Firewall rules

CDP requires that you pre-create a set of firewall rules allowing your organization SSH and UI access to CDP and allowing internal communication between CDP components. CDP does not offer an option to create these firewall rules for you.

You have two options:

Table 1. Firewall rule options

Option 1: You create all required firewall rules at the VPC level.
  • VPC types supported: per-project VPC, shared VPC.
  • During environment registration: you do not provide the rules to CDP; that is, you select "Do not create firewall rule".

Option 2: You create the intra-VPC firewall rule at the VPC level, then create the firewall rules for SSH and UI access via the security access mechanism in the Google Cloud UI.
  • VPC type supported: per-project VPC.
  • During environment registration: select the firewall rules created for SSH and UI access.
  • If you need to create additional firewall rules (for example, if you are not planning to use CCM and you need to open ports 9443 and 443 for CDP), create these at the VPC level.

Firewall rule requirements

The firewall rules that you add should:

  • Allow the instances in the VPC to connect with each other using the TCP and UDP protocols on any port. To achieve this, add a TCP/UDP rule whose source is set to the subnet IP range. This is required for internal communication within the VPC. As an example, see the intravpcconnection firewall rule, which is set to the subnet IP range (10.0.0.0/16) in the following screenshot.
  • Open ports 22 and 443 to allow access from your organization's CIDR.
  • If not using CCM, also open port 9443 to allow access from the CDP CIDR.
  • If not using CCM, also open port 443 to allow access from the CDP CIDR. This is required for the gateway nodes.
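The following Terraform configuration is an added example, not code from the Cloudera documentation, showing one way to create the rules listed above at the VPC level (Option 1). The network name "cdp-vpc", the organization CIDR 203.0.113.0/24 and the CDP CIDR 198.51.100.0/24 are placeholder values you must replace; the subnet range 10.0.0.0/16 is the one shown on this page. The two rules for the CDP CIDR are created only when use_ccm is false, matching the "If not using CCM" conditions.

```hcl
# Added example (not Cloudera's code): GCP firewall rules for a CDP environment.
# Values marked "placeholder" are assumptions and must be replaced.
variable "network"     { default = "cdp-vpc" }         # placeholder: your VPC network name
variable "subnet_cidr" { default = "10.0.0.0/16" }     # subnet IP range, as shown on this page
variable "org_cidr"    { default = "203.0.113.0/24" }  # placeholder: your organization's CIDR
variable "cdp_cidr"    { default = "198.51.100.0/24" } # placeholder: CDP CIDR
variable "use_ccm"     { default = true }              # set to false if you are not using CCM

# Requirement 1: instances inside the VPC may talk to each other over TCP and UDP
# on any port. The source is the subnet range only, not 0.0.0.0/0.
resource "google_compute_firewall" "intravpc" {
  name          = "intravpcconnection"
  network       = var.network
  direction     = "INGRESS"
  source_ranges = [var.subnet_cidr]

  allow {
    protocol = "tcp" # no "ports" attribute means all ports
  }
  allow {
    protocol = "udp"
  }
}

# Requirement 2: SSH (22) and UI (443) access from your organization's CIDR only.
resource "google_compute_firewall" "org_ssh_ui" {
  name          = "cdp-org-ssh-ui-access"
  network       = var.network
  direction     = "INGRESS"
  source_ranges = [var.org_cidr]

  allow {
    protocol = "tcp"
    ports    = ["22", "443"]
  }
}

# Requirements 3 and 4: only when CCM is not used, open 9443 and 443 (gateway
# nodes) to the CDP CIDR. count = 0 skips the rule entirely when CCM is in use.
resource "google_compute_firewall" "cdp_control_plane" {
  count         = var.use_ccm ? 0 : 1
  name          = "cdp-control-plane-access"
  network       = var.network
  direction     = "INGRESS"
  source_ranges = [var.cdp_cidr]

  allow {
    protocol = "tcp"
    ports    = ["443", "9443"]
  }
}
```

Each rule names a specific source range, so none of them exposes port 22 or 443 to the whole internet; if you later widen source_ranges for troubleshooting, check with `gcloud compute firewall-rules list --filter="sourceRanges:0.0.0.0/0"` that the change was reverted.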