Wczytuję…
Nie znaleziono wyników.

Wykorzystuj swoje umiejętności w konsoli Google Cloud

Instrukcje i wymagania dotyczące konfiguracji modułu
Chroń swoje konto i postępy. Zawsze używaj okna przeglądania prywatnego i danych logowania do modułu, kiedy go uruchamiasz.

Controlling Access to VPC Networks

Laboratorium 1 godz. 30 godz. universal_currency_alt Punkty: 5 show_chart Wprowadzające
info Ten moduł może zawierać narzędzia AI, które ułatwią Ci naukę.
Te treści nie są jeszcze zoptymalizowane pod kątem urządzeń mobilnych.
Dla maksymalnej wygody odwiedź nas na komputerze, korzystając z linku przesłanego e-mailem.

Overview

In this lab, you create two nginx web servers and control external HTTP access to the web servers using tagged firewall rules. Then you explore IAM roles and service accounts.

Objectives

In this lab, you learn how to perform the following tasks:

  • Create an nginx web server
  • Create tagged firewall rules
  • Create a service account with IAM roles
  • Explore permissions for the Network Admin and Security Admin roles

Setup and requirements

For each lab, you get a new Google Cloud project and set of resources for a fixed time at no cost.

  1. Sign in to Google Skills using an incognito window.

  2. Note the lab's access time (for example, 1:15:00), and make sure you can finish within that time. There is no pause feature. You can restart if needed, but you have to start at the beginning.

  3. When ready, click Start lab.

  4. Note your lab credentials (Username and Password). You will use them to sign in to the Google Cloud Console.

  5. Click Open Google Console.

  6. Click Use another account and copy/paste credentials for this lab into the prompts. If you use other credentials, you'll receive errors or incur charges.

  7. Accept the terms and skip the recovery resource page.

Task 1. Create the web servers

Create two web servers (blue and green) in the default VPC network. Then install nginx on the web servers and modify the welcome page to distinguish the servers.

Create the blue server

Create the blue server with a network tag.

  1. In the Cloud Console, on the Navigation menu (Navigation menu icon), click Compute Engine > VM instances.

  2. Click Create Instance.

  3. Specify the following, and leave the remaining settings as their defaults:

    Property Value (type value or select option as specified)
    Name blue
    Region
    Zone

  4. Click Networking.

  5. For Network tags, type web-server.

Note: Network tags are used by networks to identify which VM instances are subject to certain firewall rules and network routes. In the next task, you create a firewall rule to allow HTTP access for VM instances with the web-server tag.

Alternatively, you could select the Allow HTTP traffic checkbox, which would tag this instance as http-server and create the tagged firewall rule for tcp:80 for you.
  1. Click Create.

Create the green server

Create the green server without a network tag.

  1. Click Create instance.

  2. Specify the following, and leave the remaining settings as their defaults:

    Property Value (type value or select option as specified)
    Name green
    Region
    Zone

  3. Click Create.

Install nginx and customize the welcome page

Install nginx on both VM instances and modify the welcome page to distinguish the servers.

  1. For blue, click SSH to launch a terminal and connect.
  2. Run the following command to install nginx:
sudo apt-get install nginx-light -y
  1. Run the following command to open the welcome page in the nano editor:
sudo nano /var/www/html/index.nginx-debian.html
  1. Replace the <h1>Welcome to nginx!</h1> line with <h1>Welcome to the blue server!</h1>.
  2. Press CTRL+O, ENTER, CTRL+X.
  3. Run the following command to verify the change:
cat /var/www/html/index.nginx-debian.html

The output should contain the following:

... <h1>Welcome to the blue server!</h1> <p>If you see this page, the nginx web server is successfully installed and working. Further configuration is required.</p> ...
  1. Close the SSH terminal to blue:
exit

Repeat the same steps for the green server:

