solutions/client-landing-zone/client-folder/firewall-policy/rules/defaults.yaml

# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ######### # Rules 2147483541 to 2147483546 in are the suggested defaults by Google ######### # Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) - All connections to or from virtual machine instances are allowed/denied via firewall rules configured in shared VPC network within host project or firewall policies in parent folders based on least-privilege principle. Each firewall rule applies to incoming(ingress) or outgoing(egress) connections, not both. # AU-12 - Enable Logging for firewall # SI-4 - Logging denied traffic apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: name: client-name-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr # kpt-set: ${client-name}-client-folder-fwpol-exclude-private-ip-ranges-egress-fwr namespace: client-name-networking # kpt-set: ${client-name}-networking annotations: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol spec: action: "goto_next" description: "Delegate to host project, egress traffic(firewall) from VPC resources to private IP ranges in shared VPC network" direction: "EGRESS" disabled: false # logging not supported for goto_next rules enableLogging: false # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol match: layer4Configs: - ipProtocol: "all" destIPRanges: # kpt-set: ${firewall-internal-ip-ranges} - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" priority: 2147483541 --- # Delegate to the next folder down in the hierarchy apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: name: client-name-client-folder-fwpol-exclude-private-ip-ranges-ingress-fwr # kpt-set: ${client-name}-client-folder-fwpol-exclude-private-ip-ranges-ingress-fwr namespace: client-name-networking # kpt-set: ${client-name}-networking annotations: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol spec: action: "goto_next" description: "Delegate to the next folder down in the hierarchy." direction: "INGRESS" disabled: false # logging not supported for goto_next rules enableLogging: false # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol match: layer4Configs: - ipProtocol: "all" srcIPRanges: # kpt-set: ${firewall-internal-ip-ranges} - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" priority: 2147483542 --- # Deny TOR exit nodes ingress traffic # https://cloud.google.com/armor/docs/threat-intelligence#configure-nti apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: name: client-name-client-folder-fwpol-deny-tor-nodes-ingress-traffic-fwr # kpt-set: ${client-name}-client-folder-fwpol-deny-tor-nodes-ingress-traffic-fwr namespace: client-name-networking # kpt-set: ${client-name}-networking annotations: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol spec: action: "deny" description: "Deny TOR exit nodes ingress traffic" direction: "INGRESS" disabled: false # AU-12, SI-4 enableLogging: true # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol match: layer4Configs: - ipProtocol: "all" srcIPRanges: - "0.0.0.0/0" srcThreatIntelligences: - "iplist-tor-exit-nodes" priority: 2147483543 --- # Deny sanctioned countries ingress traffic # https://cloud.google.com/firewall/docs/firewall-policies-rule-details#geo-location-object # https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements apiVersion: compute.cnrm.cloud.google.com/v1beta1 kind: ComputeFirewallPolicyRule metadata: name: client-name-client-folder-fwpol-deny-sanctioned-countries-ingress-fwr # kpt-set: ${client-name}-client-folder-fwpol-deny-sanctioned-countries-ingress-fwr namespace: client-name-networking # kpt-set: ${client-name}-networking annotations: config.kubernetes.io/depends-on: compute.cnrm.cloud.google.com/namespaces/client-name-networking/ComputeFirewallPolicy/client-name-client-folder-fwpol # kpt-set: compute.cnrm.cloud.google.com/namespaces/${client-name}-networking/ComputeFirewallPolicy/${client-name}-client-folder-fwpol spec: action: "deny" description: "Deny sanctioned countries ingress traffic" direction: "INGRESS" disabled: false # AU-12, SI-4 enableLogging: true # AC-3(9), AC-4, AC-4(21), SC-7(5), SC-7(8), SC-7(9), SC-7(11) firewallPolicyRef: name: client-name-client-folder-fwpol # kpt-set: ${client-name}-client-folder-fwpol match: layer4Configs: - ipProtocol: "all" srcIPRanges: - "0.0.0.0/0" srcRegionCodes: # kpt-set: ${denied-sanctioned-countries} - "XX" priority: 2147483546

solutions/client-landing-zone/client-folder/firewall-policy/rules/defaults.yaml (95 lines of code) (raw):