Compute engine firewall rule precedence


Akshat Jiwan Sharma

Oct 23, 2017, 9:03:49 AM
to gce-discussion
Hello everyone,

Can you please help me understand the order in which firewall rules are applied to a Compute Engine instance? These are the three rules I have:

- rule 1 - applies to all machines with a specific tag and opens port 80 to the public
- rule 2 - applies to all machines with a specific tag and opens port 443 to the public
- rule 3 - applies to a machine instance id and opens port 80 to the public.

Assume that I have a machine that satisfies the requirements for all three rules. In that case, which rule would take effect?

My expected behavior was that I should have ports 80 and 443 open to the public. But it seems to me that rule 3 has overridden rules 1 and 2 and I only have port 80 exposed. Clients are unable to connect to port 443. Is this the way it's supposed to work? What can I do to make ports 80 and 443 available? The challenge is that I can't modify rule 3, which is the one that is applied to the instance id.

Thanks,
Akshat

Dinesh (Google Platform Support)

Oct 23, 2017, 4:36:35 PM
to gce-discussion

Hello Akshat,

You can decide rule precedence by assigning a priority to each rule. You can read about assigning priority for your rules in "firewall rule in GCP" and "Priority order for firewall rules".

Moreover, you might want to understand the different use cases related to service accounts and tags.
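To make the precedence Dinesh points to concrete, here is an added Python model of how GCE picks the winning ingress rule for a connection (example code written for this thread, not code from the thread or from Google): the lowest priority number wins, a deny beats an allow at the same priority, and traffic matching nothing falls through to the implied ingress deny. The rule names, the tags used to stand in for "a specific tag" and "a machine instance id", and the extra deny rule that reproduces the "443 unreachable" symptom are all constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    name: str
    action: str                                  # "allow" or "deny"
    ports: set                                   # TCP ports this rule matches
    target_tags: set = field(default_factory=set)  # empty set = all instances in the network
    priority: int = 1000                         # GCP default; lower number = higher precedence

def applies_to(rule: Rule, instance_tags: set) -> bool:
    """A rule targets an instance if it has no target tags or shares one with the instance."""
    return not rule.target_tags or bool(rule.target_tags & instance_tags)

def evaluate(rules: list, instance_tags: set, port: int) -> tuple:
    """Return (action, rule_name) for inbound TCP traffic to `port` on an instance.
    Candidates are every rule that targets the instance AND matches the port; the
    winner is the lowest priority number, with deny ranked before allow on a tie."""
    candidates = [r for r in rules if applies_to(r, instance_tags) and port in r.ports]
    candidates.sort(key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    if candidates:
        return candidates[0].action, candidates[0].name
    # Nothing matched: the implied ingress deny (priority 65535) applies.
    return "deny", "implied-deny-ingress"

# Constructed rules modelled on the thread (hypothetical names and tags).
# "instance-a" stands in for a tag applied only to the one instance rule 3 targets.
RULES = [
    Rule("rule-1-web-80", "allow", {80}, {"web"}),
    Rule("rule-2-web-443", "allow", {443}, {"web"}),
    Rule("rule-3-instance-80", "allow", {80}, {"instance-a"}),
    # Constructed: a deny at a lower number than the default 1000 outranks rule 2
    # and is the kind of rule that leaves 443 closed despite an allow for it.
    Rule("deny-443-all", "deny", {443}, set(), priority=900),
]

# Remediation without touching rule 3: add an allow for 443 that outranks the deny.
FIXED_RULES = RULES + [Rule("allow-443-web", "allow", {443}, {"web"}, priority=800)]

if __name__ == "__main__":
    tags = {"web", "instance-a"}
    for label, ruleset in (("as reported", RULES), ("after fix", FIXED_RULES)):
        for port in (80, 443):
            print(label, port, evaluate(ruleset, tags, port))
```

Running the block shows port 80 allowed by rule 1 in both rule sets, port 443 denied by the constructed deny in the first set and allowed by the priority-800 rule in the second.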

onway

Oct 23, 2017, 11:21:41 PM
to Akshat Jiwan Sharma, gce-discussion
Hello,

Can you connect to GCE's VPS through a third-party client? I cannot, and any connection from outside GCE cannot connect to the VPS.


Akshat Jiwan Sharma

Oct 24, 2017, 8:59:42 AM
to gce-discussion
Thanks a lot Dinesh!

Dinesh (Google Platform Support)

Oct 24, 2017, 4:21:18 PM
to gce-discussion

Yes, it is possible to connect to GCE instances using third-party tools. Specifically, you must create and manage SSH keys yourself when using a third-party tool, which is generally managed by GCE.

In the future, I recommend creating a separate thread if your question is not related to the ongoing discussion.