  1. For green, click SSH to launch a terminal and connect.
  2. Run the following command to install nginx:
sudo apt-get install nginx-light -y
  1. Run the following command, to open the welcome page in the nano editor:
sudo nano /var/www/html/index.nginx-debian.html
  1. Replace the <h1>Welcome to nginx!</h1> line with <h1>Welcome to the green server!</h1>.
  2. Press CTRL+O, ENTER, CTRL+X.
  3. Run the following command to verify the change:
cat /var/www/html/index.nginx-debian.html

The output should contain the following:

... <h1>Welcome to the green server!</h1> <p>If you see this page, the nginx web server is successfully installed and working. Further configuration is required.</p> ...
  1. Close the SSH terminal to green:
exit

Click Check my progress to verify the objective. Create the web servers

Task 2. Create the firewall rule

Create the tagged firewall rule and test HTTP connectivity.

Create the tagged firewall rule

Create a firewall rule that applies to VM instances with the web-server network tag.

  1. In the Cloud Console, on the Navigation menu, click VPC network > Firewall.
  2. Notice the default-allow-internal firewall rule.
Note: The default-allow-internal firewall rule allows traffic on all protocols/ports within the default network. You want to create a firewall rule to allow traffic from outside this network to only the blue server, by using the network tag web-server.

  1. Click Create Firewall Rule.

  2. Specify the following, and leave the remaining settings as their defaults:

    Property Value (type value or select option as specified)
    Name allow-http-web-server
    Network default
    Targets Specified target tags
    Target tags web-server
    Source filter IPv4 Ranges
    Source IPv4 ranges 0.0.0.0/0
    Protocols and ports Specified protocols and ports

  3. For tcp, specify port 80.

Note: Make sure to include the /0 in the Source IPv4 ranges to specify all networks.
  1. Click Create.

Create a test-vm

Create a test-vm instance using the gcloud command line.

  1. In the Cloud Console, click Activate Cloud Shell (Activate Cloud Shell icon).
  2. If prompted, click Continue.
  3. Run the following command to create a test-vm instance:
gcloud compute instances create test-vm --machine-type=e2-medium --subnet=default --zone={{{ project_0.default_zone | "filled at lab start" }}}

The output should look similar to what is shown below. (Note that the zone may be different.)

NAME ZONE MACHINE_TYPE PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS test-vm us-central1-a e2-medium 10.142.0.4 35.237.134.68 RUNNING Note: You can easily create VM instances from the Cloud Console or the gcloud command line.

Click Check my progress to verify the objective. Create the firewall rule and instance

Test HTTP connectivity

From test-vm curl the internal and external IP addresses of blue and green.

  1. In the Cloud Console, on the Navigation menu, click Compute Engine > VM instances.
    Note the internal and external IP addresses of blue and green.
  2. For test-vm, click SSH to launch a terminal and connect.
  3. To test HTTP connectivity to blue's internal IP, run the following command, replacing blue's internal IP:
curl <Enter blue's internal IP here>

You should see the Welcome to the blue server! header.

  1. To test HTTP connectivity to green's internal IP, run the following command, replacing green's internal IP:
curl <Enter green's internal IP here>

You should see the Welcome to the green server! header.

Note: You can HTTP access both servers using their internal IP addresses. The connection on tcp:80 is allowed by the default-allow-internal firewall rule, because test-vm is on the same VPC network as the web servers (default network).
  1. To test HTTP connectivity to blue's external IP, run the following command, replacing blue's external IP:
curl <Enter blue's external IP here>

You should see the Welcome to the blue server! header.

  1. To test HTTP connectivity to green's external IP, run the following command, replacing green's external IP:
curl <Enter green's external IP here> Note: This should not work!
  1. Press CTRL+C to stop the HTTP request.
Note: As expected, you can only HTTP access the external IP address of the blue server, because the allow-http-web-server only applies to VM instances with the web-server tag.
  1. To verify the same behavior from your browser, open a new tab and navigate to http://[External IP of server].

Task 3. Explore the Network and Security Admin roles

Cloud IAM lets you authorize who can take action on specific resources, which give you full control and visibility to manage cloud resources centrally. The following roles are used in conjunction with single-project networking to independently control administrative access to each VPC network:

  • Network Admin: Permissions to create, modify, and delete networking resources, except for firewall rules and SSL certificates.
  • Security Admin: Permissions to create, modify, and delete firewall rules and SSL certificates.

