Is GCP Firewall able to allow ingress traffic based on a specific domain name?
I've googled it and didn't find any results on this.
All I know is it can allow or deny based on IP address.
A network firewall typically acts at the packet level and since network packets don't carry information about the domain, the standard GCP VPC Firewall will not let you do that.
What you are looking for is an Application Firewall (or Layer 7 Firewall). Google Cloud has another service called Cloud Armor that has WAF (Web Application Firewall) capabilities. I think that by using Cloud Armor and load balancers you might be able to do what you want.
Related
What is the standard way to block an external IP from accessing my GCP cluster? Happy for the answer to include another Google service.
Because your cluster is deployed on a Compute Engine instance, you can simply set a firewall rule to discard connections from a specific IP.
If you use an HTTP load balancer, you can add a Cloud Armor policy to exclude some IPs.
In both cases, keep in mind that IP filtering isn't very efficient. A VPN or proxy can be easily and freely used on the internet to change the source IP of the requester.
Do we need ufw in gcp? or gcp's provided Firewall is good enough?
Depending on what you want to achieve, you have the choice of using a firewall at the VM instance level or at the GCP level.
Google Cloud Platform blocks some traffic for security reasons - such as GRE, SMTP (egress traffic to port 25) and some other less popular protocols. You can find more information on always blocked traffic in GCP.
Furthermore, by default, if you create a VPC network, ports 22 & 3389 are blocked. You have to allow traffic in/out when creating the instance or create a proper firewall rule later. This is also done for security.
I have an EC2 instance with Windows Server; I'm using it only with RDP. Can I somehow block outbound traffic from the browser to a specific domain (e.g. abc.example.com) or URL? I'd rather do it in the AWS Dashboard so that RDP users do not have access to whitelist this domain/URL.
How can I achieve this? Thanks!
There is not a native AWS solution for this; of course, you could allow only specific IP addresses. The problem with this is that for domains these may change; when you look at the cloud you can see that many services (such as load balancers and CDNs) will be changing their IP addresses.
The ideal solution is that you would deploy software (running on EC2) that is able to filter outbound traffic based on domain name. There are solutions on the AWS Marketplace, as well as filtering using a dumb proxy.
The network setup would involve you creating a number of subnets containing the EC2 instances. These would have a route table forwarding all traffic (0.0.0.0/0) to a NAT.
Then, for all applications that need to have their outbound traffic filtered, they would update their route table to route all traffic (0.0.0.0/0) to the ENI of one of the filtering hosts (ideally in the same AZ).
More information: https://aws.amazon.com/blogs/security/how-to-set-up-an-outbound-vpc-proxy-with-domain-whitelisting-and-content-filtering/
You can configure Access Control Lists (ACL) and Security Groups to filter outbound traffic. However, both of those tools only allow filtering based on IP address, not domain.
If you are confident that the IP addresses won't change, then you can configure these services. If you aren't interested in maintaining a blacklist, then you might need to check on some OS-level limits.
The simplest and easiest way is to implement an Aviatrix FQDN egress filter. It serves the purpose from a centralized user interface to whitelist/blacklist the URLs in every VPC.
A Next Generation Firewall (NGFW) implementation just to achieve URL/FQDN filtering is overkill, esp. from the cost point of view, whereas a proxy implementation has its complexity and doesn't provide centralized control; every VPC has to be managed separately.
The easiest way is to get an Aviatrix launch partner like SDxWORx and enable it with discounted PAYG pricing.
https://aws.amazon.com/marketplace/pp/prodview-laruhupdkcpuy/
I am trying to set up AWS Workspaces and all works fine. I also have a requirement to restrict certain websites like Google Drive, Dropbox, etc. on my AWS instance. How can I add these web access restrictions? Is it possible to configure and apply an AWS firewall through which these restrictions are applied?
Any help/suggestions will be highly appreciated.
There are multiple ways to achieve that.
You can use some endpoint protection that allows web filtering, e.g. Sophos, Trend Micro, ...
You can use a firewall appliance that allows you to control the web traffic.
https://aws.amazon.com/marketplace/search/results?x=0&y=0&searchTerms=firewall
You can use the new AWS Network Firewall to control the web traffic.
From: AWS Network Firewall Features
AWS Network Firewall supports inbound and outbound web filtering for unencrypted web traffic. For encrypted web traffic, Server Name Indication (SNI) is used for blocking access to specific sites. SNI is an extension to Transport Layer Security (TLS) that remains unencrypted in the traffic flow and indicates the destination hostname a client is attempting to access over HTTPS. In addition, AWS Network Firewall can filter fully qualified domain names (FQDN).
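The quoted feature text says a firewall can block HTTPS destinations by reading the SNI extension, and the earlier GCP answer says a packet-level firewall cannot see domain names at all. Both statements come down to where the hostname sits: not in the IP or TCP header, but inside the TLS ClientHello payload, where it is sent in the clear. The following Python is an added example, not code from any of the answers or from AWS; it builds a constructed ClientHello (not a real capture), extracts the server_name the way a filtering device would, and applies a simple denylist. The function names and the sample domains are my own choices.

```python
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample data,
    not captured traffic). hostname=None omits the SNI extension entirely."""
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    # An unrelated extension (type 43, supported_versions) with a dummy body, so the
    # parser has to step over extensions it does not care about.
    extensions += struct.pack("!HH", 43, 3) + b"\x02\x03\x04"
    body = (
        b"\x03\x03"                           # legacy_version TLS 1.2
        + b"\x11" * 32                        # client random (fixed bytes, constructed)
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
        + b"\x01\x00"                         # one compression method (null)
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a TLS ClientHello record, or None when the record
    is not a ClientHello, is truncated, or carries no SNI extension."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                      # skip legacy_version and random
        pos += 1 + body[pos]              # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher_suites
        pos += 1 + body[pos]              # skip compression_methods
        if pos + 2 > len(body):
            return None                   # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + length]
            pos += length
            if ext_type == EXT_SERVER_NAME:
                # ServerNameList: 2-byte list length, then entries of type(1)+len(2)+name
                lpos = 2
                while lpos + 3 <= len(data):
                    name_type = data[lpos]
                    name_len = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                    name = data[lpos + 3:lpos + 3 + name_len]
                    if name_type == 0:
                        return name.decode("ascii")
                    lpos += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def sni_verdict(record, denylist):
    """Apply a domain denylist to one ClientHello: 'DROP' when the SNI equals a listed
    domain or is a subdomain of it, 'ALLOW' otherwise, and 'NO_SNI' when no hostname
    can be recovered (the case a filtering policy has to decide separately)."""
    host = extract_sni(record)
    if host is None:
        return "NO_SNI"
    host = host.lower().rstrip(".")
    for blocked in denylist:
        blocked = blocked.lower().rstrip(".")
        if host == blocked or host.endswith("." + blocked):
            return "DROP"
    return "ALLOW"


if __name__ == "__main__":
    denylist = ["drive.google.com", "dropbox.com"]   # constructed policy
    for host in ["drive.google.com", "www.dropbox.com", "example.com", None]:
        print(host, "->", sni_verdict(build_client_hello(host), denylist))
```

The NO_SNI branch is the practical caveat: a client that omits SNI, or uses Encrypted Client Hello, gives a network filter nothing to match on, so a deny-by-domain policy needs an explicit decision for flows where no hostname is visible.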
Is there any way to allow Google Memorystore to be accessible to the outside world and just whitelist connections by IP address?
I have some off-Google services that need access to the Redis instance, but it doesn't seem possible to hit Memorystore with an IP.
You can follow the solution proposed in this other thread. This way, you would be using that Compute Engine instance as a proxy and you would just need to configure some firewall rules to only allow specific IP addresses to access that VM.
To put it in a few steps:
Create your VM in the same VPC your Google Memorystore instance is using
Add firewall rules to deny all traffic (ingress and egress) and other higher priority rules allowing all traffic (again, ingress and egress) from your desired IP addresses targeting your VPC
Use port forwarding as explained in the mentioned thread
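The second step above (a deny-all rule plus higher-priority allow rules for chosen source ranges) and the earlier answer about discarding connections from one IP both rely on how GCP VPC firewall rules are ordered. The Python below is an added example, not code from the answers or from Google; it models that evaluation on a constructed rule set so the outcome of the proposed design can be checked before anything is applied. It assumes GCP's documented semantics: the matching rule with the lowest priority number wins, deny beats allow at equal priority, and the implied rules (deny all ingress, allow all egress at priority 65535) are always present. Rule names and the RFC 5737 test addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str      # "INGRESS" or "EGRESS"
    action: str         # "allow" or "deny"
    priority: int       # 0..65535; lower number = higher priority (GCP semantics)
    ranges: tuple       # source ranges for INGRESS, destination ranges for EGRESS
    ports: tuple = ()   # (proto, port) pairs, port None = any port; empty = all traffic


# GCP's implied rules, present in every VPC network (assumed from the documentation).
IMPLIED = (
    Rule("implied-allow-egress", "EGRESS", "allow", 65535, ("0.0.0.0/0",)),
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535, ("0.0.0.0/0",)),
)


def matches(rule, direction, peer_ip, proto, port):
    """True if the rule applies to this flow (direction, peer address, protocol, port)."""
    if rule.direction != direction:
        return False
    ip = ipaddress.ip_address(peer_ip)
    if not any(ip in ipaddress.ip_network(r) for r in rule.ranges):
        return False
    if rule.ports and not any(p == proto and (pt is None or pt == port) for p, pt in rule.ports):
        return False
    return True


def evaluate(rules, direction, peer_ip, proto, port):
    """Return (action, rule_name) for one flow against user rules plus the implied rules."""
    candidates = [r for r in list(rules) + list(IMPLIED)
                  if matches(r, direction, peer_ip, proto, port)]
    # Lowest priority number first; at a tie, deny sorts before allow.
    candidates.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    best = candidates[0]   # the implied rules guarantee at least one match
    return best.action, best.name


# Constructed rule set following the proxy-VM design: deny everything, then allow the
# trusted external range (203.0.113.0/24) to reach the VM on the forwarded Redis port.
TRUSTED = ("203.0.113.0/24",)
RULES = [
    Rule("deny-all-ingress", "INGRESS", "deny", 1000, ("0.0.0.0/0",)),
    Rule("deny-all-egress", "EGRESS", "deny", 1000, ("0.0.0.0/0",)),
    Rule("allow-trusted-ingress", "INGRESS", "allow", 500, TRUSTED, (("tcp", 6379),)),
    Rule("allow-trusted-egress", "EGRESS", "allow", 500, TRUSTED),
]

# Tie-break check: an allow and a deny at the same priority for the same range.
TIE_RULES = [
    Rule("tie-allow", "INGRESS", "allow", 700, TRUSTED),
    Rule("tie-deny", "INGRESS", "deny", 700, TRUSTED),
]


if __name__ == "__main__":
    flows = [
        ("INGRESS", "203.0.113.10", "tcp", 6379),   # trusted peer, Redis port
        ("INGRESS", "203.0.113.10", "tcp", 22),     # trusted peer, wrong port
        ("INGRESS", "198.51.100.7", "tcp", 6379),   # untrusted peer
        ("EGRESS", "198.51.100.7", "tcp", 443),     # VM reaching out to untrusted peer
    ]
    for flow in flows:
        print(flow, "->", evaluate(RULES, *flow))
```

Two points the model makes visible: the explicit deny-all ingress rule is redundant with the implied one, while the explicit deny-all egress rule is what actually does the work, because the implied egress rule allows everything; and a trusted address still gets no access on ports the allow rule does not list.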