Table: gcp_compute_firewall - Query Google Cloud Compute Engine Firewalls using SQL

Google Cloud Compute Engine Firewalls are a networking security feature that allows you to control the traffic to your virtual machine instances. They provide a flexible and robust tool for securing your instances by defining what traffic is allowed to and from your instances. Firewalls are implemented at the network level and apply to all traffic that crosses the perimeter of the network.

Table Usage Guide

The gcp_compute_firewall table can be used to gain insights into firewall rules within Google Cloud Compute Engine. As a network security administrator or a DevOps engineer, you can explore details about each firewall rule, including allowed and denied configurations, network associations, and priority. Utilize it to identify firewall rules that may be overly permissive or misconfigured, enhancing your network security posture.

Examples

Firewall rules basic info

Explore which firewall rules are in place for your Google Cloud Platform (GCP) compute instances. This allows you to understand the direction of traffic flow and assess the overall security configuration.

select
  name,
  id,
  description,
  direction
from
  gcp_compute_firewall;

select
  name,
  id,
  description,
  direction
from
  gcp_compute_firewall;

List of rules which are applied to TCP protocol

Explore which firewall rules are applied specifically to the TCP protocol in your Google Cloud Platform. This will help in assessing network security and identifying potential vulnerabilities.

select
  name,
  id,
  p ->> 'IPProtocol' as ip_protocol,
  p ->> 'ports' as ports
from
  gcp_compute_firewall,
  jsonb_array_elements(allowed) as p
where
  p ->> 'IPProtocol' = 'tcp';

select
  f.name,
  f.id,
  json_extract(p.value, '$.IPProtocol') as ip_protocol,
  json_extract(p.value, '$.ports') as ports
from
  gcp_compute_firewall as f,
  json_each(allowed) as p
where
  json_extract(p.value, '$.IPProtocol') = 'tcp';

List of disabled rules

Determine the areas in which firewall rules are disabled to strengthen your security posture in Google Cloud Platform. This can assist in identifying potential vulnerabilities and maintaining robust network security.

select
  name,
  id,
  description,
  disabled
from
  gcp_compute_firewall
where
  disabled;

select
  name,
  id,
  description,
  disabled
from
  gcp_compute_firewall
where
  disabled = 1;

List of Egress rules

Explore which firewall rules in your Google Cloud Platform are set to allow outbound traffic. This can help understand your network's security posture and identify potential vulnerabilities.

select
  name,
  id,
  direction,
  allowed,
  denied
from
  gcp_compute_firewall
where
  direction = 'EGRESS';

select
  name,
  id,
  direction,
  allowed,
  denied
from
  gcp_compute_firewall
where
  direction = 'EGRESS';

Query examples

Control examples

Schema for gcp_compute_firewall

Name	Type	Operators	Description
_ctx	jsonb		Steampipe context in JSON form.
action	text		Describes the type action specified by the rule.
akas	jsonb		Array of globally unique identifier strings (also known as) for the resource.
allowed	jsonb		The list of ALLOW rules specified by this firewall.
creation_timestamp	timestamp with time zone		The creation timestamp of the resource.
denied	jsonb		The list of DENY rules specified by this firewall.
description	text		A user-specified, human-readable description of the firewall.
destination_ranges	jsonb		A list of CIDR ranges. The firewall rule applies only to traffic that has destination IP address in these ranges.
direction	text	!=, =	Direction of traffic to which this firewall applies.
disabled	boolean	!=, =	Indicates whether the firewall rule is disabled, or not.
id	bigint		The unique identifier for the resource.
kind	text		Specifies the type of the resource.
location	text		The GCP multi-region, region, or zone in which the resource is located.
log_config_enable	boolean		Specifies whether to enable logging for a particular firewall rule, or not.
log_config_metadata	text		Specifies whether to include or exclude metadata for firewall logs.
name	text	=	A friendly name that identifies the resource.
network	text		The URL of the network resource for this firewall rule.
priority	bigint		Specifies the priority for this rule. Relative priorities determine which rule takes effect if multiple rules apply. Lower values indicate higher priority.
project	text	=, !=, ~~, ~~, !~~, !~~	The GCP Project in which the resource is located.
self_link	text		The server-defined URL for the resource.
source_ranges	jsonb		A list of CIDR ranges. The firewall rule applies only to traffic originating from an instance with a service account in this list.
source_service_accounts	jsonb		A list of service account. The firewall rule applies only to traffic that has a source IP address in these ranges.
source_tags	jsonb		A list of tags. The firewall rule applies only to traffic with source IPs that match the primary network interfaces of VM instances that have the tag and are in the same VPC network.
sp_connection_name	text	=, !=, ~~, ~~, !~~, !~~	Steampipe connection name.
sp_ctx	jsonb		Steampipe context in JSON form.
target_service_accounts	jsonb		A list of service accounts indicating sets of instances located in the network that may make network connections as specified in Allowed
target_tags	jsonb		A list of tags that controls which instances the firewall rule applies to.
title	text		Title of the resource.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- gcp

You can pass the configuration to the command with the --config argument:

steampipe_export_gcp --config '<your_config>' gcp_compute_firewall