Explore these roles by applying them to a service account, which is a special Google account that belongs to your VM instance instead of to an individual end user. You will authorize test-vm to use the service account to demonstrate the permissions of the Network Admin and Security Admin roles, instead of creating a new user.

Verify current permissions

Currently, test-vm uses the Compute Engine default service account, which is enabled on all instances created by the gcloud command-line tool and the Cloud Console.

Try to list or delete the available firewall rules from test-vm.

  1. Return to the SSH terminal of the test-vm instance.
  2. Run the following command to try to list the available firewall rules:
gcloud compute firewall-rules list

The output should look like this:

ERROR: (gcloud.compute.firewall-rules.list) Some requests did not succeed: - Insufficient Permission Note: This should not work!
  1. Run the following command to try to delete the allow-http-web-server firewall rule:
gcloud compute firewall-rules delete allow-http-web-server
  1. Enter Y, if asked to continue.

The output should look like this:

ERROR: (gcloud.compute.firewall-rules.delete) Could not fetch resource: - Insufficient Permission Note: This should not work! Note: The Compute Engine default service account does not have the right permissions to allow you to list or delete firewall rules. The same applies to other users who do not have the right roles.

Create a service account

Create a service account and apply the Network Admin role.

  1. In the Cloud Console, on the Navigation menu (Navigation menu icon), click IAM & admin > Service accounts.
    Notice the Compute Engine default service account.
  2. Click Create service account.
  3. Set the Service account name to Network-admin.
  4. Click Create and Continue.
  5. For Select a role, select Compute Engine > Compute Network Admin.
  6. Click Continue.
  7. Click Done.
Note: Optionally you could create and download a file that contains the private key. However, we can just stop test-vm and authorize it to use the service account.

Authorize test-vm

Authorize test-vm to use the Network-admin service account.

  1. On the Navigation menu, click Compute Engine > VM instances.
  2. Click on the name of the test-vm instance to open the VM instance details page.
  3. Click Stop and confirm to Stop the instance. Wait for the instance to stop before proceeding to the next step.
Note: An instance must be stopped to edit its service account.

  1. Once the instance stopped, click Edit.

  2. Select Network-admin for Service account.

  3. For Access Scopes, select Set access for each API, and in the Compute Engine dropdown, choose the Read/Write option

  4. Click Save and wait for the instance to update.

  5. Click Start and confirm to Start the instance.

  6. Return to the Vm instances page and wait for test-vm to change to a running state.

  7. Click SSH for the test-vm instance.

Verify permissions

  1. Run the following command to try to list the available firewall rules:
gcloud compute firewall-rules list

The output should look like this:

NAME NETWORK DIRECTION PRIORITY ALLOW DENY allow-http-web-server default INGRESS 1000 tcp:80 default-allow-icmp default INGRESS 65534 icmp default-allow-internal default INGRESS 65534 all default-allow-rdp default INGRESS 65534 tcp:3389 default-allow-ssh default INGRESS 65534 tcp:22

This should work!

  1. Run the following command to try to delete the allow-http-web-server firewall rule:
gcloud compute firewall-rules delete allow-http-web-server
  1. Enter Y, if asked to continue.

The output should look like this:

ERROR: (gcloud.compute.firewall-rules.delete) Could not fetch resource: - Required 'compute.firewalls.delete' permission for 'projects/[PROJECT_ID]/global/firewalls/allow-http-web-server' Note: This should not work! Note: As expected, the Network Admin role has permissions to list but not modify/delete firewall rules.

Update service account and verify permissions

Update the Network-admin service account by providing it with the Security Admin role.

