GCE Instance/Firewall/Router fix #170
Comments
It seems like it should be ok to make the CIDR 0.0.0.0/0 for outgoing traffic, but perhaps not for incoming? Maybe the solution is to make the CIDR parameter mandatory? Not sure whether there'll be cascading impacts from this though.
I think in other providers it's not mandatory, and the current behavior is to default to all (I think as in I have not checked again right now). Idk if we can make CIDR mandatory if we're also allowing to specify traffic coming through a specific route (I think it's set by network?), but not sure if that's universal for all of them. I can look more into it and see what good options would be. I guess what would be the ideal scenario, if you know? Then I can look at how we can implement it and keep it consistent across providers.
@almahmoud Is this also fixed?
I have my own implementation that uses private IPs for AWS and GCP (I have not yet tried to do so with Azure but I will soon) but a problem I am hitting is that by default internal IPs can't connect to the internet at all so instead one has to set up NATs and add them to the subnets. The docs for GCP and AWS are here: https://cloud.google.com/nat/docs/gce-example#gcloud_5 Any thoughts on how hard this would be to implement? I'm looking at the GCP provider now and trying to also see if I can figure out the exact commands in the GCP API. Is there an easy way to translate the gcloud command here into an API command? I suspect there.