Sample VPC and Subnets using CLI

Use the following commands as an example when creating VPCs for your GCP account. Open a Google Cloud Shell window to run these commands:

Procedure


Step 1

Create VPC apps and subnet apps-us-east1:

Step 2

Create VPC multicloud defense-mgmt and subnet multicloud defense-mgmt-us-east1:

Step 3

Create at least two Firewall rules for VPC multicloud defense-mgmt with target-tags as multicloud defense-mgmt:

  1. Egress rule to allow all the outbound traffic:

  2. Ingress rule to allow SSH into the firewall instances:

Step 4

Create at least three Firewall rules for VPC apps. Use the following as examples:

  1. One egress rule to allow all the outbound traffic with target-tags as multicloud defense-datapath:
  2. One ingress rule to allow HTTP and HTTPS into the gateway instances through the non-load balancer with target-tags as multicloud defense-datapath:
  3. One egress rule to allow all the outbound traffic with target-tags as app-instance:
  4. One ingress rule to allow tcp:8000 with target-tags as app-instance:

gcloud config set project <project-name> # in case the project is not set in the gcloud CLI shell
# Step 1: application VPC and subnet
gcloud compute networks create apps --subnet-mode custom
gcloud compute networks subnets create apps-us-east1 --network apps --range 10.0.0.0/24 --region us-east1
# Step 2: management VPC and subnet
gcloud compute networks create ciscomcd-mgmt --subnet-mode custom
gcloud compute networks subnets create ciscomcd-mgmt-us-east1 --network ciscomcd-mgmt --range 172.16.0.0/24 --region us-east1
# Step 3: management VPC firewall rules (egress all, ingress SSH)
gcloud compute firewall-rules create ciscomcd-mgmt-out --direction EGRESS --network ciscomcd-mgmt \
    --target-tags ciscomcd-mgmt --allow tcp,udp
# Note: no --source-ranges is given, so gcloud defaults this INGRESS rule to 0.0.0.0/0;
# add --source-ranges <your-admin-cidr> to limit SSH to your management network.
gcloud compute firewall-rules create ciscomcd-mgmt-in --direction INGRESS --network ciscomcd-mgmt \
    --target-tags ciscomcd-mgmt --allow tcp:22
# Step 4: application VPC firewall rules for the gateway datapath and the app instances
gcloud compute firewall-rules create ciscomcd-datapath-out --direction EGRESS --network apps \
    --target-tags ciscomcd-datapath --allow tcp,udp
gcloud compute firewall-rules create ciscomcd-datapath-in --direction INGRESS --network apps \
    --target-tags ciscomcd-datapath --allow tcp:80,tcp:443
gcloud compute firewall-rules create app-instance-out --direction EGRESS --network apps \
    --target-tags app-instance --allow tcp,udp
# Same 0.0.0.0/0 default applies here; tcp:22 is included so you can SSH to the test VM below.
gcloud compute firewall-rules create app-instance-in --direction INGRESS --network apps \
    --target-tags app-instance --allow tcp:8000,tcp:22

Once you run the above commands, you can create a VM instance in the apps VPC and launch a test web application on port 8000.


# Create a test VM in the apps VPC; the app-instance tag attaches the app-instance-* rules to it.
gcloud compute instances create app-instance1 \
  --zone=us-east1-b \
  --image-project=ubuntu-os-cloud \
  --image-family=ubuntu-2004-lts \
  --network apps \
  --subnet=apps-us-east1 \
  --tags=app-instance
gcloud compute ssh app-instance1 --zone us-east1-b
# The next two commands run inside the SSH session on the VM and serve a test page on port 8000.
echo hello world > index.html
python3 -m http.server 8000
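The ingress rules in this procedure are created without --source-ranges, so gcloud stores 0.0.0.0/0 for them. The following audit script is an added example (not part of this guide or of the product) that reads the output of `gcloud compute firewall-rules list --format=json` and flags INGRESS rules that expose remote-administration ports to the internet or carry no target tags; the JSON embedded below is a constructed sample that mirrors the rules created above.

```python
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`,
# trimmed to the fields the audit needs. It mirrors rules from this procedure; the
# ingress rules were created without --source-ranges, so gcloud stored 0.0.0.0/0.
SAMPLE_RULES_JSON = """[
 {"name": "ciscomcd-mgmt-out", "direction": "EGRESS", "targetTags": ["ciscomcd-mgmt"],
  "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp"}, {"IPProtocol": "udp"}]},
 {"name": "ciscomcd-mgmt-in", "direction": "INGRESS", "targetTags": ["ciscomcd-mgmt"],
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
 {"name": "ciscomcd-datapath-in", "direction": "INGRESS", "targetTags": ["ciscomcd-datapath"],
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
 {"name": "app-instance-in", "direction": "INGRESS", "targetTags": ["app-instance"],
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["8000", "22"]}]}
]"""

ADMIN_PORTS = (22, 3389)  # remote-administration ports that should not face 0.0.0.0/0

def port_in_spec(port, spec):
    """True if `port` falls within a GCE port spec such as "22" or "8000-8100"."""
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= port <= int(high)
    return int(spec) == port

def allows_tcp_port(rule, port):
    """True if any `allowed` entry of the rule admits TCP traffic to `port`."""
    for entry in rule.get("allowed", []):
        if entry["IPProtocol"] not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        if not ports:  # an entry without "ports" allows the whole protocol
            return True
        if any(port_in_spec(port, spec) for spec in ports):
            return True
    return False

def audit_rules(rules_json):
    """Return (rule name, finding) pairs for risky INGRESS rules, in input order."""
    findings = []
    for rule in json.loads(rules_json):
        if rule.get("direction") != "INGRESS":
            continue
        if not rule.get("targetTags"):
            findings.append((rule["name"], "no target tags: applies to every instance in the network"))
        if "0.0.0.0/0" in rule.get("sourceRanges", []):
            for port in ADMIN_PORTS:
                if allows_tcp_port(rule, port):
                    findings.append((rule["name"], f"tcp:{port} reachable from 0.0.0.0/0"))
    return findings
```

Against a live project, pipe `gcloud compute firewall-rules list --format=json` into `audit_rules` instead of the sample; rules it reports should get a `--source-ranges` restriction with `gcloud compute firewall-rules update`.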