Cloud Experts Documentation

Limit Egress with Google Cloud NGFW Standard

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

In this guide, we will implement egress restrictions for OpenShift Dedicated by using Google's Cloud Next Generation Firewall (NGFW) Standard. Cloud NGFW is a fully distributed firewall service that supports fully qualified domain name (FQDN) objects in firewall policy rules. This is necessary because many of the external endpoints that OpenShift Dedicated relies on are published as domain names rather than as fixed IP ranges.

The ability to restrict egress traffic using a firewall or other network device is only supported with OpenShift Dedicated clusters deployed using Google Private Service Connect (not yet generally available). Clusters that do not use Google Private Service Connect require a support exception to use this functionality. For additional assistance, please open a support case.

Prerequisites

  • Ensure that you have the Google Cloud CLI (gcloud) installed.
  • Ensure that you are logged in to the Google Cloud CLI and that you are in the correct project where you plan to deploy OpenShift Dedicated.
  • Confirm that you have the minimum necessary permissions in Google Cloud, including:
    • Compute Network Admin
    • DNS Administrator
  • Confirm you have the networksecurity.googleapis.com, networkservices.googleapis.com, and servicenetworking.googleapis.com services enabled. To enable them, run the following command:

Environment

Prepare the environment variables:

In this example, we will use us-east1 as the region to deploy into and we will prefix all of our resources with osd-ngfw. We will use the default CIDR ranges for the service and pod networks, and will configure our machine CIDR to be based on the subnet ranges we set below. Modify the parameters to meet your needs.

Create the VPC and Subnets

Before we can deploy a Cloud NGFW, we must first create a VPC and subnets that we will use for OpenShift Dedicated:

  1. Create the VPC by running the following command:
  2. Create the worker, control plane, and Private Service Connect subnets by running the following commands. In this example, we are using subnet ranges of 10.0.0.0/25 for the control plane subnet, 10.0.2.0/23 for the worker subnets, and 10.0.0.128/29 for the PSC subnet. Modify the parameters to meet your needs. Ensure these values are contained within the machine CIDR you set above.
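The service enablement, environment variables, VPC and subnet steps above, as one added shell example (not the page's own commands). The resource names, the region, the machine CIDR of 10.0.0.0/22 and the `--purpose=PRIVATE_SERVICE_CONNECT` flag on the PSC subnet are assumptions; the three subnet ranges are the page's worked values. The script refuses to create anything if a subnet is not inside the machine CIDR, which is the check the page asks you to make by hand, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example; not the page's own commands. Resource names, the region,
# the machine CIDR (10.0.0.0/22) and the --purpose flag on the PSC subnet
# are assumptions; the three subnet ranges are the page's worked values.
set -eu

PREFIX="${PREFIX:-osd-ngfw}"
REGION="${REGION:-us-east1}"
MACHINE_CIDR="${MACHINE_CIDR:-10.0.0.0/22}"   # assumption: must contain all three subnets
CP_SUBNET_CIDR="10.0.0.0/25"                    # control plane subnet
PSC_SUBNET_CIDR="10.0.0.128/29"                 # Private Service Connect subnet
WORKER_SUBNET_CIDR="10.0.2.0/23"                # worker subnet
DRY_RUN="${DRY_RUN:-0}"                         # DRY_RUN=1 prints commands instead of running them

# Run gcloud, or print the command when DRY_RUN=1.
gc() { if [ "$DRY_RUN" = "1" ]; then echo "gcloud $*"; else gcloud "$@"; fi; }

# ip4_to_int 10.0.2.0 -> 167772672 (dotted quad to a 32-bit integer)
ip4_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_contains OUTER INNER: exit 0 when INNER lies entirely within OUTER.
cidr_contains() {
  outer_len=${1#*/}; inner_len=${2#*/}
  [ "$inner_len" -ge "$outer_len" ] || return 1
  outer_net=$(ip4_to_int "${1%/*}"); inner_net=$(ip4_to_int "${2%/*}")
  mask=$(( (0xFFFFFFFF << (32 - outer_len)) & 0xFFFFFFFF ))
  [ $(( inner_net & mask )) -eq $(( outer_net & mask )) ]
}

# Refuse to continue if any subnet falls outside the machine CIDR the cluster will be given.
check_ranges() {
  for s in "$CP_SUBNET_CIDR" "$PSC_SUBNET_CIDR" "$WORKER_SUBNET_CIDR"; do
    if ! cidr_contains "$MACHINE_CIDR" "$s"; then
      echo "subnet $s is not within machine CIDR $MACHINE_CIDR" >&2
      return 1
    fi
  done
}

create_network() {
  gc services enable networksecurity.googleapis.com networkservices.googleapis.com servicenetworking.googleapis.com
  gc compute networks create "${PREFIX}-vpc" --subnet-mode=custom
  # Private Google Access lets nodes without public IPs reach the googleapis VIPs.
  gc compute networks subnets create "${PREFIX}-control-plane" --network="${PREFIX}-vpc" \
     --region="$REGION" --range="$CP_SUBNET_CIDR" --enable-private-ip-google-access
  gc compute networks subnets create "${PREFIX}-worker" --network="${PREFIX}-vpc" \
     --region="$REGION" --range="$WORKER_SUBNET_CIDR" --enable-private-ip-google-access
  # Assumption: the PSC subnet is created with the PRIVATE_SERVICE_CONNECT purpose.
  gc compute networks subnets create "${PREFIX}-psc" --network="${PREFIX}-vpc" \
     --region="$REGION" --range="$PSC_SUBNET_CIDR" --purpose=PRIVATE_SERVICE_CONNECT
}

if [ "${1:-}" = "apply" ]; then
  check_ranges
  create_network
fi
```

Run it as `sh create-network.sh apply` after `gcloud auth login` and selecting the project; `DRY_RUN=1 sh create-network.sh apply` shows what would be created. `check_ranges` is deliberately run first so a mismatched machine CIDR fails before any resource exists.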

Deploy a global network firewall policy

  1. Create a global network firewall policy by running the following command:

  2. Associate the newly created global network firewall policy to your VPC you created above by running the following command:

Create a Cloud Router and a Cloud NAT gateway

  1. Reserve an IP address for Cloud NAT by running the following command:

  2. Store the IP address you created above in a variable by running the following command:

  3. Create a Cloud Router by running the following command:

  4. Create a Cloud NAT by running the following command:
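The firewall policy, association, Cloud Router and Cloud NAT steps above, as one added shell example (not the page's own commands). Resource names and the region are assumptions that follow the naming used in this guide. Reserving a static address for Cloud NAT means the cluster's public egress IP is stable, which is what lets external parties allowlist it; the script validates the address it reads back before storing it, and NAT error logging is enabled so dropped or unallocated-port translations are visible.

```shell
#!/bin/sh
# Added example; not the page's own commands. Resource names and the region are
# assumptions that follow the naming used elsewhere in this guide.
set -eu
PREFIX="${PREFIX:-osd-ngfw}"
REGION="${REGION:-us-east1}"
DRY_RUN="${DRY_RUN:-0}"
gc() { if [ "$DRY_RUN" = "1" ]; then echo "gcloud $*"; else gcloud "$@"; fi; }

# Global network firewall policy, then attach it to the VPC created earlier.
create_policy() {
  gc compute network-firewall-policies create "${PREFIX}-policy" --global \
     --description="Egress control for OpenShift Dedicated"
  gc compute network-firewall-policies associations create \
     --firewall-policy="${PREFIX}-policy" --network="${PREFIX}-vpc" \
     --name="${PREFIX}-policy-assoc" --global-firewall-policy
}

# is_ipv4 A.B.C.D: exit 0 only for a well-formed dotted quad.
is_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Reserve a static address so the cluster's egress IP is stable and can be allowlisted
# by external systems; read it back, validate it, and store it in NAT_IP.
reserve_nat_ip() {
  gc compute addresses create "${PREFIX}-nat-ip" --region="$REGION"
  NAT_IP=$(gcloud compute addresses describe "${PREFIX}-nat-ip" --region="$REGION" \
             --format='value(address)')
  is_ipv4 "$NAT_IP" || { echo "unexpected address value: '$NAT_IP'" >&2; return 1; }
  echo "$NAT_IP"
}

create_nat() {
  gc compute routers create "${PREFIX}-router" --network="${PREFIX}-vpc" --region="$REGION"
  gc compute routers nats create "${PREFIX}-nat" --router="${PREFIX}-router" --region="$REGION" \
     --nat-all-subnet-ip-ranges --nat-external-ip-pool="${PREFIX}-nat-ip" \
     --enable-logging --log-filter=ERRORS_ONLY
}

if [ "${1:-}" = "apply" ]; then
  create_policy
  reserve_nat_ip
  create_nat
fi
```

`reserve_nat_ip` always calls `gcloud ... describe` for real, even under `DRY_RUN=1`, because the value it stores is the whole point of that step.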

Create private DNS records for Private Google Access

  1. Create a private DNS zone for the googleapis.com domain by running the following command:

  2. Begin a record set transaction by running the following command:

  3. Stage the DNS records for Google APIs under the googleapis.com domain by running the following command:

    OpenShift Dedicated relies on the Service Usage API (serviceusage.googleapis.com), which is not served by the Private Google Access restricted VIP. To work around this, we expose the Service Usage API through the Private Google Access private VIP. This is the only service exposed through the private VIP in this tutorial; every other googleapis.com name resolves to the restricted VIP.

  4. Apply the staged record set transaction you started above by running the following command:
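The private zone and record-set transaction above, as one added shell example (not the page's own commands). The zone and VPC names are assumptions; the VIP addresses are Google's published ranges (restricted.googleapis.com is 199.36.153.4/30, private.googleapis.com is 199.36.153.8/30). The wildcard CNAME sends every googleapis.com name in the VPC to the restricted VIP, so only the one explicit CNAME for serviceusage.googleapis.com lands on the private VIP. `verify_resolution` is meant to be run from a VM inside the VPC after the transaction executes.

```shell
#!/bin/sh
# Added example; not the page's own commands. Zone and VPC names are assumptions;
# the VIP addresses are Google's published ranges for restricted.googleapis.com
# (199.36.153.4/30) and private.googleapis.com (199.36.153.8/30).
set -eu
PREFIX="${PREFIX:-osd-ngfw}"
DRY_RUN="${DRY_RUN:-0}"
ZONE="${PREFIX}-googleapis"
gc() { if [ "$DRY_RUN" = "1" ]; then echo "gcloud $*"; else gcloud "$@"; fi; }

create_googleapis_zone() {
  gc dns managed-zones create "$ZONE" --dns-name=googleapis.com. --visibility=private \
     --networks="${PREFIX}-vpc" --description="Private Google Access for OSD"
}

# Everything under googleapis.com goes to the restricted VIP; only the Service Usage
# API, which the restricted VIP does not serve, is pointed at the private VIP.
stage_googleapis_records() {
  gc dns record-sets transaction start --zone="$ZONE"
  gc dns record-sets transaction add --zone="$ZONE" --name=restricted.googleapis.com. --type=A --ttl=300 \
     199.36.153.4 199.36.153.5 199.36.153.6 199.36.153.7
  gc dns record-sets transaction add --zone="$ZONE" --name='*.googleapis.com.' --type=CNAME --ttl=300 \
     restricted.googleapis.com.
  gc dns record-sets transaction add --zone="$ZONE" --name=private.googleapis.com. --type=A --ttl=300 \
     199.36.153.8 199.36.153.9 199.36.153.10 199.36.153.11
  gc dns record-sets transaction add --zone="$ZONE" --name=serviceusage.googleapis.com. --type=CNAME --ttl=300 \
     private.googleapis.com.
  gc dns record-sets transaction execute --zone="$ZONE"
}

# vip_for_address ADDR -> restricted | private | none
vip_for_address() {
  case "$1" in
    199.36.153.[4-7]) echo restricted ;;
    199.36.153.8|199.36.153.9|199.36.153.1[01]) echo private ;;
    *) echo none ;;
  esac
}

# verify_resolution HOST EXPECTED: run from a VM inside the VPC; exit 0 when HOST
# resolves to an address on the EXPECTED VIP (restricted or private).
verify_resolution() {
  addr=$(getent hosts "$1" | awk 'NR==1 {print $1}')
  [ "$(vip_for_address "$addr")" = "$2" ]
}

if [ "${1:-}" = "apply" ]; then
  create_googleapis_zone
  stage_googleapis_records
fi
```

After applying, `verify_resolution compute.googleapis.com restricted` and `verify_resolution serviceusage.googleapis.com private` from a node in the VPC confirm both paths; a `none` result usually means the VM is not using the VPC's Cloud DNS resolver.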

Create the Firewall Rules

  1. Create a blanket allow rule for private IP (RFC 1918) address space by running the following command. Note that this rule permits egress to every RFC 1918 range, including any peered or VPN-attached private networks reachable from the VPC; narrow it to the ranges the cluster actually needs if such networks exist.

  2. Create an allow rule for HTTPS (tcp/443) domains required for OpenShift Dedicated by running the following command:

    These domains are sourced from internal documentation. These domains will be published in general documentation when the Private Service Connect feature is released.

  3. Create an allow rule for TCP (tcp/9997) domains required for OpenShift Dedicated by running the following command:

    These domains are sourced from internal documentation. These domains will be published in general documentation when the Private Service Connect feature is released.

  4. Create an allow rule for Private Google Access endpoints by running the following command:

  5. Create a blanket deny rule by running the following command:

    If there is no matching rule that allows the traffic, it will be blocked by the firewall. To allow access to other resources, such as internal networks or other external endpoints, create additional rules with a priority of less than 1000 so that they are evaluated before the deny rule. For more information on how to create firewall rules, see the Cloud NGFW documentation.
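The five rules above, as one added shell example (not the page's own commands). The policy name and rule priorities are assumptions (allow rules at 100 to 400, the deny at 1000, consistent with the guidance that additional rules use a priority below 1000). The OSD domain lists are not reproduced here because the page does not publish them; take them from Red Hat's list and pass them in the two variables. Two practitioner points are built in: every rule is created with logging enabled, because the deny rule's log is how you find an endpoint you missed, and the FQDN rules only match addresses that Cloud DNS resolves for those names, so the cluster must resolve through the VPC's Cloud DNS for them to take effect.

```shell
#!/bin/sh
# Added example; not the page's own commands. Policy name and rule priorities are
# assumptions (allow rules at 100..400, the deny at 1000). The OSD FQDN lists are
# not reproduced here: take them from Red Hat's published list and set the two
# variables below (comma-separated) before running with "apply".
set -eu
PREFIX="${PREFIX:-osd-ngfw}"
POLICY="${PREFIX}-policy"
DRY_RUN="${DRY_RUN:-0}"
OSD_HTTPS_FQDNS="${OSD_HTTPS_FQDNS:-}"     # OSD endpoints reached over tcp/443
OSD_TCP9997_FQDNS="${OSD_TCP9997_FQDNS:-}" # OSD endpoints reached over tcp/9997
gc() { if [ "$DRY_RUN" = "1" ]; then echo "gcloud $*"; else gcloud "$@"; fi; }

# rule PRIORITY ACTION DESCRIPTION [match flags...]: one logged egress rule in the policy.
rule() {
  priority=$1; action=$2; desc=$3; shift 3
  gc compute network-firewall-policies rules create "$priority" --firewall-policy="$POLICY" \
     --global-firewall-policy --direction=EGRESS --action="$action" --description="$desc" \
     --enable-logging "$@"
}

# Additional allow rules must sort before the deny at 1000 (lower number = evaluated first).
priority_ok() { [ "$1" -ge 0 ] && [ "$1" -lt 1000 ]; }

create_rules() {
  if [ -z "$OSD_HTTPS_FQDNS" ] || [ -z "$OSD_TCP9997_FQDNS" ]; then
    echo "set OSD_HTTPS_FQDNS and OSD_TCP9997_FQDNS from Red Hat's OSD egress list" >&2
    return 1
  fi
  # 1. RFC 1918 (also reaches peered/VPN private networks; narrow if you have any).
  rule 100 allow "RFC 1918 private address space" \
       --dest-ip-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 --layer4-configs=all
  # 2./3. FQDN objects: matched against the addresses Cloud DNS resolves for these names.
  rule 200 allow "OSD endpoints over tcp/443" --dest-fqdns="$OSD_HTTPS_FQDNS" --layer4-configs=tcp:443
  rule 300 allow "OSD endpoints over tcp/9997" --dest-fqdns="$OSD_TCP9997_FQDNS" --layer4-configs=tcp:9997
  # 4. Private Google Access VIPs (restricted and private).
  rule 400 allow "Private Google Access VIPs" \
       --dest-ip-ranges=199.36.153.4/30,199.36.153.8/30 --layer4-configs=tcp:443
  # 5. Default deny; its log entries are what reveal an endpoint missing from the allow lists.
  rule 1000 deny "Deny all other egress" --dest-ip-ranges=0.0.0.0/0 --layer4-configs=all
}

# Show the rules in evaluation order to confirm nothing you add sorts after the deny.
show_rules() {
  gcloud compute network-firewall-policies describe "$POLICY" --global --format='yaml(rules)'
}

if [ "${1:-}" = "apply" ]; then
  create_rules
  show_rules
fi
```

When you later add a rule for an internal network or another external endpoint, check its priority with `priority_ok` (or simply keep it below 1000); a rule numbered above the deny is never reached.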

You are now ready to deploy your cluster following the OpenShift Dedicated documentation.

© 2023 Red Hat, Inc.