Google Cloud Platform (GCP) firewall rules let you allow or deny traffic to and from your virtual machine (VM) instances based on a configuration you specify.

By creating a firewall rule, you specify a Virtual Private Cloud (VPC) network and a set of components that define what the rule does. For more information, see GCP Firewall Rules.

Firewall rules need to be configured to allow ingress and egress traffic for the Controller, SE, and the application servers.


By default, egress is allowed in GCP for all protocols and ports but if egress is denied by some firewall rules, then the specific destination protocol and port have to be allowed.

Skip the egress rule configuration if egress traffic is allowed.

Configuring firewall rules allow the following communication:

  1. Management Traffic

    1. The Controller - Service Engines

    2. Network services used by the Controller

    3. Service Engine - Service Engine

  2. Data Traffic

    1. Virtual service traffic on Service Engines

    2. Service Engine - Application servers

Create the following firewall rules using the steps below:


Make a note of the Target tags that will be created below since the target tags will be applied on the Controller and Service Engine virtual machines.

Management Traffic

For the list of protocols and ports required for ingress and egress management traffic, see Ports used for Management Communication.

Controller Firewall Rules

To configure a firewall rule to allow ingress traffic for the NSX Advanced Load Balancer Controller, refer to Configuring Controller Ingress Rules.

To configure firewall rules to allow outgoing traffic from a Controller, refer to Configuring Controller Egress Rules.

Data Traffic

To allow ingress for data traffic, refer to Configuring Service Engine Ingress Rules for Virtual Service Ports.

To allow egress for data traffic, refer to Configuring Service Engine Egress Rules for Backend Server Ports.