How to add a firewall rule per country in google cloud?
I need to allow my traffic just from my country. How can I do it? I know that I can create a rule specifying the IP range, but there are more than 1600 IP ranges to add. Is there any "easy" way?
Solution 1:
Google Cloud VPC Firewall rules do not support geolocation.
To enable geolocation-based blocking you have several options:
- Implement a third-party software solution.
- Deploy a Google Cloud HTTP(S) Load Balancer and Cloud Armor.
Interesting article on third-party add-ons:
How to Block IPs from Countries using Iptables Geoip Addons
Google Cloud Armor supports ISO 3166-1 country codes for geolocation-based rules (deny/allow).
Cloud Armor: Allow or deny traffic from a specific region
Your question mentions more than 1600 IP ranges. Internet routing changes by the second and IP addresses can be remapped from one side of the world to another effortlessly today via BGP. As soon as you created a rule set, it would be incorrect quickly.
I do not recommend geolocation-based blocking. VPNs hide the true source of traffic. During Internet outages, traffic can be rerouted. If your goal is to block traffic from bad actors, subscribe to an IP-based rules list and block specific IP addresses for 24 hours and then refresh the rules list. If someone wants to access a geoblocked site, it takes about five minutes to georelocate traffic and defeat your blocking.
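As an added example (not part of the answer above), here is a shell script that builds the Cloud Armor setup the answer describes: one allow rule keyed on Cloud Armor's `origin.region_code` attribute (ISO 3166-1 alpha-2) plus a default deny, then attaches the policy to a backend service behind the HTTP(S) Load Balancer. The policy name `geo-allow-only`, backend service `web-backend` and country code `BR` are assumed placeholders; the script prints the commands unless called with `apply`.

```shell
#!/usr/bin/env sh
# Added example: allow only one country with Cloud Armor, deny everything else.
# Assumed placeholder names: policy "geo-allow-only", backend "web-backend".

# Emit the gcloud commands for a single allow-country policy.
# $1 = policy name, $2 = ISO 3166-1 alpha-2 country code, $3 = backend service
geo_policy_cmds() {
  policy="$1"; country="$2"; backend="$3"
  cat <<EOF
gcloud compute security-policies create "$policy" --description "Allow only $country"
gcloud compute security-policies rules create 1000 --security-policy "$policy" --expression "origin.region_code == '$country'" --action allow --description "allow $country"
gcloud compute security-policies rules update 2147483647 --security-policy "$policy" --action deny-403
gcloud compute backend-services update "$backend" --security-policy "$policy" --global
EOF
}

# Reject anything that is not a two-letter upper-case country code, so a typo
# like "Brazil" never becomes a rule that matches nothing (and denies everyone).
is_alpha2() {
  case "$1" in
    [A-Z][A-Z]) return 0 ;;
    *) return 1 ;;
  esac
}

# Dry run by default (prints the commands); pass "apply" as $4 to execute them.
# Priority 1000 is evaluated before the default rule (priority 2147483647),
# so matching requests are allowed and all others hit deny-403.
apply_geo_policy() {
  policy="$1"; country="$2"; backend="$3"; mode="${4:-dry-run}"
  is_alpha2 "$country" || { echo "bad country code: $country" >&2; return 1; }
  if [ "$mode" = "apply" ]; then
    geo_policy_cmds "$policy" "$country" "$backend" | sh
  else
    geo_policy_cmds "$policy" "$country" "$backend"
  fi
}

# Example invocation (dry run): apply_geo_policy geo-allow-only BR web-backend
```

Note that the answer's caveat still applies: Cloud Armor's country lookup is a best-effort geolocation of the client IP, so VPN or rerouted traffic will be classified by wherever it exits.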