Change firewall rules using Terraform and Cloud Shell

Lab | 1 hour 30 minutes | 2 credits | Introductory
IMPORTANT:

Make sure to complete this hands-on lab on a desktop/laptop only.

There are only 5 attempts permitted per lab.

As a reminder, it is common to not get every question correct on your first try, and even to need to redo a task; this is part of the learning process.

Once a lab is started, the timer cannot be paused. After 1 hour and 30 minutes, the lab will end and you’ll need to start again.

For more information, review the Lab technical tips reading.

Activity overview

Firewall rules play a crucial role in cloud network security because they control which traffic is allowed to enter and leave your cloud environment. Cloud networking is complex and changes constantly: organizations' needs change, cloud resources are added or removed, and new vulnerabilities are discovered. This means that you'll need to continually adjust and maintain the configuration of your firewall rules to adapt to these changes.

Tracking and managing critical updates in your cloud environment can be challenging. Luckily, you can manage the configuration of your cloud resources by leveraging infrastructure as code (IaC). IaC is the practice of provisioning and managing infrastructure through reusable, machine-readable configuration files rather than manual console changes. It can be used to automate workflows such as updating firewall rules.

Terraform and Cloud Shell make it easy to manage and update firewall rules efficiently. By writing desired firewall rules in Terraform configuration files and executing Terraform commands in Cloud Shell, you can ensure that your network security policies remain consistent and version-controlled. This approach will help you maintain and track changes over time.

In this lab, you'll learn how to clone a Terraform repository and deploy a VPC network and a firewall rule.

Scenario

Cymbal Bank's new banking application is ready to be deployed. It needs to be hosted on a Virtual Private Cloud (VPC). Your team lead, Chloe, would like to define and provision the application's network infrastructure using Terraform. Terraform can be used to securely provision cloud infrastructure in a way that's repeatable and consistent. This way, you can easily and quickly make any required changes. You have been tasked with using Terraform to create a network and firewall rules.

Here’s how you'll do this task: First, you’ll activate the Cloud Shell. Then, you’ll clone the Terraform repo. Finally, you’ll deploy the VPC network and firewall.

Setup

Before you click Start Lab

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This practical lab lets you do the activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito or private browser window to run this lab. This prevents conflicts between your personal account and the Student account, which could cause extra charges to be incurred on your personal account.
  • Time to complete the lab. Remember, once you start, you cannot pause a lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

How to start your lab and sign in to the Google Cloud console

  1. Click the Start Lab button. On the left is the Lab Details panel with the following:

    • Time remaining
    • The Open Google Cloud console button
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
    Note: If you need to pay for the lab, a pop-up opens for you to select your payment method.
  2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window) if you are running the Chrome browser. The Sign in page opens in a new browser tab.

    Tip: You can arrange the tabs in separate, side-by-side windows to easily switch between them.

    Note: If the Choose an account dialog displays, click Use Another Account.
  3. If necessary, copy the Google Cloud username below and paste it into the Sign in dialog. Click Next.

{{{user_0.username | "Google Cloud username"}}}

You can also find the Google Cloud username in the Lab Details panel.

  4. Copy the Google Cloud password below and paste it into the Welcome dialog. Click Next.
{{{user_0.password | "Google Cloud password"}}}

You can also find the Google Cloud password in the Lab Details panel.

Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  5. Click through the subsequent pages:
    • Accept the terms and conditions
    • Do not add recovery options or two-factor authentication (because this is a temporary account)
    • Do not sign up for free trials

After a few moments, the Console opens in this tab.

Note: You can view the menu with a list of Google Cloud Products and Services by clicking the Navigation menu at the top-left.

Task 1. Clone the Terraform repo

In this task, you'll clone the Terraform example repository using the Cloud Shell terminal. The Terraform example contains the configuration file, which you'll use to provision the firewall rules.

  1. In the Google Cloud console, click Activate Cloud Shell.
  2. Click Continue.

It should only take a few moments to provision and connect to the Cloud Shell environment.

  3. Copy the following command into the Cloud Shell terminal:
cloudshell_open --repo_url "https://github.com/terraform-google-modules/docs-examples.git" --print_file "./motd" --dir "firewall_basic" --page "editor" --tutorial "./tutorial.md" --open_in_editor "main.tf" --force_new_clone

This command clones the Terraform example directory.

  4. Press ENTER.

This command performs the following actions:

  • Clones the docs-examples repository from the terraform-google-modules GitHub organization into ~/cloudshell_open (--force_new_clone discards any earlier clone of the same repository).
  • Prints the contents of the motd file to the terminal.
  • Switches to the firewall_basic directory.
  • Opens the Cloud Shell Editor and loads tutorial.md in the tutorial panel.
  • Opens main.tf in the Cloud Shell Editor.

Once the cloning is complete, you’ll be at the ~/cloudshell_open/docs-examples/firewall_basic location in the terminal. Your Cloud Shell prompt should display similar output to the following example:

student_01_c2e095df84e2@cloudshell:~/cloudshell_open/docs-examples/firewall_basic (qwiklabs-gcp-04-fde36f013e65)$
  5. Copy the following command into the Cloud Shell terminal to list the contents of the directory:
ls

You should see the four files that were cloned: backing_file.tf, main.tf, motd, and tutorial.md.

  6. Copy the following command into the Cloud Shell terminal to examine the configuration of the firewall rule:
cat main.tf
  7. Press ENTER.

The main.tf file is the configuration file that defines the resources Terraform will create. It declares two resources: a google_compute_firewall rule named test-firewall-${local.name_suffix} that allows ICMP and TCP traffic on ports 80, 8080, and 1000-2000, and a google_compute_network VPC named test-network-${local.name_suffix}. local.name_suffix is a Terraform local value, defined alongside main.tf in backing_file.tf, that appends a randomly generated suffix so that resource names are unique. Because that suffix is itself produced by a resource, terraform apply will report three resources created rather than two.
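As an added example (this is not the lab repository's main.tf, whose full text is not reproduced on this page), the following Terraform configuration shows a rule with exactly the allows described above, next to a tightened version of the same rule that a practitioner would prefer for a banking application, plus an explicit logged deny. It assumes that local.name_suffix is defined in another file in the same directory, as it is in the lab; the source IP ranges, the web tag and the resource labels permissive, hardened and deny_all_ingress are placeholder values chosen for the illustration.

```hcl
# Added example; not the lab's own main.tf. Assumes local.name_suffix is
# declared in another .tf file in the same directory (backing_file.tf in the lab).

# Auto-mode network: Google Cloud creates one subnet per region automatically.
resource "google_compute_network" "example" {
  name = "test-network-${local.name_suffix}"
}

# 1) Permissive rule with the allows the lab describes: ICMP plus TCP 80,
#    8080 and 1000-2000. It names no sources and no targets, so it admits
#    those ports from any IPv4 address (0.0.0.0/0) to every instance in
#    the network.
resource "google_compute_firewall" "permissive" {
  name    = "test-firewall-${local.name_suffix}"
  network = google_compute_network.example.name

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "1000-2000"]
  }
}

# 2) Hardened equivalent: same protocols and ports, but sources are pinned
#    to known ranges, only instances tagged "web" are exposed, the direction
#    is explicit, and matches are logged to Cloud Logging.
resource "google_compute_firewall" "hardened" {
  name      = "test-firewall-web-${local.name_suffix}"
  network   = google_compute_network.example.name
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "1000-2000"]
  }

  # Assumed values: a corporate range (TEST-NET-3) and Google's load-balancer
  # and health-check ranges. Replace with the sources you actually need.
  source_ranges = ["203.0.113.0/24", "130.211.0.0/22", "35.191.0.0/16"]
  target_tags   = ["web"]

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# 3) The VPC already has an implied deny-all ingress rule at priority 65535,
#    but it is not logged. An explicit deny just above it makes rejected
#    connection attempts visible in Cloud Logging.
resource "google_compute_firewall" "deny_all_ingress" {
  name      = "deny-all-ingress-${local.name_suffix}"
  network   = google_compute_network.example.name
  direction = "INGRESS"
  priority  = 65534

  deny {
    protocol = "all"
  }

  source_ranges = ["0.0.0.0/0"]

  log_config {
    metadata = "EXCLUDE_ALL_METADATA"
  }
}
```

To change a rule, edit the allow blocks, the source_ranges list or the target_tags and run terraform plan followed by terraform apply. Terraform updates the existing rule in place (only a change to name forces a replacement), and the plan prints the exact attribute diff, so a reviewer can see precisely which ports or sources are being opened before anyone types yes.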

Task 2. Deploy the VPC network and firewall

In this task, you'll deploy a new VPC network and a new firewall rule. This task provides hands-on experience with building a VPC network and subnets.

Note: Run the following commands in sequence in the Cloud Shell terminal.
  1. Copy the following command into the Cloud Shell terminal.
export GOOGLE_CLOUD_PROJECT={{{project_0.project_id | Project ID}}}

This command sets the project ID.

  2. Press ENTER.

  3. Copy the following command into the Cloud Shell terminal:

terraform init

This command initializes the working directory: it downloads the provider plugins the configuration declares and prepares Terraform to track state for these resources.

  4. Press ENTER.

The output should return a message stating that Terraform has been successfully initialized. Take a moment to examine the output, which lists the providers that were installed. Initialization itself creates no cloud resources; the firewall rule and VPC network are created only when you apply the configuration in the following steps.

  5. Once the initialization is complete, copy the following command into the Cloud Shell terminal:
terraform apply

This command builds an execution plan, lists the resources Terraform will create, and waits for your confirmation before changing anything. Review the plan before confirming; for a firewall rule, check the allowed protocols and ports and the sources the rule admits.

  6. Press ENTER.
Note: If an Authorize Cloud Shell dialog box appears, click Authorize to grant permission to use your credentials for the gcloud command.
  7. Terraform prompts you to Enter a value. Type "yes", and press ENTER.

This will start creating the VPC network and firewall rules.

Once it’s completed, the output should return the following message:

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

This means that the VPC and firewall have been successfully deployed.

Click Check my progress to verify that you have completed this task correctly.

Task 3. Verify the deployment of the resources

In this task, you'll verify that the newly created VPC and firewall rules have been successfully deployed.

  1. In the Google Cloud console, from the Navigation menu, select VPC network > VPC networks. The VPC networks page opens.
  2. You should notice two VPC networks, default and the newest one you just created, test-network. Click test-network to access the VPC network details.
  3. Click Firewalls and use the expand arrow to expand vpc-firewall-rules. Under Protocols and ports you should see tcp:80, 1000-2000, 8080 and icmp, and under Action you should see Allow, matching the rule defined in the configuration file.
Note: To ensure that resource names are unique, both the test-network and test-firewall names are appended with a generated identifier, for example test-network-curly-penguin. This identifier comes from the ${local.name_suffix} local value defined in the configuration, which prevents naming conflicts when the same configuration is applied more than once.

Conclusion

Great work!

You've successfully built a VPC network and a firewall rule using Terraform and Cloud Shell. This lab provides the foundation for developing automated, repeatable network configurations that system administrators can apply with Terraform.

By creating the VPC network and firewall rule from a configuration file, you have seen how infrastructure as code lets you automate the provisioning and modification of firewall rules. Keeping the rules in version-controlled files establishes consistency across environments and reduces the chance of human error.

End your lab

Before you end the lab, make sure you’re satisfied that you’ve completed all the tasks. When you're ready, click End Lab and then click Submit.

Ending the lab will remove your access to the lab environment, and you won’t be able to access the work you've completed in it again.

Copyright 2024 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.