
Identifying orphaned firewall rules on Google Cloud

If you have a large enough deployment on Google Cloud using Shared VPC, it’s easy to lose track of which firewall rules actually apply to your environment. Here is how I’ve solved the orphaned firewall rules problem.

(Image courtesy of Information Age)

Often it’s easier to manage the entire firewall configuration from a single host project with Shared VPCs.

As of today, there’s no easy way to list the rules that are not applied to any instance in the network. When you reach the limit on the number of firewall rules, you need to find all of these unused/orphaned rules so you can clean them up.

The gcp-discover-orphaned-firewall-rules tool will help you identify the orphaned firewall rules.

How it works:

This tool takes the host project ID and finds all the Shared VPC service projects linked to that host project. It then fetches all the firewall rules of the host project (ingress rules only) and uses them to build a new list from which active rules will be eliminated.

For each project (including the host project) it discovers the VM instances and looks for network tags and service accounts that match the target tags of the firewall rules in the list. If there is a match, the rule is removed from the elimination list. The list is then passed on to the next project, and once every project has been iterated over, what remains is the list of orphaned firewall rules.

The list is printed to the screen in a tabular format and also written to a CSV file.

This tool does not delete any firewall rule: you should either delete them manually or feed the CSV file to a script you write for deleting the rules.
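The elimination pass described above, as an added Go example that is not the tool’s own code: it runs over constructed in-memory rules and instances instead of the Compute API, and it treats both target tags and target service accounts as matches (the tool’s own log output shows it listing only TargetTags rules).

```go
package main

import "sort"

// Constructed stand-ins for the Compute API fields the tool reads.
type FirewallRule struct {
	Name, Direction       string   // Direction: "INGRESS" or "EGRESS"
	TargetTags            []string // network tags the rule targets
	TargetServiceAccounts []string // service accounts the rule targets
}
type Instance struct {
	Name, ServiceAccount string
	Tags                 []string
	Running              bool
}
// OrphanedRules is the elimination the post describes: every targeted ingress rule
// starts on the list and comes off it once any instance, in any project, carries one
// of its target tags or runs as one of its target service accounts (onlyRunning: --running).
func OrphanedRules(rules []FirewallRule, projects map[string][]Instance, onlyRunning bool) []string {
	seenTag, seenSA := map[string]bool{}, map[string]bool{} // seen on eligible instances
	for _, instances := range projects {
		for _, in := range instances {
			if onlyRunning && !in.Running {
				continue
			}
			for _, t := range in.Tags {
				seenTag[t] = true
			}
			seenSA[in.ServiceAccount] = true
		}
	}
	var orphans []string
	for _, r := range rules {
		if r.Direction != "INGRESS" || len(r.TargetTags)+len(r.TargetServiceAccounts) == 0 {
			continue // egress and untargeted (apply-to-all) rules are out of scope
		}
		active := false
		for _, t := range r.TargetTags {
			active = active || seenTag[t]
		}
		for _, sa := range r.TargetServiceAccounts {
			active = active || seenSA[sa]
		}
		if !active {
			orphans = append(orphans, r.Name)
		}
	}
	sort.Strings(orphans)
	return orphans
}
```

A stopped VM still keeps its rules alive unless --running is given, which is exactly the case where the two modes disagree.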

How to install:

Download the binary or clone the repo:

git clone git@github.com:doitintl/gcp-discover-orphaned-firewall-rules.git
cd gcp-discover-orphaned-firewall-rules
go mod download
go run main.go

Authentication to Google Cloud

This project uses Google Application Default Credentials (ADC).

You can either log in from the terminal with the following command, using your default gcloud setup:

gcloud auth application-default login

Or use a service account key by setting the following environment variable:

export GOOGLE_APPLICATION_CREDENTIALS="/path/to/[FILE_NAME].json"

How to run

Available flags:

--debug         Set log level
--host string   Host Project ID <Required>
--running       Filter only running VM instances

Example run against a host project:

./discover-orphaned-rules-darwin-amd64 --host=host-project-123ewquiyt

INFO[2019-06-12T12:57:54+03:00] creating a new Compute API client
INFO[2019-06-12T12:57:54+03:00] host project: host-project-123ewquiyt
INFO[2019-06-12T12:57:56+03:00] firewall Rules for host project: host-project-123ewquiyt
INFO[0001] listing only TargetTags rules...
INFO[0001] number of TargetTags Rules: 3
INFO[2019-06-12T12:57:56+03:00] child project: deleted-project-1268522
WARN[0001] error listing VM instances googleapi: Error 404: Failed to find project deleted-project-1268522, notFound
WARN[2019-06-12T12:57:56+03:00] Could not check project deleted-project-1268522 for orphaned rules: googleapi: Error 404: Failed to find project deleted-project-1268522, notFound
INFO[2019-06-12T12:57:56+03:00] child project: resource-project-12iuyt2854
INFO[0001] making a list of orphaned rules with all rules (active rules will be removed from it)
resource-project-12iuyt2854, ghost
resource-project-12iuyt2854, instance-target-demo-rule
resource-project-12iuyt2854, real-rule
INFO[0001] looking for orphaned rules in project..
INFO[0001] remove active rule from orphans list: instance-target-demo-rule
INFO[0001] 2 potential orphaned firewall rules to evalute...
INFO[2019-06-12T12:57:56+03:00] child project: resource-2-23ouyrwe9
INFO[0002] making a list of orphaned rules with all rules (active rules will be removed from it)
resource-2-23ouyrwe9, ghost
ami-resource-2-23ouyrwe9, instance-target-demo-rule
ami-resource-2-23ouyrwe9, real-rule
INFO[0002] looking for orphaned rules in project..
INFO[0002] remove active rule from orphans list: instance-target-demo-rule
INFO[0002] 2 potential orphaned firewall rules to evalute...
INFO[2019-06-12T12:57:57+03:00] generating CSV file for orphaned rules...
INFO[0002] creating a new CSV file: orphaned-rules.csv
INFO[2019-06-12T12:57:57+03:00] done!

This will also generate a CSV file listing each orphaned rule and its target tags:

rule-name,rule-tags
ghost,dead
real-rule,"real-1,real2,real-3"

Want more stories? Check our blog, or follow Ami on Twitter.
