Google Cloud Platform (GCP) firewall rules let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration you specify.
By creating a firewall rule, you specify a Virtual Private Cloud (VPC) network and a set of components that define what the rule does. For more information refer to GCP Firewall Rules.
Firewall rules need to be configured to allow ingress and egress traffic for the Controller, SE, and the application servers.
By default, egress is allowed in GCP for all protocols and ports but if egress is denied by some firewall rules, then the specific destination protocol and port have to be allowed.
Skip the egress rule configuration if egress traffic is allowed.
Configuring firewall rules allow the following communication:
The Controller - Service Engines
Network services used by the Controller
Service Engine - Service Engine
Virtual service traffic on Service Engines
Service Engine - Application servers
Create the following firewall rules using the steps below:
Make a note of the Target tags that will be created below since the target tags will be applied on the Controller and Service Engine virtual machines.
For the list of protocols and ports required for ingress and egress management traffic, refer Ports used for Management Communication.
Controller Firewall Rules
To configure a firewall rule to allow ingress traffic for the NSX Advanced Load Balancer Controller, refer to Configuring Controller Ingress Rules.
To configure firewall rules to allow outgoing traffic from a Controller, refer to Configuring Controller Egress Rules.
To allow ingress for data traffic, refer to Configuring Service Engine Ingress Rules for Virtual Service Ports.
To allow egress for data traffic, refer to Configuring Service Engine Egress Rules for Backend Server Ports.