2

Is there a way to geo-block China from connecting to my GCP VMs?

I see this item in my billing:

Network Internet Egress from Americas to China

Can I block the whole lot?

Is there a way to investigate what kind of IPs are connecting? (I know you can add logging rules to the GCP firewall but I am fuzzy on the details.)

If none of the above is possible - is there a public list of rules for Linux firewalls (CentOS 8) to block IPs by countries?

3 Answers

1

You can use Cloud Armor Network Security ($$$), or opt to download all the IP addresses/ranges for China (using a country IP database range provider; there are many on the internet) and deny all the source IP ranges using a GCP VPC firewall rule or policy (FREE). Both options are very simple to do.
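A sketch of the free route described in this answer, added here as an example and not part of the original answer: it parses a downloaded list of CIDR ranges, merges overlapping and adjacent entries, and prints batched `gcloud compute firewall-rules create` deny commands with `--enable-logging` so blocked connections can be inspected afterwards. The sample ranges are constructed documentation addresses, and the network name, rule prefix, priority and batch size are assumptions to adjust.

```python
import ipaddress
import shlex

# Constructed sample input: RFC 5737 documentation ranges standing in for a
# downloaded country list (one CIDR per line). Not real country data.
SAMPLE_LIST = """\
# constructed sample
198.51.100.0/25
198.51.100.128/25
203.0.113.0/24
203.0.113.64/26
192.0.2.10
not-a-cidr
"""

def parse_ranges(text):
    """Return (merged IPv4 networks, rejected lines) from a CIDR list."""
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)  # keep malformed entries for review
            continue
        if net.version == 4:  # this sketch handles IPv4 only
            nets.append(net)
    # collapse_addresses merges adjacent ranges and drops contained subnets
    return list(ipaddress.collapse_addresses(nets)), rejected

def gcloud_commands(nets, direction="INGRESS", network="default",
                    prefix="deny-geo", base_priority=900, per_rule=256):
    """Build one deny rule per batch. per_rule is an assumed batch size; the
    priority must be a lower number than the allow rules it should override."""
    flag = "--source-ranges" if direction == "INGRESS" else "--destination-ranges"
    cmds = []
    for n, i in enumerate(range(0, len(nets), per_rule)):
        ranges = ",".join(str(net) for net in nets[i:i + per_rule])
        cmds.append(shlex.join([
            "gcloud", "compute", "firewall-rules", "create", f"{prefix}-{n}",
            f"--network={network}", f"--direction={direction}", "--action=DENY",
            "--rules=all", f"--priority={base_priority + n}",
            f"{flag}={ranges}", "--enable-logging"]))
    return cmds

if __name__ == "__main__":
    merged, bad = parse_ranges(SAMPLE_LIST)
    print("rejected:", bad)
    print("\n".join(gcloud_commands(merged, per_rule=2)))
```

Passing `direction="EGRESS"` produces rules keyed on destination ranges, which is the direction the billing line in the question refers to.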

1

You can now do this with a firewall rule in the firewall policies that were introduced with the release of GCP Next Generation Firewall (NGFW). No need to manually maintain IP lists.

firewall rule by geolocation