Open Ports on Google Cloud Load Balancer
Tags: ports, google, open, cloud, loadbalancer
Problem
It seems that by default, Google Cloud load balancers expose a number of ports unnecessarily. I haven't found a way to expose only 80/443 and every time I make one of their load balancers, the following ports are seen in an nmap:
PORT     STATE SERVICE
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
1720/tcp open  H.323/Q.931
8080/tcp open  http-proxy

Is there a way to block 25, 465, 587, 993 & 995? Note that this question is about GCP load balancers, not firewalls.
Solution
info from: https://cloud.google.com/load-balancing/docs/https#open_ports
Open ports
The external HTTP(S) load balancers are reverse proxy load balancers. The load balancer terminates incoming connections, and then opens new connections from the load balancer to the backends. The reverse proxy functionality is provided by the Google Front Ends (GFEs).
The firewall rules that you set block traffic from the GFEs to the backends, but do not block incoming traffic to the GFEs.
The external HTTP(S) load balancers have a number of open ports to support other Google services that run on the same architecture. If you run a security or port scan against the external IP address of a Google Cloud external HTTP(S) load balancer, additional ports appear to be open.
This does not affect external HTTP(S) load balancers. External forwarding rules, which are used in the definition of an external HTTP(S) load balancer, can only reference TCP ports 80, 8080, and 443. Traffic with a different TCP destination port is not forwarded to the load balancer's backend.
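A practical way to triage such a scan finding against the fact above is to reconcile the nmap table with the load balancer's own forwarding rules. The script below is an added example, not code from the answer or from Google: it parses the nmap output quoted in the question and a constructed sample shaped like `gcloud compute forwarding-rules list --format=json` (rule names are placeholders), and reports which open ports a forwarding rule actually carries to a backend and which only terminate on the shared GFE front end. Note that 8080 lands in the GFE-only bucket here because the sample defines no forwarding rule for it.

```python
import json
import re
# Constructed sample: the nmap table quoted in the question above.
NMAP_OUTPUT = """\
PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
1720/tcp open H.323/Q.931
8080/tcp open http-proxy
"""

# Constructed sample shaped like `gcloud compute forwarding-rules list --format=json`,
# trimmed to the fields read below; the rule names are placeholders.
FORWARDING_RULES_JSON = """[
  {"name": "example-http-rule", "IPProtocol": "TCP", "portRange": "80-80"},
  {"name": "example-https-rule", "IPProtocol": "TCP", "portRange": "443-443"}
]"""

def parse_nmap_open_ports(text):
    # Map each 'open' TCP port in nmap normal output to its service name.
    ports = {}
    for line in text.splitlines():
        m = re.match(r"^(\d+)/tcp\s+open\s+(\S+)", line)
        if m:
            ports[int(m.group(1))] = m.group(2)
    return ports

def forwarded_ports(rules_json):
    # Expand each TCP rule's portRange ('80-80' or '443') into individual ports.
    ports = set()
    for rule in json.loads(rules_json):
        if rule.get("IPProtocol", "TCP").upper() != "TCP":
            continue
        lo, _, hi = rule.get("portRange", "").partition("-")
        if lo:
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def triage(nmap_text, rules_json):
    # Ports a forwarding rule carries to a backend vs. ports only the shared GFE answers.
    open_ports = parse_nmap_open_ports(nmap_text)
    fwd = forwarded_ports(rules_json)
    return {"reaches_backend": sorted(p for p in open_ports if p in fwd),
            "gfe_only": sorted(p for p in open_ports if p not in fwd)}
```

Feed it the real `gcloud` JSON for your project and only the `reaches_backend` list needs a backend-side review; the rest is GFE shared infrastructure and never reaches your instances.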
Context
StackExchange DevOps Q#833, answer score: 5