Skip to content

GCP Firewall rule allows all traffic on RDP port 3389


Firewall rules setup fine grained allow/deny traffic policies to and from a virtual machine (VM). Enabled rules are always enforced, and help protecting instances from unwanted traffic. Firewall rules are defined at the network level, and only apply to the network where they are created.

Every VPC functions as a distributed firewall. While firewall rules are defined at the network level, connections are allowed or denied on a per-instance basis. A default network is pre-populated with firewall rules that allow incoming traffic to instances. The default-allow-rdp rule permits ingress connections on TCP port 3389 from any source to any instance in the network.

We recommend you restrict or remove the default-allow-rdp rule when you no longer need it.

Fix - Runtime


  1. List your firewall rules. You can view a list of all rules or just those in a particular network.
  2. Click the rule "default-allow-rdp" to delete.
  3. Click Delete.
  4. Click Delete again to confirm.

CLI Command

gcloud compute firewall-rules delete default-allow-rdp

Fix - Buildtime


  • Resource: google_compute_firewall
  • Argument: deny. The deny block supports:
    protocol (Required) The IP protocol to which this rule applies. The protocol type is required when creating a firewall rule. This value can either be one of the following well known protocol strings (tcp, udp, icmp, esp, ah, sctp, ipip), or the IP protocol number.
    ports (Optional) An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not specified, this rule applies to connections through any port. Example inputs include: ["22"], ["80","443"], and ["12345-12349"].
resource "google_compute_firewall" "default" {
  name    = "test-firewall"
  network =

  allow {
    protocol = "icmp"

  deny {
    protocol = "tcp"
    ports    = ["3389"]