Network Tags Configuration

GCP firewall rules protect your virtual machine (VM) instances from unapproved connections. In GCP, every VPC network also functions as a distributed firewall. While firewall rules are applied to the network as a whole, connections are allowed or denied at the instance level. Tags are used by networks to identify which VM instances are subject to certain firewall rules and network routes. Velostrata network tags are applied in the Firewall rule. Additional edge network tags may be assigned when creating a Cloud Extension, and additional workload network tags may be assigned at the VM-level when executing the Run In Cloud or Test Clone operations.

All Velostrata Cloud Edge Components are deployed using a dedicated network tag (fw-velostrata). For simplicity, we describe a deployment in which all workload VMs are deployed using the same workload network tag (fw-workload). In general, however, you may set up multiple workload network tags to create boundaries between different applications and services.

The dedicated network tag (fw-velostrata) allows inbound access for Velostrata Secure Datapath connections (SSL TCP/9111) and management connections (HTTPS) initiated by the Velostrata Virtual Appliance on-premises. These connections come through the VPN. It also allows inbound access for iSCSI (TCP/3260) and optionally Syslog for boot logging (UDP/514) from the workload Virtual Machines using the workload network tag (fw-workload). Velostrata components with the same network tags can communicate between themselves.

Outbound access to the internet from cloud edge components tagged with the fw-velostrata network tag is required for connections to the GCP storage service (HTTPS) and the Velostrata Telemetry Service (HTTPS).

Note: No outbound access from the cloud edge components to the corporate network or to workloads tagged with fw-workload is required, so it can be blocked in the corresponding VPN and firewall policies for tighter security control.

Note: The firewall rules and tags below are the minimum required. Additional rules may be required to allow access by clients or other Virtual Machines from the corporate network or from other VPCs in GCP.

 

| Name | Type | Targets (target tags) | Filters (source tags or IP ranges) | Protocols/ports | Action | Priority |
|---|---|---|---|---|---|---|
| velostrata-poc-firewall-all-icmp | Ingress | fw-workload, fw-velostrata, fw-vpn | fw-workload | icmp | Allow | 1000 |
| velostrata-poc-firewall-fe-iscsi | Ingress | fw-velostrata | fw-workload | tcp:3260 | Allow | 1000 |
| velostrata-poc-firewall-fe-syslog | Ingress | fw-velostrata | fw-workload | udp:514 | Allow | 1000 |
| velostrata-poc-firewall-vpn-fe-velos | Ingress | fw-velostrata | fw-vpn | tcp:9111,443 | Allow | 1000 |
| velostrata-poc-firewall-vpn-open-vpn | Ingress | fw-vpn | IP ranges: CustomerPublicIP/32 | udp:1194 | Allow | 1000 |
| velostrata-poc-firewall-vpn-ssh | Ingress | fw-vpn | IP ranges: CustomerPublicIP/32 | tcp:22 | Allow | 1000 |
| velostrata-poc-firewall-vpn-workload-inbound | Ingress | fw-vpn | fw-workload | tcp, udp, icmp | Allow | 1000 |
| velostrata-poc-firewall-fe-velos | Ingress | fw-velostrata | fw-velostrata | tcp, udp, icmp | Allow | 1000 |
| velostrata-poc-firewall-workload | Ingress | fw-workload | fw-workload, fw-velostrata, fw-vpn | tcp, udp, icmp | Allow | 1000 |
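The table above is easier to reason about when it can be queried. The following is an added example, not code from the Velostrata or Google Cloud documentation: it encodes the nine rules as data, answers "would this ingress flow be allowed?" the way GCP evaluates tag-based rules (a flow is allowed if some rule whose target tags include the destination VM and whose source tags or ranges include the source permits that protocol and port; otherwise the implied ingress deny applies), and renders each rule as the equivalent `gcloud compute firewall-rules create` command. The network name `velostrata-vpc` and the customer VPN endpoint `203.0.113.10` (standing in for `CustomerPublicIP`) are placeholders chosen for the example; the evaluator models only the Allow rules in the table, not Deny rules or rule ordering between different priorities.

```python
"""Queryable model of the Velostrata PoC firewall rules (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass

# Placeholders (assumptions, not values from the page).
CUSTOMER_PUBLIC_IP = "203.0.113.10"      # stands in for CustomerPublicIP
NETWORK = "velostrata-vpc"               # VPC network the rules are attached to


@dataclass(frozen=True)
class Rule:
    name: str
    targets: tuple   # target network tags
    sources: tuple   # source network tags, or source IP ranges in CIDR form
    allowed: tuple   # (protocol, port) pairs; port None means all ports
    priority: int = 1000


def parse_spec(spec):
    """Expand a 'Protocols/ports' cell: 'tcp:9111,443' -> (('tcp', 9111), ('tcp', 443)),
    'tcp, udp, icmp' -> all ports of each protocol. A bare port continues the previous protocol."""
    out, proto = [], None
    for token in spec.replace(" ", "").split(","):
        if ":" in token:
            proto, port = token.split(":")
            out.append((proto, int(port)))
        elif token.isdigit():
            out.append((proto, int(token)))
        else:
            proto = token
            out.append((proto, None))
    return tuple(out)


# The table, row by row.
RULES = [
    Rule("velostrata-poc-firewall-all-icmp", ("fw-workload", "fw-velostrata", "fw-vpn"), ("fw-workload",), parse_spec("icmp")),
    Rule("velostrata-poc-firewall-fe-iscsi", ("fw-velostrata",), ("fw-workload",), parse_spec("tcp:3260")),
    Rule("velostrata-poc-firewall-fe-syslog", ("fw-velostrata",), ("fw-workload",), parse_spec("udp:514")),
    Rule("velostrata-poc-firewall-vpn-fe-velos", ("fw-velostrata",), ("fw-vpn",), parse_spec("tcp:9111,443")),
    Rule("velostrata-poc-firewall-vpn-open-vpn", ("fw-vpn",), (CUSTOMER_PUBLIC_IP + "/32",), parse_spec("udp:1194")),
    Rule("velostrata-poc-firewall-vpn-ssh", ("fw-vpn",), (CUSTOMER_PUBLIC_IP + "/32",), parse_spec("tcp:22")),
    Rule("velostrata-poc-firewall-vpn-workload-inbound", ("fw-vpn",), ("fw-workload",), parse_spec("tcp, udp, icmp")),
    Rule("velostrata-poc-firewall-fe-velos", ("fw-velostrata",), ("fw-velostrata",), parse_spec("tcp, udp, icmp")),
    Rule("velostrata-poc-firewall-workload", ("fw-workload",), ("fw-workload", "fw-velostrata", "fw-vpn"), parse_spec("tcp, udp, icmp")),
]


def source_matches(rule, src):
    """src is either a network tag carried by the sending VM or a source IP address."""
    for s in rule.sources:
        if "/" in s:                                   # CIDR filter: compare as an address
            try:
                if ipaddress.ip_address(src) in ipaddress.ip_network(s, strict=False):
                    return True
            except ValueError:                         # src is a tag, not an address
                continue
        elif s == src:                                 # tag filter: exact tag match
            return True
    return False


def matching_rule(src, target_tag, proto, port=None):
    """Name of the rule that allows the flow, or None when GCP's implied ingress deny applies."""
    for r in sorted(RULES, key=lambda r: r.priority):   # lower number = evaluated first
        if target_tag not in r.targets or not source_matches(r, src):
            continue
        if any(p == proto and (prt is None or prt == port) for p, prt in r.allowed):
            return r.name
    return None


def is_allowed(src, target_tag, proto, port=None):
    return matching_rule(src, target_tag, proto, port) is not None


def gcloud_command(rule, network=NETWORK):
    """Render the rule as a gcloud invocation (flags are standard gcloud firewall-rules flags)."""
    rules_flag = ",".join(p if prt is None else f"{p}:{prt}" for p, prt in rule.allowed)
    src_flag = ("--source-ranges=" if "/" in rule.sources[0] else "--source-tags=") + ",".join(rule.sources)
    return (f"gcloud compute firewall-rules create {rule.name} --network={network} "
            f"--direction=INGRESS --action=ALLOW --priority={rule.priority} "
            f"--rules={rules_flag} --target-tags={','.join(rule.targets)} {src_flag}")


if __name__ == "__main__":
    # Spot-check the boundaries the text describes, then print the gcloud equivalents.
    print("workload -> edge iSCSI:", matching_rule("fw-workload", "fw-velostrata", "tcp", 3260))
    print("vpn -> edge SSH:", matching_rule("fw-vpn", "fw-velostrata", "tcp", 22))   # None: not in the table
    for r in RULES:
        print(gcloud_command(r))
```

The useful checks are the negative ones: the VPN tag can reach the edge components only on tcp:9111 and tcp:443, SSH to the VPN host is accepted only from the customer's public address, and the edge components are never a permitted source toward the VPN host. Running the script before and after adding the "additional rules" the note mentions shows exactly which new flows each rule opens.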