and select Search engine crawlers.

  2. Click OK.

  3. Leave other settings at their default values, and click Create.

Next, you create a firewall policy rule to ensure that the ngfw-vm1 VM can't send traffic to the website www.example.com. You scope this rule to ngfw-vm1 using the Tag you created earlier.

  1. Click Create Firewall Rule. (You may have to scroll up to see the link.)

  2. For Priority, enter 6000.

  3. For Description, enter block egress traffic to specific FQDN www.example.com.

  4. For Direction of traffic, select Egress.

  5. For Action on match, select Deny.

  6. Under Logs, click On to enable logging.

  7. Under Target, click Secure tags.

  8. Click Select Scope.

  9. In the pop-up window, click your project ID.

  10. Click Key 1, and select gcc-vpc-tag.

  11. Click Value 1, and select gcc-vpc-client.

Next, you set the destination filters.

  1. For the FQDNs, enter www.example.com.

  2. Leave other settings at their default values, and click Create.
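The console steps in Tasks 2 through 5 have gcloud equivalents, which is how you would keep this policy under version control rather than re-clicking it. The script below is an added example, not part of the lab, and by default it only prints the commands it would run (a plan); run it with APPLY=1 in Cloud Shell to execute them. It uses the lab's resource names and the Task 1 variables (PROJECT_ID, ZONE, VM1_ID), with placeholders if those are not exported. The threat-intelligence list name iplist-search-engines-crawlers and the --layer4-configs=all value are the ones I recall from the gcloud reference for the console choices the lab makes; confirm them with `gcloud compute network-firewall-policies rules create --help` before applying.

```shell
#!/bin/sh
# Added example, not part of the lab: gcloud equivalents of Tasks 2 to 5.
# Prints every command by default; APPLY=1 executes them. PROJECT_ID, ZONE and
# VM1_ID are the Task 1 variables (placeholders below if they are not exported).
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"       # placeholder: export the real value
ZONE="${ZONE:-us-central1-a}"                # placeholder
VM1_ID="${VM1_ID:-0000000000000000000}"      # numeric instance id of ngfw-vm1
POLICY=gcc-fw-policy
NETWORK=ngfw-vpc
TAG_KEY=gcc-vpc-tag
TAG_VALUE=gcc-vpc-client
IAP_RANGE=35.235.240.0/20                    # Identity-Aware Proxy TCP forwarding range

# Print the command (plan), or execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s ' "$@"; printf '\n'; fi
}

# Task 2: a project-level Tag key marked for firewall use on the VPC, plus one value.
create_tag() {
  run gcloud resource-manager tags keys create "$TAG_KEY" \
      --parent="projects/$PROJECT_ID" --purpose=GCE_FIREWALL \
      --purpose-data="network=$PROJECT_ID/$NETWORK"
  run gcloud resource-manager tags values create "$TAG_VALUE" \
      --parent="$PROJECT_ID/$TAG_KEY"
}

# Firewall rules reference a tag value by its numeric name (tagValues/NNN).
tag_value_name() {
  if [ "${APPLY:-0}" = 1 ]; then
    gcloud resource-manager tags values describe "$PROJECT_ID/$TAG_KEY/$TAG_VALUE" \
        --format='value(name)'
  else
    echo tagValues/PLACEHOLDER   # stand-in used only in the printed plan
  fi
}

# Task 2, second half: bind the value to ngfw-vm1 (bindings address the instance id).
bind_tag() {
  run gcloud resource-manager tags bindings create \
      --tag-value="$PROJECT_ID/$TAG_KEY/$TAG_VALUE" \
      --parent="//compute.googleapis.com/projects/$PROJECT_ID/zones/$ZONE/instances/$VM1_ID" \
      --location="$ZONE"
}

# Task 3: the global policy and its association with the VPC.
create_policy() {
  run gcloud compute network-firewall-policies create "$POLICY" --global \
      --description="Cloud NGFW Essentials"
  run gcloud compute network-firewall-policies associations create \
      --firewall-policy="$POLICY" --global-firewall-policy --network="$NETWORK"
}

# Tasks 4 and 5: one untagged ingress allow, three tag-scoped egress denies.
# Priorities are evaluated lowest number first; the denies log every match.
create_rules() {
  tv=$(tag_value_name)
  rule="gcloud compute network-firewall-policies rules create"
  run $rule 2000 --firewall-policy="$POLICY" --global-firewall-policy \
      --direction=INGRESS --action=allow --src-ip-ranges="$IAP_RANGE" \
      --layer4-configs=tcp:22 \
      --description="allow ssh traffic from identity-aware-proxy ranges"
  run $rule 4000 --firewall-policy="$POLICY" --global-firewall-policy \
      --direction=EGRESS --action=deny --enable-logging \
      --target-secure-tags="$tv" --dest-region-codes=PL,IT --layer4-configs=all \
      --description="block egress traffic to Poland and Italy"
  run $rule 5000 --firewall-policy="$POLICY" --global-firewall-policy \
      --direction=EGRESS --action=deny --enable-logging \
      --target-secure-tags="$tv" --layer4-configs=all \
      --dest-threat-intelligence=iplist-search-engines-crawlers \
      --description="block egress traffic to search engine crawlers"
  run $rule 6000 --firewall-policy="$POLICY" --global-firewall-policy \
      --direction=EGRESS --action=deny --enable-logging \
      --target-secure-tags="$tv" --dest-fqdns=www.example.com --layer4-configs=all \
      --description="block egress traffic to specific FQDN www.example.com"
}

create_tag
bind_tag
create_policy
create_rules
```

Keeping the rules as code makes the review question explicit: the only allow in the policy is ingress from the IAP range, the denies apply only to VMs carrying gcc-vpc-client, and everything else falls through to the VPC's implied rules (deny ingress, allow egress), which is why an untagged VM keeps full egress.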

Test traffic with a tagged VM

Next, you SSH into the ngfw-vm1 VM instance and verify connectivity with the curl command. A denied egress connection produces no error from the remote side: the deny rule drops the packets, so curl simply times out (the -m 2 option caps the wait at 2 seconds). The timeout is the evidence that a deny rule matched; because logging is enabled on these rules, each match also appears in Cloud Logging.

  1. In the Navigation menu (), select Compute Engine > VM instances.

  2. For ngfw-vm1, click SSH, and select Open in browser window. A window appears with the command prompt for ngfw-vm1.

  3. In the window that appears for ngfw-vm1, enter this command at the ngfw-vm1 command prompt:

curl https://www.gov.pl -m 2

The timeout message shows that the connection was blocked.

curl: (28) Connection timed out after 2000 milliseconds

  4. At the ngfw-vm1 command prompt, enter this command:

curl https://www.esteri.it/it/ -m 2

The timeout message shows that the connection was blocked.

curl: (28) Connection timed out after 2000 milliseconds

  5. At the ngfw-vm1 command prompt, enter this command:

curl https://www.example.com -m 2

The timeout message shows that the connection was blocked.

curl: (28) Connection timed out after 2000 milliseconds

  6. At the ngfw-vm1 command prompt, enter this command:

ping -c 2 66.249.66.1

The 100% packet loss shows that the connection was blocked.

PING 66.249.66.1 (66.249.66.1) 56(84) bytes of data.

--- 66.249.66.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1011ms

Click Check my progress to verify your task. Test traffic with a tagged VM

Test traffic with a non-tagged VM

Next, you SSH into the ngfw-vm2 VM instance and perform the same connectivity tests as in the previous task. This time, every request should succeed: ngfw-vm2 does not carry the gcc-vpc-client tag, so the three egress deny rules do not apply to it, and the network's implied allow-egress rule permits the traffic.

  1. In the Navigation menu (), select Compute Engine > VM instances.

  2. For the ngfw-vm2, click SSH, and select Open in browser window. A window appears with the command prompt for ngfw-vm2.

  3. In the window that appears for ngfw-vm2, enter this command at the ngfw-vm2 command prompt:

curl https://www.gov.pl -m 2

This command should execute successfully, generating HTML-tagged lines of text in Polish from www.gov.pl.

  4. At the ngfw-vm2 command prompt, enter this command:

curl https://www.esteri.it/it/ -m 2

This command should execute successfully, generating HTML-tagged lines of text in Italian from www.esteri.it.

  5. At the ngfw-vm2 command prompt, enter this command:

curl https://www.example.com -m 2

This command should execute successfully, generating HTML-tagged lines of text in English from www.example.com.

  6. At the ngfw-vm2 command prompt, enter this command:

ping -c 2 66.249.66.1

The 0% packet loss shows that the connection was successful.

PING 66.249.66.1 (66.249.66.1) 56(84) bytes of data.
64 bytes from 66.249.66.1: icmp_seq=1 ttl=110 time=6.96 ms
64 bytes from 66.249.66.1: icmp_seq=2 ttl=110 time=6.22 ms

--- 66.249.66.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 6.219/6.590/6.962/0.371 ms
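The two manual test passes above (tagged VM, every probe blocked; untagged VM, every probe allowed) are the same four probes with opposite expectations, so they are worth scripting. The harness below is an added example, not part of the lab. It runs the lab's three curl targets and the ping against the expectation for the VM it is run on, and it classifies the curl exit status rather than just checking for failure: only exit 28 (timeout) is the signature of a Cloud NGFW deny rule, which drops packets silently, while exit 6 (DNS resolution failed) or 7 (connection refused) mean the request never reached a firewall verdict and should be investigated separately. Run it as `sh ngfw-probe.sh tagged` on ngfw-vm1 and `sh ngfw-probe.sh untagged` on ngfw-vm2; the filename is my choice.

```shell
#!/bin/sh
# Added example, not part of the lab: probe harness for the connectivity checks.
#   sh ngfw-probe.sh tagged     on ngfw-vm1, every probe must be blocked
#   sh ngfw-probe.sh untagged   on ngfw-vm2, every probe must be allowed
# Targets are the lab's; 66.249.66.1 is the crawler address the lab pings.

TIMEOUT=2

# Map curl's exit status to a verdict. 28 (timeout) is what a silently dropping
# deny rule looks like; 6 (DNS failure) and 7 (refused) are not firewall verdicts.
classify_curl_exit() {
  case "$1" in
    0)  echo allowed ;;
    28) echo blocked ;;
    6)  echo dns-failure ;;
    7)  echo refused ;;
    *)  echo "error-$1" ;;
  esac
}

# iputils ping exits 0 if at least one reply arrived and 1 on 100% loss.
classify_ping_exit() {
  case "$1" in
    0) echo allowed ;;
    1) echo blocked ;;
    *) echo "error-$1" ;;
  esac
}

probe_http() {  # $1 = URL; prints curl's exit status
  curl -sS -o /dev/null -m "$TIMEOUT" "$1" >/dev/null 2>&1
  echo $?
}

probe_icmp() {  # $1 = IP address; prints ping's exit status
  ping -c 2 -W "$TIMEOUT" "$1" >/dev/null 2>&1
  echo $?
}

# $1 = expected verdict, $2 = observed verdict, $3 = label.
# Prints one PASS/FAIL line; returns 1 on mismatch so the caller can count.
check() {
  if [ "$1" = "$2" ]; then
    printf 'PASS  %s  %s\n' "$3" "$2"
  else
    printf 'FAIL  %s  expected %s, got %s\n' "$3" "$1" "$2"
    return 1
  fi
}

# $1 = tagged | untagged. Runs the lab's four probes against that VM's
# expectation and returns non-zero if any probe disagrees with the policy.
run_suite() {
  case "$1" in
    tagged)   expect=blocked ;;
    untagged) expect=allowed ;;
    *) echo "usage: $0 tagged|untagged" >&2; return 2 ;;
  esac
  failures=0
  for url in https://www.gov.pl https://www.esteri.it/it/ https://www.example.com; do
    check "$expect" "$(classify_curl_exit "$(probe_http "$url")")" "$url" \
      || failures=$((failures + 1))
  done
  check "$expect" "$(classify_ping_exit "$(probe_icmp 66.249.66.1)")" "icmp 66.249.66.1" \
    || failures=$((failures + 1))
  echo "$failures probe(s) disagree with the firewall policy"
  [ "$failures" -eq 0 ]
}

# Only run when a role is given, so the file can also be sourced for its functions.
if [ -n "${1:-}" ]; then
  run_suite "$1"
fi
```

A non-zero exit from the harness is a policy regression, not a flaky network: a DNS failure on the tagged VM would be reported as dns-failure rather than blocked, which matters for the FQDN rule, since that rule matches on the addresses the name resolves to and a VM that cannot resolve www.example.com at all would otherwise look like a correctly enforced deny.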

Congratulations!

You have successfully deployed Cloud NGFW Standard rules to secure your compute workloads.

End your lab

When you have completed your lab, click End Lab. Google Cloud Skills Boost removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

  • 1 star = Very dissatisfied
  • 2 stars = Dissatisfied
  • 3 stars = Neutral
  • 4 stars = Satisfied
  • 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Copyright 2022 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
