Why you should migrate to network firewall policies from VPC Firewall rules
Albert Colas Prunera
Networking Specialist, Google Cloud
In the fall of 2022, we announced new policy constructs for Google Cloud Firewall, a scalable, cloud-first firewall service that helps secure traffic flow to and from workloads in Google Cloud, and whose distributed architecture enables simplified, granular control including micro-segmentation. Whereas legacy VPC firewall rules included network tags that were not governed by our IAM infrastructure, Cloud Firewall’s new network firewall policies with IAM-governed tags conform to our hierarchical control model and can help improve security operations.
We recommend that customers migrate from VPC firewall rules to the newly introduced network firewall policies. To assist with the migration, we developed a migration tool that creates a global network firewall policy and converts existing VPC firewall rules into the new policy.
With Google Cloud’s network firewall policies, we offer rules defined on a per-VPC network basis, either for all regions of the network (global network firewall policies) or a single region (regional network firewall policies). Granular controls enforced at the virtual machine (VM) level using IAM-governed Tags deliver intra-subnet micro-segmentation with pervasive policy coverage that automatically applies to workloads wherever they are deployed, independent of network architecture.
Network firewall policies allow for:
Batch editing of multiple rules within a single policy, which saves time, simplifies rule management, and eliminates race conditions created by single rule update patterns
A single resource to contain all the firewall rule sets applied to a VPC network, making it easy to modify and update the firewall configurations with unified APIs on the single resource
Granular IAM controls based on your needs and requirements, such as separate IAM permissions for firewall policy creation, update, and association
Sharing and attaching of firewall configurations across VPC networks in the same project, which simplifies configuration and management
With these increased capabilities, the combination of the new policy structures and the IAM-governed tags can help simplify operations, while achieving more reliable granular control and the implementation of least-privilege policies.
Going forward, all new enhancements and features for Cloud Firewall will only be supported through firewall policies. Network firewall policies and Tags integration are part of the Cloud Firewall Essentials tier, which is offered to customers at no additional charge. We encourage customers to migrate to network firewall policies to take advantage of future Cloud Firewall product enhancements, such as the Threat Intelligence, FQDN, and geo-location filtering features introduced in the Cloud Firewall Standard tier. For more details, please see our Cloud Firewall Standard announcement blog.
Network firewall policy migration tool overview
The new migration tool helps you convert existing VPC firewall rules into the new policy. This tool does not delete or affect existing VPC firewall rules. Once the new global network firewall policy is created, you can attach the network firewall policy to a VPC. You also have the option to swap the evaluation order of network firewall policies and VPC firewall rules.
Existing VPC firewall rules can be removed after you confirm the newly created network firewall policy works as intended. The best way to verify this is to enable firewall logging on both the existing VPC firewall rules and the new network firewall policy. After the evaluation order has been swapped so that the new global policy is evaluated first, you can review the firewall logs to confirm that the new network firewall policy rules are evaluated and hit as intended, and that the equivalent VPC firewall rules are shadowed and no longer receiving hits. Support for hit counts and shadowed-rule analysis will also be available in the upcoming release of Firewall Insights. More details can be found in the migration tool guide.
You can access the migration tool as a gcloud command. There are two mandatory arguments in this command: (1) the source VPC Network (SOURCE_VPC_NETWORK) and (2) the target network firewall policy (TARGET_NETWORK_FIREWALL_POLICY).
Please note, a network firewall policy with the same name cannot exist before running this command, since the migration tool will create it.
Additionally, logging settings are carried over unchanged by the migration: if a VPC firewall rule has logging turned on, the migration tool leaves it on in the migrated rule, and if logging is turned off, the tool keeps it off.
For a more detailed guide, including information on how to change the rule evaluation order, and how to migrate from VPC firewall rules that contain network tags and/or service accounts, please refer to the migration guide.
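The sequence described above (migrate, log both sides, attach, swap the evaluation order, remove the shadowed VPC rules only after verification), written here as an added shell wrapper; it is not Google's migration tool. It assumes the gcloud subcommands and flags shown (compute firewall-rules migrate, network-firewall-policies associations create, networks update --network-firewall-policy-enforcement-order), which should be checked against the current gcloud reference, and the network, policy and rule names are placeholders.

```shell
#!/bin/sh
# Migration sequence: create the policy, enable logging on both sides, attach,
# swap evaluation order, then (only after verifying in the logs) remove VPC rules.
# DRY_RUN=1 prints each gcloud command instead of executing it.
set -eu

run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Step 1: SOURCE_VPC_NETWORK -> new global TARGET_NETWORK_FIREWALL_POLICY.
# The tool creates the policy, so one that already exists under this name is an error.
migrate_to_policy() {
  network="$1"; policy="$2"
  if [ "${DRY_RUN:-0}" != "1" ] && \
     gcloud compute network-firewall-policies describe "$policy" --global >/dev/null 2>&1; then
    echo "policy '$policy' already exists; choose an unused name" >&2; return 1
  fi
  run gcloud compute firewall-rules migrate \
    --source-network="$network" --target-firewall-policy="$policy"
}

# Step 2: log on both sides so the logs show which side each connection matched.
log_vpc_rules() {       # args: VPC firewall rule names
  for rule in "$@"; do run gcloud compute firewall-rules update "$rule" --enable-logging; done
}
log_policy_rules() {    # args: policy name, then policy rule priorities
  policy="$1"; shift
  for prio in "$@"; do
    run gcloud compute network-firewall-policies rules update "$prio" \
      --firewall-policy="$policy" --global-firewall-policy --enable-logging
  done
}

# Step 3: attach the new policy to the VPC network.
attach_policy() {       # args: network, policy
  run gcloud compute network-firewall-policies associations create \
    --firewall-policy="$2" --network="$1" --name="$1-assoc" --global-firewall-policy
}

# Step 4: evaluate the policy before the legacy VPC rules. Once the logs show the
# policy rules taking the hits and the VPC rules shadowed, step 5 is safe.
swap_evaluation_order() {
  run gcloud compute networks update "$1" \
    --network-firewall-policy-enforcement-order=BEFORE_CLASSIC_FIREWALL
}

# Step 5: remove the shadowed VPC rules. Do not run before confirming step 4.
delete_vpc_rules() {
  for rule in "$@"; do run gcloud compute firewall-rules delete "$rule" --quiet; done
}
```

Source the file and call the steps in order, for example `migrate_to_policy prod-vpc prod-fw-policy`, running once with DRY_RUN=1 first to review the exact commands before they touch the project.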
We encourage you to migrate your firewall configuration from VPC firewall rules to the newly introduced network firewall policies to enhance your security posture with a fully distributed, cloud-first stateful inspection firewall service. In addition, migrating to network firewall policies ensures you will have access to the latest firewall features, such as Cloud Firewall Standard. The migration tool is here to help you with this transition. Check out the guide to learn more.