Chapter 3. Tutorial: Limit egress with Google Cloud Next Generation Firewall


Use this guide to implement egress restrictions for OpenShift Dedicated on Google Cloud by using Google Cloud’s Next Generation Firewall (NGFW). NGFW is a fully distributed firewall service that allows fully qualified domain name (FQDN) objects in firewall policy rules. This is necessary because many of the external endpoints that OpenShift Dedicated relies on do not have stable IP addresses that could be allowlisted directly.

Important

The ability to restrict egress traffic using a firewall or other network device is only supported with OpenShift Dedicated clusters deployed using Private Service Connect (PSC). Clusters that do not use PSC require a support exception to use this functionality. For additional assistance, please open a support case.

3.1. Reviewing your prerequisites

  • You have the Google Cloud Command Line Interface (gcloud) installed.
  • You are logged into the Google Cloud CLI and have selected the Google Cloud project where you plan to deploy OpenShift Dedicated.
  • You have the minimum necessary permissions in Google Cloud, including:

    • Compute Network Admin
    • DNS Administrator
  • You have enabled certain services by running the following commands in your terminal:

    $ gcloud services enable networksecurity.googleapis.com
    $ gcloud services enable networkservices.googleapis.com
    $ gcloud services enable servicenetworking.googleapis.com

3.2. Setting up your environment

In your terminal, configure the following environment variables:

export project_id=$(gcloud config list --format="value(core.project)")
export region=us-east1
export prefix=osd-ngfw
export service_cidr="172.30.0.0/16"
export machine_cidr="10.0.0.0/22"
export pod_cidr="10.128.0.0/14"

This example uses us-east1 as the region to deploy into and the prefix osd-ngfw for the cluster’s resources. The default CIDR ranges are assigned for the service and pod networks. The machine CIDR is based on the subnet ranges that will be set later in this tutorial. Modify the parameters to meet your needs.

3.3. Creating the VPC and subnets

Before you can deploy a Google Cloud NGFW, you must first create the Virtual Private Cloud (VPC) and subnets that you will use for OpenShift Dedicated:

  1. Create the VPC by running the following command:

    $ gcloud compute networks create ${prefix}-vpc --subnet-mode=custom
  2. Create the worker subnets by running the following command:

    $ gcloud compute networks subnets create ${prefix}-worker \
        --range=10.0.2.0/23 \
        --network=${prefix}-vpc \
        --region=${region} \
        --enable-private-ip-google-access
  3. Create the control plane subnets by running the following command:

    $ gcloud compute networks subnets create ${prefix}-control-plane \
        --range=10.0.0.0/25 \
        --network=${prefix}-vpc \
        --region=${region} \
        --enable-private-ip-google-access
  4. Create the PSC subnets by running the following command:

    $ gcloud compute networks subnets create ${prefix}-psc \
        --network=${prefix}-vpc \
        --region=${region} \
        --stack-type=IPV4_ONLY \
        --range=10.0.0.128/29 \
        --purpose=PRIVATE_SERVICE_CONNECT

    These examples use the subnet ranges of 10.0.2.0/23 for the worker subnet, 10.0.0.0/25 for the control plane subnet, and 10.0.0.128/29 for the PSC subnet. Modify the parameters to meet your needs. Ensure the parameter values are contained within the machine CIDR you set earlier in this tutorial.
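The following script, added here as an example and not part of the tutorial, performs the containment check described above in plain POSIX shell before any gcloud resources are created: it verifies that each subnet range lies inside the machine CIDR, that the three subnets do not overlap one another, and that the machine CIDR does not overlap the pod or service CIDRs. It reads the tutorial's environment variables when they are exported and otherwise falls back to the values used above; the worker_range, control_plane_range and psc_range variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the tutorial): validate the IPv4 layout before creating subnets.
# Reads the tutorial's variables when exported; the *_range names are this example's own.
set -eu

machine_cidr="${machine_cidr:-10.0.0.0/22}"
pod_cidr="${pod_cidr:-10.128.0.0/14}"
service_cidr="${service_cidr:-172.30.0.0/16}"
worker_range="${worker_range:-10.0.2.0/23}"
control_plane_range="${control_plane_range:-10.0.0.0/25}"
psc_range="${psc_range:-10.0.0.128/29}"

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# "start end" integers for a CIDR block; fails on a misaligned prefix such as 10.0.0.1/24.
cidr_bounds() {
  start=$(ip2int "${1%/*}")
  size=$(( 1 << (32 - ${1#*/}) ))
  if [ $(( start & (size - 1) )) -ne 0 ]; then
    echo "misaligned CIDR: $1" >&2
    return 1
  fi
  echo "$start $(( start + size - 1 ))"
}

# contains OUTER INNER: true when INNER lies entirely within OUTER.
contains() {
  o=$(cidr_bounds "$1") || return 1
  i=$(cidr_bounds "$2") || return 1
  set -- $o $i
  [ "$3" -ge "$1" ] && [ "$4" -le "$2" ]
}

# overlaps A B: true when the two blocks share at least one address.
overlaps() {
  a=$(cidr_bounds "$1") || return 1
  b=$(cidr_bounds "$2") || return 1
  set -- $a $b
  [ "$3" -le "$2" ] && [ "$4" -ge "$1" ]
}

# Run every check, report each finding, and return non-zero if any fails.
check_ranges() {
  rc=0
  for r in "$worker_range" "$control_plane_range" "$psc_range"; do
    if contains "$machine_cidr" "$r"; then
      echo "ok   $r is within machine CIDR $machine_cidr"
    else
      echo "FAIL $r is not within machine CIDR $machine_cidr"; rc=1
    fi
  done
  for pair in "$worker_range $control_plane_range" \
              "$worker_range $psc_range" \
              "$control_plane_range $psc_range"; do
    set -- $pair
    if overlaps "$1" "$2"; then echo "FAIL subnets $1 and $2 overlap"; rc=1; fi
  done
  # The machine network must be disjoint from the cluster's pod and service networks.
  for r in "$pod_cidr" "$service_cidr"; do
    if overlaps "$machine_cidr" "$r"; then echo "FAIL machine CIDR $machine_cidr overlaps $r"; rc=1; fi
  done
  return $rc
}

check_ranges
```

Run it after exporting the variables from "Setting up your environment"; a non-zero exit means at least one FAIL line was printed and the ranges should be corrected before continuing.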

3.4. Deploying a global network firewall policy

  1. Create a global network firewall policy by running the following command:

    $ gcloud compute network-firewall-policies create \
        ${prefix} \
        --description "OpenShift Dedicated Egress Firewall" \
        --global
  2. Associate the newly created global network firewall policy with the VPC you created above by running the following command:

    $ gcloud compute network-firewall-policies associations create \
        --firewall-policy ${prefix} \
        --network ${prefix}-vpc \
        --global-firewall-policy

3.5. Creating a Cloud NAT gateway

Cloud NAT gives the cluster's private nodes a path to the internet without assigning them external IP addresses: outbound connections, such as pulling container images, are translated to the reserved public IP address, and no unsolicited inbound connections can reach the nodes. Because this gateway is the cluster's only route to the internet, the egress firewall rules you create later in this tutorial determine which destinations can be reached through it.

  1. Reserve an IP address for Cloud NAT by running the following command:

    $ gcloud compute addresses create ${prefix}-${region}-cloudnatip \
        --region=${region}
  2. Create a Cloud Router by running the following command:

    $ gcloud compute routers create ${prefix}-router \
        --region=${region} \
        --network=${prefix}-vpc
  3. Create a Cloud NAT by running the following command:

    $ gcloud compute routers nats create ${prefix}-cloudnat-${region} \
        --router=${prefix}-router --router-region ${region} \
        --nat-all-subnet-ip-ranges \
        --nat-external-ip-pool=${prefix}-${region}-cloudnatip

3.6. Creating a private DNS zone for Google APIs

The private Domain Name System (DNS) zone keeps the cluster's traffic to Google APIs off the public internet. It overrides resolution of *.googleapis.com inside the VPC so that every Google API name resolves to the restricted.googleapis.com virtual IP range (199.36.153.4/30), which is reached over Google's network through the Private Google Access you enabled on the subnets rather than through the public internet. Note that the restricted.googleapis.com range serves only the APIs that support VPC Service Controls; private.googleapis.com (199.36.153.8/30) serves all APIs.

  1. Create a private DNS zone for the googleapis.com domain by running the following command:

    $ gcloud dns managed-zones create ${prefix}-googleapis \
        --visibility=private \
        --networks=https://www.googleapis.com/compute/v1/projects/${project_id}/global/networks/${prefix}-vpc \
        --description="Private Google Access" \
        --dns-name=googleapis.com
  2. Begin a record set transaction by running the following command:

    $ gcloud dns record-sets transaction start \
        --zone=${prefix}-googleapis
  3. Stage the DNS records for Google APIs under the googleapis.com domain by running the following commands:

    $ gcloud dns record-sets transaction add --name="*.googleapis.com." \
        --type=CNAME restricted.googleapis.com. \
        --zone=${prefix}-googleapis \
        --ttl=300
    $ gcloud dns record-sets transaction add 199.36.153.4 199.36.153.5 199.36.153.6 199.36.153.7 \
        --name=restricted.googleapis.com. \
        --type=A \
        --zone=${prefix}-googleapis \
        --ttl=300
  4. Apply the staged record set transaction you started above by running the following command:

    $ gcloud dns record-sets transaction execute \
        --zone=${prefix}-googleapis

3.7. Creating the firewall rules

  1. Create a blanket allow rule for private IP (RFC 1918) address space by running the following command:

    $ gcloud compute network-firewall-policies rules create 500 \
        --description "Allow egress to private IP ranges" \
        --action=allow \
        --firewall-policy=${prefix} \
        --global-firewall-policy \
        --direction=EGRESS \
        --layer4-configs all \
        --dest-ip-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
  2. Create an allow rule for HTTPS (tcp/443) domains required for OpenShift Dedicated by running the following command. FQDN objects are matched against the IP addresses that Cloud DNS resolves each name to, so the nodes must use the VPC's Cloud DNS resolver for this rule to behave as intended:

    $ gcloud compute network-firewall-policies rules create 600 \
        --description "Allow egress to OpenShift Dedicated required domains (tcp/443)" \
        --action=allow \
        --firewall-policy=${prefix} \
        --global-firewall-policy \
        --direction=EGRESS \
        --layer4-configs tcp:443 \
        --dest-fqdns accounts.google.com,pull.q1w2.quay.rhcloud.com,http-inputs-osdsecuritylogs.splunkcloud.com,nosnch.in,api.deadmanssnitch.com,events.pagerduty.com,api.pagerduty.com,api.openshift.com,mirror.openshift.com,observatorium.api.openshift.com,observatorium-mst.api.openshift.com,console.redhat.com,infogw.api.openshift.com,api.access.redhat.com,cert-api.access.redhat.com,catalog.redhat.com,sso.redhat.com,registry.connect.redhat.com,registry.access.redhat.com,cdn01.quay.io,cdn02.quay.io,cdn03.quay.io,cdn04.quay.io,cdn05.quay.io,cdn06.quay.io,cdn.quay.io,quay.io,registry.redhat.io,quayio-production-s3.s3.amazonaws.com
    Important

    Google Cloud's implied firewall rules allow all egress, so traffic that matches none of the rules above is blocked only if the policy also contains an explicit rule that denies all other egress at priority 1000. Rules are evaluated in ascending order of priority number, so the allow rules above take precedence over that deny rule. Private Google Access traffic to the restricted.googleapis.com range (199.36.153.4/30) configured in the private DNS zone is also subject to these rules and needs its own allow rule. To allow access to other resources, such as internal networks or other external endpoints, create additional allow rules with a priority of less than 1000. For more information on how to create firewall rules, see Use global network firewall policies and rules.
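The following script, added here as an example and not taken from the tutorial, assembles the complete egress rule set for the policy and prints the gcloud commands for review; set APPLY=1 to execute them. Two of its rules are additions that the rules above do not include: a deny rule for all other egress at priority 1000, which the statement that unmatched traffic is blocked relies on because Google Cloud's implied rules otherwise allow all egress, and an allow rule for the restricted.googleapis.com range 199.36.153.4/30 that the private DNS zone points Google API traffic at, because Private Google Access traffic is still subject to egress rules once a deny-all exists. The priority number 700 and the descriptions of the two added rules are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the tutorial): generate the full egress rule set for the
# global network firewall policy. Prints the commands by default; APPLY=1 runs them.
set -eu

prefix="${prefix:-osd-ngfw}"

# Domains from the tutorial's tcp/443 allow rule.
osd_fqdns="accounts.google.com,pull.q1w2.quay.rhcloud.com,http-inputs-osdsecuritylogs.splunkcloud.com,nosnch.in,api.deadmanssnitch.com,events.pagerduty.com,api.pagerduty.com,api.openshift.com,mirror.openshift.com,observatorium.api.openshift.com,observatorium-mst.api.openshift.com,console.redhat.com,infogw.api.openshift.com,api.access.redhat.com,cert-api.access.redhat.com,catalog.redhat.com,sso.redhat.com,registry.connect.redhat.com,registry.access.redhat.com,cdn01.quay.io,cdn02.quay.io,cdn03.quay.io,cdn04.quay.io,cdn05.quay.io,cdn06.quay.io,cdn.quay.io,quay.io,registry.redhat.io,quayio-production-s3.s3.amazonaws.com"

# rule PRIORITY ACTION LAYER4 DESCRIPTION DEST_FLAG
# Emits one "gcloud ... rules create" command on a single line.
rule() {
  printf 'gcloud compute network-firewall-policies rules create %s' "$1"
  printf " --description '%s' --action=%s" "$4" "$2"
  printf ' --firewall-policy=%s --global-firewall-policy --direction=EGRESS' "$prefix"
  printf ' --layer4-configs %s %s\n' "$3" "$5"
}

# Lower priority numbers are evaluated first, so every allow precedes the deny.
egress_rules() {
  rule 500 allow all 'Allow egress to private IP ranges' \
      --dest-ip-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
  rule 600 allow tcp:443 'Allow egress to OpenShift Dedicated required domains (tcp/443)' \
      "--dest-fqdns=$osd_fqdns"
  # Addition (not in the tutorial): the restricted.googleapis.com VIPs that the
  # private DNS zone resolves Google API names to; priority 700 is this example's choice.
  rule 700 allow tcp:443 'Allow egress to restricted.googleapis.com (Private Google Access)' \
      --dest-ip-ranges=199.36.153.4/30
  # Addition (not in the tutorial): explicit default deny. Without it the implied
  # Google Cloud rule allows all egress and the allow rules restrict nothing.
  rule 1000 deny all 'Deny all other egress' --dest-ip-ranges=0.0.0.0/0
}

# Sanity checks on the generated set: exactly one deny, and it carries the
# highest priority number so that it is evaluated after every allow rule.
deny_count() { egress_rules | grep -c -e '--action=deny'; }
deny_is_last() {
  # Field 6 of each generated command is the priority number.
  egress_rules | sort -k6,6n | tail -n 1 | grep -q -e '--action=deny'
}

if [ "${APPLY:-0}" = 1 ]; then
  egress_rules | while IFS= read -r cmd; do eval "$cmd"; done
else
  egress_rules
fi
```

Review the printed commands (for example against `gcloud compute network-firewall-policies rules list --firewall-policy ${prefix} --global-firewall-policy` on an existing policy) before running with APPLY=1; when extending the set, keep every allow rule's priority number below 1000.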

3.8. Creating your cluster

You are now ready to create your OpenShift Dedicated on Google Cloud cluster. For more information, see Creating a cluster on Google Cloud with Workload Identity Federation authentication.

3.9. Deleting your cluster

To delete your cluster, see Deleting an OpenShift Dedicated cluster on Google Cloud.

3.10. Cleaning up resources

To prevent ongoing charges, after you delete your cluster you must manually delete the Google Cloud networking infrastructure you created as part of this tutorial. Deleting the cluster will not automatically remove these underlying resources. You can clean up these resources using a combination of gcloud CLI commands and actions within the Google Cloud console.

Before you begin cleaning up the resources you created for this tutorial, run the following commands and complete any prompts.

  1. To initialize the gcloud CLI and select your account and project, run the following command:

    $ gcloud init
  2. To obtain Application Default Credentials for your Google Cloud account, run the following command:

    $ gcloud auth application-default login
  3. To log in to the OpenShift Cluster Manager (OCM) CLI, run the following command:

    $ ocm login --use-auth-code

You are now ready to clean up the resources you created as part of this tutorial. To respect resource dependencies, delete them in the reverse order of their creation.

  1. Delete the firewall policy’s association with the VPC by running the following command:

    $ gcloud compute network-firewall-policies associations delete \
        --firewall-policy=${prefix} \
        --network=${prefix}-vpc \
        --global-firewall-policy
  2. Delete the global network firewall policy by running the following command:

    $ gcloud compute network-firewall-policies delete ${prefix} --global
  3. A managed DNS zone in Google Cloud cannot be deleted until all user-defined record sets are removed. Create a script that sets the target project and managed zone (in this tutorial, the values of ${project_id} and ${prefix}-googleapis), lists every record set in the private DNS zone other than the zone's own NS and SOA records, and deletes each one:

    $ cat /tmp/delete_records.sh
    #!/usr/bin/env bash
    set -euo pipefail
    PROJECT_ID=<your-project-id>
    ZONE_NAME=<your-managed-zone-name>

    # The NS and SOA records are managed by Cloud DNS and cannot be deleted.
    gcloud dns record-sets list \
        --project="$PROJECT_ID" \
        --zone="$ZONE_NAME" \
        --filter="type!=NS AND type!=SOA" \
        --format="value(name,type)" | while read -r name type; do
      gcloud --project="$PROJECT_ID" dns record-sets delete "$name" \
          --zone="$ZONE_NAME" --type="$type"
    done
  4. Delete the record sets by running the script:

    $ bash /tmp/delete_records.sh
  5. Confirm that only the NS and SOA records remain by running the following command:

    $ gcloud dns record-sets list --project=$PROJECT_ID --zone=$ZONE_NAME
  6. Delete the Private DNS Zone by running the following command:

    $ gcloud dns managed-zones delete ${prefix}-googleapis
  7. Delete the Cloud NAT gateway by running the following command:

    $ gcloud compute routers nats delete ${prefix}-cloudnat-${region} \
        --router=${prefix}-router \
        --router-region=${region}
  8. Delete the Cloud Router by running the following command:

    $ gcloud compute routers delete ${prefix}-router --region=${region}
  9. Delete the reserved IP address by running the following command:

    $ gcloud compute addresses delete ${prefix}-${region}-cloudnatip --region=${region}
  10. Delete the worker subnet by running the following command:

    $ gcloud compute networks subnets delete ${prefix}-worker --region=${region}
  11. Delete the control plane subnet by running the following command:

    $ gcloud compute networks subnets delete ${prefix}-control-plane --region=${region}
  12. Delete the PSC subnet by running the following command:

    $ gcloud compute networks subnets delete ${prefix}-psc --region=${region}
  13. Delete the VPC by running the following command:

    $ gcloud compute networks delete ${prefix}-vpc
© 2025 Red Hat