Skip to main content


3.6 Restrict SSH Access From the Internet (Automated)

Profile Applicability

• Level 2


GCP Firewall Rules are specific to a Virtual Private Cloud (VPC) Network. When traffic meets certain conditions, each rule either allows or denies the traffic. Its conditions allow the user to specify the type of traffic, such as ports and protocols, and the source or destination of the traffic, including IP addresses, subnets, and instances.

You define firewall rules at the VPC network level and they are specific to their defined network. It is not possible to share the rules themselves among networks. Firewall rules only support IPv4 traffic.

When specifying a source for an ingress rule or a destination for an egress rule by address, you can only use an IPv4 address or IPv4 block in Classless Inter-Domain Routing (CIDR) notation. You can avoid generic ( incoming traffic from the internet to VPC or VM instance using SSH on Port 22.


GCP Firewall Rules within a VPC Network apply to outgoing (egress) traffic from instances and incoming (ingress) traffic to instances in the network. Egress and ingress traffic flows are controlled even if the traffic stays within the network (for example, instance-to-instance communication). For an instance to have outgoing Internet access, the network must have a valid Internet gateway route or custom route whose destination IP is specified. This route simply defines the path to the Internet, to avoid the most general ( destination IP Range specified from the Internet through SSH with the default Port 22. Generic access from the Internet to a specific IP Range needs to be restricted.


All Secure Shell (SSH) connections from outside of the network to the concerned VPC(s) will be blocked. There could be a business need where SSH access is required from outside of the network to access resources associated with the VPC. In that case, specific source IP(s) should be mentioned in firewall rules to white-list access to SSH port for the concerned VPC(s).


From the Console:

  1. Go to VPC network.
  2. Go to the Firewall Rules.
  3. Ensure that Port is not equal to 22 and Action is not set to Allow.
  4. Ensure IP Ranges is not equal to under Source filters.

From Command Line:

gcloud compute firewall-rules list --format=table'(name,direction,sourceRanges,allowed)'

Ensure that there is no rule matching the below criteria:

  • AND IPProtocol is tcp or ALL
  • AND PORTS is set to 22 or range containing 22 or Null (not set)
  • When ALL TCP ports are allowed in a rule, PORT does not have any value set (NULL)
  • When ALL Protocols are allowed in a rule, PORT does not have any value set (NULL)


From the Console:

  1. Go to VPC Network.
  2. Go to the Firewall Rules.
  3. Click the Firewall Rule you want to modify.
  4. Click Edit.
  5. Modify Source IP ranges to specific IP.
  6. Click Save.

From Command Line:

  1. Update the Firewall rule with the new SOURCE_RANGE from the below command:
gcloud compute firewall-rules update FirewallName --allow=[<protocol>[:<port>[-<port>]]] --source-ranges=[<cidr_range>]


Additional Information

Currently, GCP VPC only supports IPv4; however, Google is already working on adding IPv6 support for VPC. In that case along with source IP range, inspect the rule for IPv6 equivalent ::/0 as well.