Overview

In this lab, you create two nginx web servers and control external HTTP access to the web servers using tagged firewall rules. Then you explore IAM roles and service accounts.

Objectives

In this lab, you learn how to perform the following tasks:

• Create an nginx web server
• Create tagged firewall rules
• Create a service account with IAM roles
• Explore permissions for the Network Admin and Security Admin roles

Setup and requirements

For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.

1. Sign in to Google Skills using an incognito window.

2. Note the lab's access time (for example, 1:15:00), and make sure you can finish within that time. There is no pause feature. You can restart if needed, but you have to start at the beginning.

3. When ready, click Start lab.

4. Note your lab credentials (Username and Password). You will use them to sign in to the Google Cloud Console.

5. Click Open Google Console.

6. Click Use another account and copy/paste credentials for this lab into the prompts. If you use other credentials, you'll receive errors or incur charges.

7. Accept the terms and skip the recovery resource page.

Task 1. Create the web servers

Create two web servers (blue and green) in the default VPC network. Then install nginx on the web servers and modify the welcome page to distinguish the servers.

Create the blue server

Create the blue server with a network tag.

1. In the Cloud Console, on the Navigation menu (), click Compute Engine > VM instances.

2. Click Create Instance.

3. Specify the following, and leave the remaining settings as their defaults:

   Property	Value (type value or select option as specified)
   Name	blue
   Region
   Zone

4. Click Networking.

5. For Network tags, type web-server.

Note: Network tags are used by networks to identify which VM instances are subject to certain firewall rules and network routes. In the next task, you create a firewall rule to allow HTTP access for VM instances with the web-server tag.

Alternatively, you could select the Allow HTTP traffic checkbox, which would tag this instance as http-server and create the tagged firewall rule for tcp:80 for you.

6. Click Create.

Create the green server

Create the green server without a network tag.

1. Click Create instance.

2. Specify the following, and leave the remaining settings as their defaults:

   Property	Value (type value or select option as specified)
   Name	green
   Region
   Zone

3. Click Create.

Install nginx and customize the welcome page

Install nginx on both VM instances and modify the welcome page to distinguish the servers.

1. For blue, click SSH to launch a terminal and connect.
2. Run the following command to install nginx:

sudo apt-get install nginx-light -y

3. Run the following command to open the welcome page in the nano editor:

sudo nano /var/www/html/index.nginx-debian.html

4. Replace the <h1>Welcome to nginx!</h1> line with <h1>Welcome to the blue server!</h1>.
5. Press CTRL+O, ENTER, CTRL+X.
6. Run the following command to verify the change:

cat /var/www/html/index.nginx-debian.html

The output should contain the following:

... <h1>Welcome to the blue server!</h1> <p>If you see this page, the nginx web server is successfully installed and working. Further configuration is required.</p> ...

7. Close the SSH terminal to blue:

exit

Repeat the same steps for the green server:

8. For green, click SSH to launch a terminal and connect.
9. Run the following command to install nginx:

sudo apt-get install nginx-light -y

10. Run the following command, to open the welcome page in the nano editor:

sudo nano /var/www/html/index.nginx-debian.html

11. Replace the <h1>Welcome to nginx!</h1> line with <h1>Welcome to the green server!</h1>.
12. Press CTRL+O, ENTER, CTRL+X.
13. Run the following command to verify the change:

cat /var/www/html/index.nginx-debian.html

The output should contain the following:

... <h1>Welcome to the green server!</h1> <p>If you see this page, the nginx web server is successfully installed and working. Further configuration is required.</p> ...

14. Close the SSH terminal to green:

exit

Click Check my progress to verify the objective. Create the web servers

Task 2. Create the firewall rule

Create the tagged firewall rule and test HTTP connectivity.

Create the tagged firewall rule

Create a firewall rule that applies to VM instances with the web-server network tag.

1. In the Cloud Console, on the Navigation menu, click VPC network > Firewall.
2. Notice the default-allow-internal firewall rule.

Note: The default-allow-internal firewall rule allows traffic on all protocols/ports within the default network. You want to create a firewall rule to allow traffic from outside this network to only the blue server, by using the network tag web-server.

