About
Northwestern IT maintains a Google Cloud Platform (GCP) Project in our organization that contains a Virtual Private Cloud (VPC) network with attached VPN connections to campus networks.
This VPC has a private address space of [10.29.0.0/24] and is an extension of the Northwestern network by way of the VPN attachments. This VPC can be shared to other GCP Projects to facilitate private connectivity from a GCP Project to the campus network.
In addition to maintaining the VPC itself, the Cloud Operations team has also implemented a set of default VPC firewall rules using network tags.
References
More information on VPC firewall rules: https://cloud.google.com/firewall/docs/firewalls
More information on managing network tags: https://cloud.google.com/vpc/docs/add-remove-network-tags
VPC Firewall Rules
The default firewall rulesets contain a `deny-all` to block all traffic to cloud resources except for those with specific network tags. Each ruleset can be configured for multiple ports and protocols.
Default Rules:
- allow-https:
- Port(s): 443
- Protocol(s): TCP
- Source: 0.0.0.0/0 (All)
- Network Tag: https
- allow-http:
- Port(s): tcp:80
- Source: 0.0.0.0/0 (All)
- Network Tag: http
- allow-rdp:
- Port(s): tcp:3389, udp:3389
- Source: 10.120.0.0/16 (Northwestern Global Protect)
- Network Tag: rdp
- allow-ssh:
- Port(s): tcp:22
- Source: 10.120.0.0/16 (Northwestern Global Protect)
- Network Tag: rdp
Requesting Access and Rules
The Northwestern Shared VPC network is not shared to GCP Projects by default. To request that the VPC be shared to your Project, or if you need a new firewall ruleset, please email your request to servicedesk@northwestern.edu with #cloudops in the email subject line to assign the ticket to the Cloud Operations team.