In this codelab, you'll build the network for a 3-tier web app with a public frontend and a private backend on a custom VPC network that you create from scratch. You'll create a subnet and firewall rules that allow pings to the public instance from everywhere, and pings to the private instance only from the public instance, as shown below.

Sign in as the owner of a free-trial GCP account or as a user with project owner access to a billing-enabled project.

To create a custom network, select a project with billing enabled.

Go to Networking > VPC Networks

Click Create VPC Network. Give the network a name, choose Custom for the subnet creation mode, and add one subnet with a name, a region, and an IP range (for example 10.240.0.0/24):

Click the network's link to review it and see what you've got.

By default, ingress is blocked and egress is allowed: every VPC network carries two implied rules at the lowest priority, one that denies all incoming traffic and one that allows all outgoing traffic. A custom network gets none of the pre-populated allow rules that the default network has, so until you add rules nothing can reach your VMs. Add your VMs and test it.

First, the public VM. Attach it to your custom network and subnet and give it a network tag such as public; the firewall rules you add later select instances by tag:

Now the private VM, on the same subnet, with a tag such as private.

Test external ping to one of the instances from your laptop. It's blocked.

Try to SSH to one of the instances from Cloud Console. It's also blocked because all ingress traffic is blocked to start.

Add a firewall rule to allow SSH to all VMs so we can log on and test traffic between them. For the lab the source range is 0.0.0.0/0; outside a lab, narrow it to your own address or to the IAP TCP forwarding range 35.235.240.0/20 so port 22 is not open to the whole internet.

Go to the Networking page and click your network link.

Click Add firewall rule. Set the direction to ingress, the targets to all instances in the network, the source IP range to 0.0.0.0/0 (or the narrower range you chose), and the protocols and ports to tcp:22:

SSH to the private VM (now it works).

From the private VM's shell, try to ping the public VM by its internal address. It's still blocked: the rule you just added only opened tcp:22, so ICMP ingress to the public VM is still caught by the implied deny rule.

Now, add firewall rules to allow ingress to public VMs and lock down private VMs to only allow ingress from public VMs.

Return to the custom network page and add the firewall rule for public VMs: direction ingress, target tag public, source IP range 0.0.0.0/0, protocol icmp:

Return to your laptop's command shell and ping the public VM. It now works.

Return to the private VM command shell and ping the public VM using its internal address. It also works.

Return to the custom network page and add the rule for private VMs: direction ingress, target tag private, protocol icmp, and for the source use the source tag public instead of an IP range. A source tag matches the internal addresses of the tagged instances in this network, so no external address can ever satisfy this rule.

SSH to the public instance and ping the private. It works.

Ping the private instance from your laptop. It's blocked, because the only ICMP rule targeting private VMs accepts traffic from instances tagged public. This is what we want.

Go to the VM Instances page and delete your instances.
Go to the Networking page, click your network link, and click Delete VPC Network.
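The whole procedure above, from the custom network through the three firewall rules to the cleanup, as a gcloud script. This is an added example, not part of the codelab; the resource names, region, zone and subnet range are assumptions you can override through environment variables. By default it only prints the gcloud commands it would run (DRY_RUN=1), so you can review them first; set DRY_RUN=0 to apply them to the currently selected project.

```shell
#!/bin/sh
# Added example, not part of the codelab: the same network, VMs and firewall
# rules built with the gcloud CLI instead of the Console. Resource names,
# region/zone and the subnet range are assumptions; override via env vars.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them.

NETWORK="${NETWORK:-codelab-net}"
SUBNET="${SUBNET:-codelab-subnet}"
REGION="${REGION:-us-central1}"
ZONE="${ZONE:-us-central1-a}"
RANGE="${RANGE:-10.240.0.0/24}"
# Source range allowed to SSH. 0.0.0.0/0 matches the codelab; beyond a lab,
# use your own IP or the IAP TCP forwarding range 35.235.240.0/20 instead.
SSH_SOURCE="${SSH_SOURCE:-0.0.0.0/0}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Custom-mode network: no auto subnets and, unlike the default network, no
# pre-populated allow rules. Only the implied deny-ingress/allow-egress apply.
create_network() {
  run gcloud compute networks create "$NETWORK" --subnet-mode=custom
  run gcloud compute networks subnets create "$SUBNET" \
    --network="$NETWORK" --region="$REGION" --range="$RANGE"
}

# The network tags are what the firewall rules key on.
create_instances() {
  run gcloud compute instances create public-vm \
    --zone="$ZONE" --subnet="$SUBNET" --tags=public
  run gcloud compute instances create private-vm \
    --zone="$ZONE" --subnet="$SUBNET" --tags=private
}

create_firewall_rules() {
  # 1. SSH to every VM in the network (no target tag = all instances).
  run gcloud compute firewall-rules create "$NETWORK-allow-ssh" \
    --network="$NETWORK" --direction=INGRESS --allow=tcp:22 \
    --source-ranges="$SSH_SOURCE"
  # 2. ICMP from anywhere, but only to instances tagged "public".
  run gcloud compute firewall-rules create "$NETWORK-allow-public-icmp" \
    --network="$NETWORK" --direction=INGRESS --allow=icmp \
    --source-ranges=0.0.0.0/0 --target-tags=public
  # 3. ICMP to "private" instances only from instances tagged "public".
  #    A source tag matches the internal IPs of tagged VMs in this network,
  #    so no external address can ever satisfy this rule.
  run gcloud compute firewall-rules create "$NETWORK-allow-private-icmp" \
    --network="$NETWORK" --direction=INGRESS --allow=icmp \
    --source-tags=public --target-tags=private
}

# Review what is actually in effect before testing from the VMs.
list_rules() {
  run gcloud compute firewall-rules list --filter="network:$NETWORK" \
    --format="table(name,direction,priority,sourceRanges.list(),sourceTags.list(),targetTags.list())"
}

# Tear down in dependency order: instances, rules, subnet, network.
teardown() {
  run gcloud compute instances delete public-vm private-vm --zone="$ZONE" --quiet
  for rule in allow-ssh allow-public-icmp allow-private-icmp; do
    run gcloud compute firewall-rules delete "$NETWORK-$rule" --quiet
  done
  run gcloud compute networks subnets delete "$SUBNET" --region="$REGION" --quiet
  run gcloud compute networks delete "$NETWORK" --quiet
}

case "${1:-up}" in
  up)   create_network; create_instances; create_firewall_rules; list_rules ;;
  down) teardown ;;
  *)    echo "usage: $0 [up|down]" >&2; exit 2 ;;
esac
```

Run it once in dry-run mode and read the third firewall rule: it carries a source tag and no source range, which is the whole point of the lock-down. After applying, repeat the ping checks from the codelab (laptop to public works, public to private works, laptop to private times out) and run `down` to remove everything.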

Congratulations! Now you know how to set up a network from scratch and limit access with firewall rules keyed on instance tags and IP ranges.