Configuring Firewall Rules for Health Check Access to VMs

Introduction

When setting up infrastructure in Google Cloud, I kept running into the same problem: my VMs were never marked healthy because their health checks failed. At first I didn't understand why, but eventually I found that my firewall rules were blocking the health-check probes that Google Cloud sends.

The fix is simple, and I will show you how it works. I am following the official Google article on this topic, which I use as a template whenever I set up a new GCP project.

Prerequisites

To follow this example, you need a Google Cloud account and a project. If you do not have one yet, follow this link and create a new account.

You also need the gcloud CLI (part of the Google Cloud SDK) installed to run the commands. These CLI tools are handy and easy to use, and you can set up your infrastructure faster than by clicking through the Cloud Console. See the following article if you still need to do this step.

Step 1: Create a Firewall Rule

Health checks in Google Cloud are not sent from your load balancer's address or from your VPC; they come from a set of Google-owned IP ranges, so your VM's firewall must admit traffic from those ranges. The ranges are well known and are published by Google. For load balancer health checks and managed instance group autohealing they are:

130.211.0.0/22
35.191.0.0/16

Some load balancer types probe from additional ranges as well, so check Google's current documentation for the load balancer you are using. For the two ranges above, the firewall rule we create must allow ingress from exactly these sources and nothing more: the point is to open the port to Google's probers, not to the whole internet. Run the following command to create the rule.

gcloud compute firewall-rules create allow-healthcheck \
  --source-ranges 130.211.0.0/22,35.191.0.0/16 \
  --target-tags health \
  --allow tcp:80

This command creates a new firewall rule named allow-healthcheck in the default network (add --network if your VMs live in another VPC). The rule is an ingress rule with priority 1000, which are gcloud's defaults.

  • --source-ranges restricts the rule to traffic whose source IP is inside these ranges; probes from anywhere else do not match and fall through to the implied deny
  • --target-tags applies the rule only to VMs that carry the health network tag
  • --allow tcp:80 allows traffic to TCP port 80 on those target VMs and nothing else; use the port your health check is configured to probe

Check whether your Firewall Rule has been successfully created by executing the following command.

gcloud compute firewall-rules list

You should now see the allow-healthcheck rule in the list, alongside any default rules your network already had.

Step 2: Assign a Network Tag to your VMs

When creating firewall rules, you can choose between three options for which VMs they apply to.

1. All instances in the network
2. Specified target tags
3. Specified service accounts

In our example we use the second option, so the health checks can only reach VMs that carry the health network tag. Keep in mind that anyone who can edit an instance can also change its network tags; if you need a target that is harder to tamper with, the third option (target service accounts) is the stricter choice.

To do this, pass the tag when creating your VMs with gcloud. The option --tags=health attaches the network tag to the VM.

gcloud compute instances create app \
  ... \
  --tags=health

You can also add a network tag to VMs that already exist, using the following command.

gcloud compute instances add-tags INSTANCE_NAME --zone ZONE --tags TAG1,TAG2,...

When editing instances, specify the --zone option unless you have set a default zone in your gcloud configuration; otherwise gcloud cannot locate the instance (it will prompt you, or fail in a non-interactive session). In our example, the command looks like this.

gcloud compute instances add-tags app --zone us-central1-a --tags health
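Once the rule and the tag are in place, it helps to verify the result the way the VPC firewall itself evaluates it, rather than just eyeballing the rule list. The following script is an added example, not part of the original article or of Google's tooling. It takes the JSON that gcloud compute firewall-rules list --format=json prints (the field names used here are those of the Compute API Firewall resource) and, for a VM with a given network tag listening on a given TCP port, decides for each health-check range which rule wins: lowest priority number first, deny before allow on a tie, and an implied deny-all ingress rule at priority 65535 if nothing else matches. The sample rule sets embedded below are constructed for the example; the file path and tag names are assumptions.

```python
"""Offline audit of VPC firewall rules for Google health-check reachability.

Added example, not code from the original article. Input is the JSON printed by
`gcloud compute firewall-rules list --format=json`; the field names (direction,
priority, sourceRanges, targetTags, allowed, denied, disabled) are those of the
Compute API Firewall resource. The sample rules at the bottom are constructed.
"""
import ipaddress
import json
import sys

# Source ranges Google uses for load balancer health checks and MIG autohealing.
HEALTH_CHECK_RANGES = ("130.211.0.0/22", "35.191.0.0/16")
# Every VPC has an implied deny-all ingress rule at the lowest priority.
IMPLIED_DENY = {"name": "implied-deny-ingress", "direction": "INGRESS", "priority": 65535,
                "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]}


def _targets_vm(rule, vm_tags):
    """A rule with neither targetTags nor targetServiceAccounts applies to every VM."""
    if rule.get("targetServiceAccounts"):
        return False  # service-account targeting is not modelled in this example
    tags = rule.get("targetTags")
    return not tags or bool(set(tags) & set(vm_tags))


def _spec_matches_tcp_port(spec, port):
    """spec looks like {"IPProtocol": "tcp", "ports": ["80", "8000-8100"]}; no ports = all."""
    if spec.get("IPProtocol", "").lower() not in ("tcp", "all"):
        return False
    ports = spec.get("ports")
    if not ports:
        return True
    for entry in ports:
        low, _, high = entry.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def _source_matches(rule, probe, full_cover):
    """An allow must cover the whole probe range; a deny overlapping any of it is enough."""
    for cidr in rule.get("sourceRanges", []):
        net = ipaddress.ip_network(cidr)
        if net.version != probe.version:
            continue
        if probe.subnet_of(net) if full_cover else probe.overlaps(net):
            return True
    return False


def evaluate(rules, vm_tags, port):
    """Return {probe_range: (verdict, rule_name)} for a VM with vm_tags on tcp:port."""
    result = {}
    for cidr in HEALTH_CHECK_RANGES:
        probe = ipaddress.ip_network(cidr)
        candidates = []
        for rule in list(rules) + [IMPLIED_DENY]:
            if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
                continue
            if not _targets_vm(rule, vm_tags):
                continue
            for action, specs in (("DENY", rule.get("denied", [])), ("ALLOW", rule.get("allowed", []))):
                if any(_spec_matches_tcp_port(s, port) for s in specs) and \
                        _source_matches(rule, probe, full_cover=(action == "ALLOW")):
                    # Sort key: priority number first, then DENY (False) before ALLOW (True).
                    candidates.append((int(rule.get("priority", 1000)), action == "ALLOW", action, rule["name"]))
        _, _, action, name = min(candidates)  # IMPLIED_DENY guarantees a candidate
        result[cidr] = (action, name)
    return result


def health_checks_allowed(rules, vm_tags, port):
    """True when probes from both health-check ranges reach the VM."""
    return all(verdict == "ALLOW" for verdict, _ in evaluate(rules, vm_tags, port).values())


def allowing_rules_are_scoped(rules, vm_tags, port):
    """True when the rules that admit the probes admit only the health-check ranges.
    A 0.0.0.0/0 allow also passes the health check, but it exposes the port to everyone."""
    by_name = {r["name"]: r for r in rules}
    for verdict, name in evaluate(rules, vm_tags, port).values():
        if verdict != "ALLOW":
            return False
        for cidr in by_name[name].get("sourceRanges", []):
            net = ipaddress.ip_network(cidr)
            if not any(net.subnet_of(ipaddress.ip_network(h)) for h in HEALTH_CHECK_RANGES):
                return False
    return True


# Constructed samples, shaped like `gcloud compute firewall-rules list --format=json` output.
SAMPLE_RULES = [
    {"name": "allow-healthcheck", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["130.211.0.0/22", "35.191.0.0/16"], "targetTags": ["health"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
    {"name": "allow-ssh-from-office", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "deny-all-ingress", "direction": "INGRESS", "priority": 65534,
     "sourceRanges": ["0.0.0.0/0"], "denied": [{"IPProtocol": "all"}]},
]
PARTIAL_RULE = [  # only one of the two probe ranges: probes from the other are still dropped
    {"name": "allow-healthcheck-partial", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["35.191.0.0/16"], "targetTags": ["health"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
]
WIDE_OPEN = [  # passes the health check, but port 80 is open to the whole internet
    {"name": "allow-http-anywhere", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80"]}]},
]

if __name__ == "__main__":
    # Usage: python3 audit.py [rules.json] [tag] [port]  (assumed file name and defaults)
    rules = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RULES
    tags = [sys.argv[2]] if len(sys.argv) > 2 else ["health"]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 80
    print(evaluate(rules, tags, port), "scoped" if allowing_rules_are_scoped(rules, tags, port) else "NOT scoped")
```

Export the rules of a real project with gcloud compute firewall-rules list --format=json > rules.json and run the script against that file and the tag of your VM; a DENY verdict names the rule that wins over allow-healthcheck (a broad deny at a lower priority number is the usual culprit), and "NOT scoped" tells you the probes only get through because the port is open to everyone.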

Conclusion

You've just seen how easy it is to work with firewall rules in your GCP project. If you follow this example, the firewall will no longer be the reason your instances show up as unhealthy; if a check still fails, look at whether the application actually answers on the probed port and path. And because the rule is limited to Google's health-check source ranges and to tagged VMs, you get reachable instances without exposing the port to the rest of the internet.