Remove default firewall rule from single Google Compute Engine

There are 4 "default" firewall rules defined.

I only want to disable the specific default-allow-ssh rule for a specific host.

For some reason I don't see the tag default-allow-ssh in gcloud compute instances describe $VM:

tags:
  fingerprint: ioTF8nBLmIk=
  items:
  - allow-tcp-443
  - allow-tcp-80

I checked the rule definition:

gcloud compute firewall-rules describe default-allow-ssh

allowed:
- IPProtocol: tcp
  ports:
  - '22'
description: Allow SSH from anywhere
direction: INGRESS
disabled: false
kind: compute#firewall
name: default-allow-ssh
network: https://www.googleapis.com/compute/v1/projects/.../global/networks/default
priority: 65534
selfLink: https://www.googleapis.com/compute/v1/projects/.../global/firewalls/default-allow-ssh
sourceRanges:
- 0.0.0.0/0

I see no targetTags or sourceTags in the definition. Does that mean that the rule is applied to the entire project and can't be disabled per host?

Yes, you can find more information about the default firewall rules here.

The best practice is to make this rule less permissive by using tags or source IPs, but you can also create another rule that denies SSH traffic to specific VMs using tags, perhaps only allowing SSH from a bastion host.
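To show why a rule without targetTags hits every instance and how a tag-scoped deny plus a bastion allow override it, here is an added simulation of GCE ingress evaluation (lowest priority number wins, deny beats allow at equal priority, unmatched traffic falls to the implied deny). This is example code, not from the question, the answer or Google; the rule set, tag name no-ssh, bastion range 10.0.1.0/24 and source addresses are constructed.

```python
"""Simulate GCE ingress firewall evaluation for one instance (constructed data)."""
import ipaddress

# Fields mirror `gcloud compute firewall-rules describe` output; values are constructed.
RULES = [
    # The page's default-allow-ssh: no targetTags, so it matches every instance on the network.
    {"name": "default-allow-ssh", "priority": 65534, "action": "allow",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": [], "ports": {"tcp": [22]}},
    # Hypothetical deny scoped to tag no-ssh; the lower number makes it win over 65534.
    # Equivalent: gcloud compute firewall-rules create deny-ssh-tagged --direction=INGRESS \
    #   --action=DENY --rules=tcp:22 --target-tags=no-ssh --priority=1000 --source-ranges=0.0.0.0/0
    {"name": "deny-ssh-tagged", "priority": 1000, "action": "deny",
     "sourceRanges": ["0.0.0.0/0"], "targetTags": ["no-ssh"], "ports": {"tcp": [22]}},
    # Hypothetical bastion allow, numbered below the deny so it is evaluated first.
    {"name": "allow-ssh-from-bastion", "priority": 900, "action": "allow",
     "sourceRanges": ["10.0.1.0/24"], "targetTags": ["no-ssh"], "ports": {"tcp": [22]}},
]


def rule_matches(rule, instance_tags, src_ip, proto, port):
    """A rule applies when its target tags (if any) intersect the instance tags,
    the source address is inside one of its sourceRanges, and proto/port match."""
    if rule["targetTags"] and not set(rule["targetTags"]) & set(instance_tags):
        return False
    src = ipaddress.ip_address(src_ip)
    if not any(src in ipaddress.ip_network(r) for r in rule["sourceRanges"]):
        return False
    return port in rule["ports"].get(proto, [])


def evaluate(rules, instance_tags, src_ip, proto="tcp", port=22):
    """Return (action, rule_name): ascending priority, deny before allow on ties,
    and the implied ingress deny when nothing matches."""
    for rule in sorted(rules, key=lambda r: (r["priority"], r["action"] != "deny")):
        if rule_matches(rule, instance_tags, src_ip, proto, port):
            return rule["action"], rule["name"]
    return "deny", "implied-deny-ingress"


if __name__ == "__main__":
    # The asker's VM carries only allow-tcp-443/allow-tcp-80, so SSH from anywhere is allowed.
    print(evaluate(RULES, ["allow-tcp-443", "allow-tcp-80"], "203.0.113.5"))
    # After `gcloud compute instances add-tags $VM --tags=no-ssh`, the internet is denied
    # while the bastion range still gets through.
    print(evaluate(RULES, ["allow-tcp-443", "no-ssh"], "203.0.113.5"))
    print(evaluate(RULES, ["no-ssh"], "10.0.1.7"))
```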