3. Click Create Firewall Rule.

4. Specify the following, and leave the remaining settings as their defaults:

   Property	Value (type value or select option as specified)
   Name	allow-http-web-server
   Network	default
   Targets	Specified target tags
   Target tags	web-server
   Source filter	IPv4 Ranges
   Source IPv4 ranges	0.0.0.0/0
   Protocols and ports	Specified protocols and ports

5. For tcp, specify port 80.

Note: Make sure to include the /0 in the Source IPv4 ranges to specify all networks.

6. Click Create.

Create a test-vm

Create a test-vm instance using the gcloud command line.

1. In the Cloud Console, click Activate Cloud Shell ().
2. If prompted, click Continue.
3. Run the following command to create a test-vm instance:

gcloud compute instances create test-vm --machine-type=e2-medium --subnet=default --zone={{{ project_0.default_zone | "filled at lab start" }}}

The output should look similar to what is shown below. (Note that the zone may be different.)

NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS test-vm us-central1-a e2-medium 10.142.0.4 35.237.134.68 RUNNING Note: You can easily create VM instances from the Cloud Console or the gcloud command line.

Click Check my progress to verify the objective. Create the firewall rule and instance

Test HTTP connectivity

From test-vm curl the internal and external IP addresses of blue and green.

1. In the Cloud Console, on the Navigation menu, click Compute Engine > VM instances.
   Note the internal and external IP addresses of blue and green.
2. For test-vm, click SSH to launch a terminal and connect.
3. To test HTTP connectivity to blue's internal IP, run the following command, replacing blue's internal IP:

curl <Enter blue's internal IP here>

You should see the Welcome to the blue server! header.

4. To test HTTP connectivity to green's internal IP, run the following command, replacing green's internal IP:

curl <Enter green's internal IP here>

You should see the Welcome to the green server! header.

Note: You can HTTP access both servers using their internal IP addresses. The connection on tcp:80 is allowed by the default-allow-internal firewall rule, because test-vm is on the same VPC network as the web servers (default network).

5. To test HTTP connectivity to blue's external IP, run the following command, replacing blue's external IP:

curl <Enter blue's external IP here>

You should see the Welcome to the blue server! header.

6. To test HTTP connectivity to green's external IP, run the following command, replacing green's external IP:

curl <Enter green's external IP here> Note: This should not work!

7. Press CTRL+C to stop the HTTP request.

Note: As expected, you can only HTTP access the external IP address of the blue server, because the allow-http-web-server only applies to VM instances with the web-server tag.

8. To verify the same behavior from your browser, open a new tab and navigate to http://[External IP of server].

Task 3. Explore the Network and Security Admin roles

Cloud IAM lets you authorize who can take action on specific resources, which give you full control and visibility to manage cloud resources centrally. The following roles are used in conjunction with single-project networking to independently control administrative access to each VPC network:

• Network Admin: Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates.
• Security Admin: Permissions to create, modify, and delete firewall rules and SSL certificates.

Explore these roles by applying them to a service account, which is a special Google account that belongs to your VM instance instead of to an individual end user. You will authorize test-vm to use the service account to demonstrate the permissions of the Network Admin and Security Admin roles, instead of creating a new user.

Verify current permissions

Currently, test-vm uses the Compute Engine default service account, which is enabled on all instances created by the gcloud command-line tool and the Cloud Console.

Try to list or delete the available firewall rules from test-vm.

1. Return to the SSH terminal of the test-vm instance.
2. Run the following command to try to list the available firewall rules:

gcloud compute firewall-rules list

The output should look like this:

ERROR: (gcloud.compute.firewall-rules.list) Some requests did not succeed: - Insufficient Permission Note: This should not work!

3. Run the following command to try to delete the allow-http-web-server firewall rule:

gcloud compute firewall-rules delete allow-http-web-server

4. Enter Y, if asked to continue.

The output should look like this:

ERROR: (gcloud.compute.firewall-rules.delete) Could not fetch resource: - Insufficient Permission Note: This should not work! Note: The Compute Engine default service account does not have the right permissions to allow you to list or delete firewall rules. The same applies to other users who do not have the right roles.

Create a service account

Create a service account and apply the Network Admin role.

1. In the Cloud Console, on the Navigation menu (), click IAM & admin > Service accounts.
   Notice the Compute Engine default service account.
2. Click Create service account.
3. Set the Service account name to Network-admin.
4. Click Create and Continue.
5. For Select a role, select Compute Engine > Compute Network Admin.
6. Click Continue.
7. Click Done.

