Google Cloud Platform

This guide focuses on configuring GCP VPC Firewall Rules for Actvt remote monitoring on Google Compute Engine instances.

Prerequisites

Google Cloud Platform account with billing enabled
Compute Engine instance running Ubuntu 20.04+ or similar Linux distribution
Basic familiarity with Google Cloud Console or gcloud CLI

For required ports, see Prerequisites.

GCP VPC Firewall Configuration

Method 1: Using Google Cloud Console

Navigate to VPC Firewall
- Go to Google Cloud Console
- Navigate to VPC network → Firewall
- Click "Create Firewall Rule"

Create SSH Firewall Rule

Name: actvt-ssh
Direction: Ingress
Action: Allow
Targets: Specified target tags
Target tags: actvt-monitoring
Source IP ranges: Your IP address/32 (recommended) or 0.0.0.0/0
Protocols and ports: TCP, port 22

Create HTTP Firewall Rule

Name: actvt-http
Direction: Ingress  
Action: Allow
Targets: Specified target tags
Target tags: actvt-monitoring
Source IP ranges: 0.0.0.0/0
Protocols and ports: TCP, port 80

Create WebSocket Firewall Rule

Name: actvt-websocket
Direction: Ingress
Action: Allow
Targets: Specified target tags
Target tags: actvt-monitoring
Source IP ranges: 0.0.0.0/0 (or restrict to your IP range)
Protocols and ports: TCP, port 4096

Apply Tags to Your Instance
- Navigate to Compute Engine → VM instances
- Click on your instance
- Click "Edit"
- In the "Network tags" field, add: actvt-monitoring
- Click "Save"

Method 2: Using gcloud CLI

First, install the gcloud CLI:

# Install gcloud CLI
curl https://sdk.cloud.google.com | bash
exec -l $SHELL

# Initialize and authenticate
gcloud init
gcloud auth login

Create firewall rules:

# Set your project ID
PROJECT_ID="your-project-id"
gcloud config set project $PROJECT_ID

# Create SSH firewall rule (replace YOUR_IP)
gcloud compute firewall-rules create actvt-ssh \
  --description="SSH access for Actvt monitoring servers" \
  --direction=INGRESS \
  --priority=1000 \
  --network=default \
  --action=ALLOW \
  --rules=tcp:22 \
  --source-ranges=YOUR_IP/32 \
  --target-tags=actvt-monitoring

# Create HTTP firewall rule for Let's Encrypt
gcloud compute firewall-rules create actvt-http \
  --description="HTTP access for Let's Encrypt verification" \
  --direction=INGRESS \
  --priority=1000 \
  --network=default \
  --action=ALLOW \
  --rules=tcp:80 \
  --source-ranges=0.0.0.0/0 \
  --target-tags=actvt-monitoring

# Create WebSocket firewall rule
gcloud compute firewall-rules create actvt-websocket \
  --description="WebSocket server for Actvt connections" \
  --direction=INGRESS \
  --priority=1000 \
  --network=default \
  --action=ALLOW \
  --rules=tcp:4096 \
  --source-ranges=0.0.0.0/0 \
  --target-tags=actvt-monitoring

# Apply tags to your instance
gcloud compute instances add-tags YOUR_INSTANCE_NAME \
  --tags=actvt-monitoring \
  --zone=YOUR_ZONE

Verify Configuration

Check that your firewall rules are properly configured:

# List firewall rules
gcloud compute firewall-rules list --filter="name~actvt"

# Describe specific rule
gcloud compute firewall-rules describe actvt-websocket

# Check instance tags
gcloud compute instances describe YOUR_INSTANCE_NAME \
  --zone=YOUR_ZONE \
  --format="value(tags.items[])"

# Test connectivity (from your local machine)
telnet YOUR_INSTANCE_IP 4096
nc -zv YOUR_INSTANCE_IP 4096

Additional Security Considerations

Restrict WebSocket Access

For production environments, consider restricting port 4096:

# Update WebSocket rule to restrict access
gcloud compute firewall-rules update actvt-websocket \
  --source-ranges=YOUR_OFFICE_IP/32

Multiple IP Ranges

To allow access from multiple IP ranges:

# Create WebSocket rule with multiple source ranges
gcloud compute firewall-rules create actvt-websocket \
  --description="WebSocket server for Actvt connections" \
  --direction=INGRESS \
  --priority=1000 \
  --network=default \
  --action=ALLOW \
  --rules=tcp:4096 \
  --source-ranges=203.0.113.0/24,198.51.100.0/24 \
  --target-tags=actvt-monitoring

Service Account Integration

For better security, use service accounts:

# Create service account
gcloud iam service-accounts create actvt-monitoring \
  --description="Service account for Actvt monitoring" \
  --display-name="Actvt Monitoring"

# Attach service account to instance
gcloud compute instances set-service-account YOUR_INSTANCE_NAME \
  --service-account=actvt-monitoring@PROJECT_ID.iam.gserviceaccount.com \
  --scopes=cloud-platform \
  --zone=YOUR_ZONE

Advanced Configuration

Custom VPC Network

If using a custom VPC network:

# Create custom VPC
gcloud compute networks create actvt-vpc --subnet-mode=custom

# Create subnet
gcloud compute networks subnets create actvt-subnet \
  --network=actvt-vpc \
  --range=10.0.0.0/24 \
  --region=us-central1

# Create firewall rules for custom VPC
gcloud compute firewall-rules create actvt-custom-ssh \
  --network=actvt-vpc \
  --action=ALLOW \
  --rules=tcp:22 \
  --source-ranges=YOUR_IP/32 \
  --target-tags=actvt-monitoring

Load Balancer Integration

For high availability with load balancers:

# Create health check
gcloud compute health-checks create tcp actvt-health-check \
  --port=4096 \
  --check-interval=10s \
  --timeout=5s \
  --healthy-threshold=2 \
  --unhealthy-threshold=3

# Create load balancer with health check
gcloud compute backend-services create actvt-backend \
  --protocol=TCP \
  --health-checks=actvt-health-check \
  --global

For troubleshooting connectivity, see the Troubleshooting Guide.

Prerequisites​

GCP VPC Firewall Configuration​

Method 1: Using Google Cloud Console​

Method 2: Using gcloud CLI​

Verify Configuration​

Additional Security Considerations​

Restrict WebSocket Access​

Multiple IP Ranges​

Service Account Integration​

Advanced Configuration​

Custom VPC Network​

Load Balancer Integration​