A company is migrating its infrastructure to GCP and needs strict security controls for its Compute Engine instances. Their challenges include:
All resources in this lab will be deployed in the us-east1 region.
In this lab, you will complete the following exercises:
Note: You need a Google Cloud account with billing enabled (the Free Tier is sufficient), access to the Google Cloud Console, and a project in which you can create VPC networks, firewall rules and Compute Engine instances.
In the Google Cloud Console, go to Compute Engine > VM instances, click Create Instance and configure the following:
Setting | Value |
---|---|
Instance Name | secure-vm |
Region | us-east1 |
Zone | us-east1-b |
Machine Type | n2-standard-2 (2 vCPUs, 8 GB RAM) |
Boot Disk | Ubuntu Server 22.04 LTS |
Networking | Create a new VPC and subnet (a custom VPC starts with implied deny-all ingress; only the rules you add later open ports) |
External IP | Ephemeral (needed for this lab's direct SSH/HTTPS; for production prefer no external IP with IAP TCP forwarding or a load balancer in front) |
Firewall | Tick "Allow HTTPS traffic" (adds the https-server tag and a rule for 443 from 0.0.0.0/0). There is no SSH checkbox; port 22 is opened by the firewall rule you create in the next step |
Alternatively, create the VM with the gcloud CLI. Open Cloud Shell or a local terminal with the Google Cloud SDK installed and run the command below; add --network and --subnet with the names of the VPC and subnet you created, otherwise the instance lands in the default network:
gcloud compute instances create secure-vm \
--zone=us-east1-b \
--machine-type=n2-standard-2 \
--image-family=ubuntu-2204-lts \
--image-project=ubuntu-os-cloud \
--tags=webserver
Verify the instance status with:
gcloud compute instances list
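A posture check for the VM you just created, written as an added example for this lab (it is not part of the original page and not a Google tool). It reads the JSON that `gcloud compute instances list --format=json` prints and flags the settings a reviewer looks at first: an external IP, disabled Shielded VM protections, the interactive serial console, missing OS Login, and the default Compute Engine service account carrying the broad cloud-platform scope. The instance JSON embedded in the script is constructed to resemble that output for secure-vm with console defaults; the project name, addresses and service-account number are made up, and only instance-level metadata is inspected (project-level metadata also applies in practice).

```python
"""Posture check for Compute Engine instances, fed from `gcloud compute instances list --format=json`."""
import json
import sys

CLOUD_PLATFORM_SCOPE = "https://www.googleapis.com/auth/cloud-platform"

# Constructed sample (not real gcloud output): what the lab's secure-vm could look like
# with the console defaults. Project name, IPs and service-account number are made up.
SAMPLE_INSTANCES_JSON = """
[
  {
    "name": "secure-vm",
    "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-east1-b",
    "status": "RUNNING",
    "tags": {"items": ["webserver"]},
    "networkInterfaces": [
      {"networkIP": "10.0.0.2",
       "accessConfigs": [{"type": "ONE_TO_ONE_NAT", "name": "External NAT", "natIP": "203.0.113.10"}]}
    ],
    "shieldedInstanceConfig": {"enableSecureBoot": false, "enableVtpm": true, "enableIntegrityMonitoring": true},
    "metadata": {"items": [{"key": "serial-port-enable", "value": "1"}]},
    "serviceAccounts": [
      {"email": "123456789012-compute@developer.gserviceaccount.com",
       "scopes": ["https://www.googleapis.com/auth/cloud-platform"]}
    ]
  }
]
"""


def metadata_value(instance, key):
    """Return the value of an instance-level metadata key, or None if it is not set."""
    for item in instance.get("metadata", {}).get("items", []):
        if item.get("key") == key:
            return item.get("value")
    return None


def audit_instance(instance):
    """Return a list of (check, detail) findings for one instance dict from the gcloud JSON."""
    findings = []
    name = instance["name"]

    # External IP: an accessConfig with natIP makes the VM directly reachable from the internet.
    for nic in instance.get("networkInterfaces", []):
        for cfg in nic.get("accessConfigs", []):
            if cfg.get("natIP"):
                findings.append(("external-ip",
                                 f"{name}: external IP {cfg['natIP']} (consider --no-address plus IAP or a load balancer)"))

    # Shielded VM: Secure Boot, vTPM and integrity monitoring should all be enabled.
    shielded = instance.get("shieldedInstanceConfig", {})
    for flag in ("enableSecureBoot", "enableVtpm", "enableIntegrityMonitoring"):
        if not shielded.get(flag, False):
            findings.append(("shielded-vm", f"{name}: {flag} is disabled"))

    # Serial console: an interactive serial port is a second, rarely monitored login path.
    if str(metadata_value(instance, "serial-port-enable")).lower() in ("1", "true"):
        findings.append(("serial-console", f"{name}: serial-port-enable is set"))

    # OS Login: without it, SSH keys live in project/instance metadata instead of IAM.
    if str(metadata_value(instance, "enable-oslogin")).upper() != "TRUE":
        findings.append(("os-login", f"{name}: enable-oslogin is not TRUE"))

    # Default Compute Engine service account plus the cloud-platform scope is broad project access.
    for sa in instance.get("serviceAccounts", []):
        if (sa.get("email", "").endswith("-compute@developer.gserviceaccount.com")
                and CLOUD_PLATFORM_SCOPE in sa.get("scopes", [])):
            findings.append(("service-account", f"{name}: default compute SA with cloud-platform scope"))

    return findings


def audit_instances(raw_json):
    """Audit every instance in gcloud JSON output; returns {instance_name: [(check, detail), ...]}."""
    return {inst["name"]: audit_instance(inst) for inst in json.loads(raw_json)}


if __name__ == "__main__":
    # Pipe real output in (gcloud compute instances list --format=json | python3 audit_vm.py)
    # or run with no input to audit the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSTANCES_JSON
    for name, findings in audit_instances(raw).items():
        print(f"{name}: {len(findings)} finding(s)")
        for check, detail in findings:
            print(f"  [{check}] {detail}")
```

Against the sample the script reports five findings; the same VM created with `--no-address`, `--shielded-secure-boot`, `--metadata=enable-oslogin=TRUE` and a purpose-built service account with narrow scopes comes back clean.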
VPC firewall rules in GCP filter inbound (ingress) and outbound (egress) traffic at each instance's network interface. They are stateful, are applied to instances by network tag or service account, and every VPC carries implied rules that deny all ingress and allow all egress, so nothing reaches the instance until you add an allow rule.
In VPC network > Firewall, click Create Firewall Rule and define the following:
Setting | Value |
---|---|
Name | secure-vm-fw |
Network | Select your VPC |
Priority | 1000 |
Direction | Ingress |
Target Tags | webserver |
Source Range | 0.0.0.0/0 (see the note below for port 22) |
Allowed Protocols | TCP: 22, 80, 443 |
Result: Only the listed ports reach instances tagged webserver; everything else stays blocked by the implied deny-ingress rule. Note that TCP 22 from 0.0.0.0/0 exposes SSH to the entire internet. Outside the lab, put SSH in its own rule whose source range is Google's IAP TCP-forwarding range 35.235.240.0/20 (and connect with gcloud compute ssh --tunnel-through-iap) or your administrators' CIDR, and leave 0.0.0.0/0 only for 80 and 443.
A managed instance group (MIG) creates every instance from one instance template, so all members share the same network tags, service account and Shielded VM settings, and instances added by autoscaling inherit them automatically. That is what makes tag-based firewall rules scale with the workload.
In Compute Engine > Instance groups, click Create Instance Group, choose a managed instance group (autoscaling requires one) and define:
Setting | Value |
---|---|
Name | WebServerGroup |
Region | us-east1 |
Instance Template | Create new or use existing |
Autoscaling | Enabled (managed instance groups only) |
Network tags (set in the instance template) | webserver |
Ingress rules that apply to the group, matched by the webserver tag every instance created from the template carries:
Protocol | Port | Source | Target Tags | Action |
---|---|---|---|---|
HTTPS | 443 | 0.0.0.0/0 | webserver | Allow |
SSH | 22 | 0.0.0.0/0 | webserver | Allow |
Result: Because the firewall rules select targets by network tag, every instance the group creates or replaces is covered without per-instance configuration. The SSH row carries the same risk as before: 22 from 0.0.0.0/0 should be narrowed to the IAP range 35.235.240.0/20 or an administrator CIDR.
Side Task: Deploy another instance, assign it to the Instance Group, and verify traffic restrictions. Share findings on LinkedIn with hashtags #CloudSecurityWithCyberPreacher #CPwCP.
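A way to verify the traffic restrictions the side task asks for without a port scan, written as an added example for this lab (not part of the original page and not a Google tool). It joins the output of `gcloud compute firewall-rules list --format=json` and `gcloud compute instances list --format=json` by network tag and reports, per instance, which ports are reachable from 0.0.0.0/0, covering both the secure-vm-fw rule defined earlier and the ingress rules just listed for the instance group. The two JSON samples are constructed: the lab's rule as written plus a second SSH rule restricted to Google's IAP TCP-forwarding range 35.235.240.0/20, and two instances of which only one is tagged webserver. The matching logic is the one the page describes (a rule applies by target tag, or to every instance if it names no target); it assumes all instances share one VPC and ignores rule priority, so a higher-priority deny rule would not be subtracted from the result.

```python
"""Effective internet exposure: join VPC firewall rules to instances by network tag."""
import ipaddress
import json

ADMIN_PORTS = {22: "ssh", 3389: "rdp"}   # ports that belong behind IAP, never open to the world

# Constructed sample (not real gcloud output): the lab's rule as written, plus the
# corrected SSH rule that only admits Google's IAP TCP-forwarding range.
SAMPLE_RULES_JSON = """
[
  {"name": "secure-vm-fw", "direction": "INGRESS", "priority": 1000, "disabled": false,
   "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/secure-vpc",
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["webserver"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22", "80", "443"]}]},
  {"name": "allow-ssh-from-iap", "direction": "INGRESS", "priority": 900, "disabled": false,
   "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/secure-vpc",
   "sourceRanges": ["35.235.240.0/20"], "targetTags": ["bastion"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]}
]
"""

# Constructed sample: two instances, only the first carries the webserver tag.
SAMPLE_INSTANCES_JSON = """
[
  {"name": "secure-vm", "tags": {"items": ["webserver"]}},
  {"name": "bastion-vm", "tags": {"items": ["bastion"]}}
]
"""


def expand_ports(allowed):
    """Yield (protocol, port) for each allowed entry; a port spec is '22' or a range like '8000-8010'."""
    for entry in allowed:
        proto = entry["IPProtocol"].lower()
        if proto not in ("tcp", "udp"):              # icmp, all or a protocol number: no port list
            yield proto, None
            continue
        for spec in entry.get("ports", ["0-65535"]):  # a tcp/udp entry without ports means every port
            lo, _, hi = spec.partition("-")
            for port in range(int(lo), int(hi or lo) + 1):
                yield proto, port


def is_internet_source(cidr):
    """True for the unrestricted source ranges 0.0.0.0/0 and ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_applies(rule, instance):
    """Tag-based targeting: a rule with neither targetTags nor targetServiceAccounts hits every VM."""
    if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled", False):
        return False
    tags = set(rule.get("targetTags", []))
    if not tags and not rule.get("targetServiceAccounts"):
        return True
    return bool(tags & set(instance.get("tags", {}).get("items", [])))


def internet_exposure(rules_json, instances_json):
    """Return {instance: sorted [(proto, port, rule_name)]} for ports allowed from the internet."""
    rules = json.loads(rules_json)
    result = {}
    for inst in json.loads(instances_json):
        exposed = set()
        for rule in rules:
            if not rule_applies(rule, inst):
                continue
            if not any(is_internet_source(c) for c in rule.get("sourceRanges", [])):
                continue
            for proto, port in expand_ports(rule.get("allowed", [])):
                exposed.add((proto, port, rule["name"]))
        result[inst["name"]] = sorted(exposed, key=lambda t: (t[0], -1 if t[1] is None else t[1], t[2]))
    return result


def admin_ports_open_to_internet(exposure):
    """Reduce the exposure map to SSH/RDP entries, the ones that should be behind IAP."""
    return {name: [e for e in entries if e[1] in ADMIN_PORTS]
            for name, entries in exposure.items() if any(e[1] in ADMIN_PORTS for e in entries)}


if __name__ == "__main__":
    exposure = internet_exposure(SAMPLE_RULES_JSON, SAMPLE_INSTANCES_JSON)
    for name, entries in exposure.items():
        print(f"{name}: " + (", ".join(f"{p}/{port} via {r}" for p, port, r in entries) or "nothing from the internet"))
    for name, entries in admin_ports_open_to_internet(exposure).items():
        print(f"FINDING {name}: admin port(s) open to 0.0.0.0/0: {[e[1] for e in entries]}")
```

With the samples, secure-vm shows 22, 80 and 443 open via secure-vm-fw and is flagged for SSH, while bastion-vm shows nothing from the internet because its only rule admits the IAP range. Feed real output in by replacing the two sample strings with the contents of the corresponding gcloud commands.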
Note: Delete the resources after the lab to avoid unnecessary costs: the instance group, any remaining instances, the firewall rules and finally the VPC you created.