Note: Optionally you could create and download a file that contains the private key. However, we can just stop test-vm and authorize it to use the service account.

Authorize test-vm

Authorize test-vm to use the Network-admin service account.

1. On the Navigation menu, click Compute Engine > VM instances.
2. Click on the name of the test-vm instance to open the VM instance details page.
3. Click Stop and confirm to Stop the instance. Wait for the instance to stop before proceeding to the next step.

Note: An instance must be stopped to edit its service account.

4. Once the instance stopped, click Edit.

5. Select Network-admin for Service account.

6. For Access Scopes, select Set access for each API, and in the Compute Engine dropdown, choose the Read/Write option

7. Click Save and wait for the instance to update.

8. Click Start and confirm to Start the instance.

9. Return to the Vm instances page and wait for test-vm to change to a running state.

10. Click SSH for the test-vm instance.

Verify permissions

1. Run the following command to try to list the available firewall rules:

gcloud compute firewall-rules list

The output should look like this:

NAME NETWORK DIRECTION PRIORITY ALLOW DENY allow-http-web-server default INGRESS 1000 tcp:80 default-allow-icmp default INGRESS 65534 icmp default-allow-internal default INGRESS 65534 all default-allow-rdp default INGRESS 65534 tcp:3389 default-allow-ssh default INGRESS 65534 tcp:22

This should work!

2. Run the following command to try to delete the allow-http-web-server firewall rule:

gcloud compute firewall-rules delete allow-http-web-server

3. Enter Y, if asked to continue.

The output should look like this:

ERROR: (gcloud.compute.firewall-rules.delete) Could not fetch resource: - Required 'compute.firewalls.delete' permission for 'projects/[PROJECT_ID]/global/firewalls/allow-http-web-server' Note: This should not work! Note: As expected, the Network Admin role has permissions to list but not modify/delete firewall rules.

Update service account and verify permissions

Update the Network-admin service account by providing it with the Security Admin role.

1. In the Cloud Console, on the Navigation menu (), click IAM & admin > IAM.
2. Find the Network-admin account. Focus on the Name column to identify this account.
3. Click on the pencil icon for the Network-admin account.
4. Change Role to Compute Engine > Compute Security Admin.
5. Click Save.
6. Return to the SSH terminal of the test-vm instance.
7. Run the following command to try to list the available firewall rules:

gcloud compute firewall-rules list

The output should look like this:

NAME NETWORK DIRECTION PRIORITY ALLOW DENY allow-http-web-server default INGRESS 1000 tcp:80 default-allow-icmp default INGRESS 65534 icmp default-allow-internal default INGRESS 65534 all default-allow-rdp default INGRESS 65534 tcp:3389 default-allow-ssh default INGRESS 65534 tcp:22

This should work!

8. Run the following command to try to delete the allow-http-web-server firewall rule:

gcloud compute firewall-rules delete allow-http-web-server

9. Enter Y, if asked to continue.

The output should look like this:

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-00e186e4b1cec086/global/firewalls/allow-http-web-server].

This should work!

Note: As expected, the Security Admin role has permissions to list and delete firewall rules.

Verify the deletion of the firewall rule

Verify that you can no longer HTTP access the external IP of the blue server because you deleted the allow-http-web-server firewall rule.

1. Return to the SSH terminal of the test-vm instance.
2. To test HTTP connectivity to blue's external IP, run the following command, replacing blue's external IP:

curl <Enter blue's external IP here> Note: This should not work!

3. Press CTRL+C to stop the HTTP request.

Note: Provide the Security Admin role to the right user or service account to avoid any unwanted changes to your firewall rules!

Click Check my progress to verify the objective. Explore the Network and Security Admin roles

Task 4. Review

In this lab, you created two nginx web servers and controlled external HTTP access using a tagged firewall rule. Then you created a service account with first the Network Admin role and then the Security Admin role to explore the different permissions of these roles.

If your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, grant the security team the Security Admin role and the networking team the Network Admin role.

End your lab

When you have completed your lab, click End Lab. Google Skills removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

• 1 star = Very dissatisfied
• 2 stars = Dissatisfied
• 3 stars = Neutral
• 4 stars = Satisfied
• 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Copyright 2026 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.