  1. In the Cloud Console, on the Navigation menu (Navigation menu icon), click IAM & admin > IAM.
  2. Find the Network-admin account. Focus on the Name column to identify this account.
  3. Click on the pencil icon for the Network-admin account.
  4. Change Role to Compute Engine > Compute Security Admin.
  5. Click Save.
  6. Return to the SSH terminal of the test-vm instance.
  7. Run the following command to try to list the available firewall rules:
gcloud compute firewall-rules list

The output should look like this:

NAME NETWORK DIRECTION PRIORITY ALLOW DENY allow-http-web-server default INGRESS 1000 tcp:80 default-allow-icmp default INGRESS 65534 icmp default-allow-internal default INGRESS 65534 all default-allow-rdp default INGRESS 65534 tcp:3389 default-allow-ssh default INGRESS 65534 tcp:22

This should work!

  1. Run the following command to try to delete the allow-http-web-server firewall rule:
gcloud compute firewall-rules delete allow-http-web-server
  1. Enter Y, if asked to continue.

The output should look like this:

Deleted [https://www.googleapis.com/compute/v1/projects/qwiklabs-gcp-00e186e4b1cec086/global/firewalls/allow-http-web-server].

This should work!

Note: As expected, the Security Admin role has permissions to list and delete firewall rules.

Verify the deletion of the firewall rule

Verify that you can no longer HTTP access the external IP of the blue server because you deleted the allow-http-web-server firewall rule.

  1. Return to the SSH terminal of the test-vm instance.
  2. To test HTTP connectivity to blue's external IP, run the following command, replacing blue's external IP:
curl <Enter blue's external IP here> Note: This should not work!
  1. Press CTRL+C to stop the HTTP request.
Note: Provide the Security Admin role to the right user or service account to avoid any unwanted changes to your firewall rules!

Click Check my progress to verify the objective. Explore the Network and Security Admin roles

Task 4. Review

In this lab, you created two nginx web servers and controlled external HTTP access using a tagged firewall rule. Then you created a service account with first the Network Admin role and then the Security Admin role to explore the different permissions of these roles.

If your company has a security team that manages firewalls and SSL certificates and a networking team that manages the rest of the networking resources, grant the security team the Security Admin role and the networking team the Network Admin role.

End your lab

When you have completed your lab, click End Lab. Google Skills removes the resources you’ve used and cleans the account for you.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

  • 1 star = Very dissatisfied
  • 2 stars = Dissatisfied
  • 3 stars = Neutral
  • 4 stars = Satisfied
  • 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Copyright 2026 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.

Zanim zaczniesz

  1. Moduły tworzą projekt Google Cloud i zasoby na określony czas.
  2. Moduły mają ograniczenie czasowe i nie mają funkcji wstrzymywania. Jeśli zakończysz moduł, musisz go zacząć od początku.
  3. Aby rozpocząć, w lewym górnym rogu ekranu kliknij Rozpocznij moduł.

Użyj przeglądania prywatnego

  1. Skopiuj podaną nazwę użytkownika i hasło do modułu.
  2. Kliknij Otwórz konsolę w trybie prywatnym.

Zaloguj się w konsoli

  1. Zaloguj się z użyciem danych logowania do modułu. Użycie innych danych logowania może spowodować błędy lub naliczanie opłat.
  2. Zaakceptuj warunki i pomiń stronę zasobów przywracania.
  3. Nie klikaj Zakończ moduł, chyba że właśnie został przez Ciebie zakończony lub chcesz go uruchomić ponownie, ponieważ spowoduje to usunięcie wyników i projektu.

Ta treść jest obecnie niedostępna

Kiedy dostępność się zmieni, wyślemy Ci e-maila z powiadomieniem

Świetnie

Kiedy dostępność się zmieni, skontaktujemy się z Tobą e-mailem

Jeden moduł, a potem drugi

Potwierdź, aby zakończyć wszystkie istniejące moduły i rozpocząć ten

Aby uruchomić moduł, użyj przeglądania prywatnego

Najlepszym sposobem na uruchomienie tego laboratorium jest użycie okna incognito lub przeglądania prywatnego. Dzięki temu unikniesz konfliktu między swoim kontem osobistym a kontem do nauki, co mogłoby spowodować naliczanie dodatkowych opłat na koncie osobistym.