Jump to Content
Security & Identity

Introducing Google Cloud Firewall Plus with intrusion prevention

October 2, 2023
Megan Yahya

Product Manager Cloud IDS

Tracy Jiang

Product Manager

Hear monthly from our Cloud CISO in your inbox

Get the latest on security from Cloud CISO Phil Venables.


Google Cloud Firewall is a fully distributed, cloud-first, stateful firewall service that scales automatically to protect your cloud workloads. Google Cloud Firewall offers a unique and simple approach for users to apply a reliable Zero Trust network security control in their cloud environment without any routing changes.

Earlier this year, we introduced the Cloud Firewall Standard tier that added Fully Qualified Domain Name (FQDN) objects, geo-location objects and threat-intelligence capabilities. And at Next 23, we announced the Cloud Firewall Plus tier in preview, which adds an intrusion prevention service (IPS). In combination with transport layer security (TLS) inspection for encrypted traffic visibility, Cloud Firewall Plus provides network protection against malware, spyware, and command-and-control attacks.

Our evolution to Cloud Next Generation Firewall (NGFW) with Cloud Firewall Plus

Cloud Firewall Plus integrates Palo Alto Networks threat prevention technology with Google Cloud’s distributed Firewall fabric to give our users advanced protection with NGFW capabilities. This unique approach allows our users to apply best-in-class security protections with simplicity and scale to their dynamic cloud environment. Cloud Firewall Plus embeds Palo Alto Networks powered threat prevention technologies and inspects north-south, east-west, TLS and non-TLS traffic providing transparent inline protection for your Google Cloud workloads.

Cloud Firewall Plus offers IPS capabilities as a fully integrated Layer 7 module supported by hierarchical firewall policies and tag-based firewall rules. This approach makes it possible for Google Cloud users to deploy threat prevention services without network or topology changes and can help reduce overall infrastructure management and operational costs.

Cloud Firewall’s unique hierarchical firewall policy allows you to enforce granular firewall rules at the organization and folder levels in the Google Cloud resource hierarchy. The hierarchical policies can help you build layered controls that can be easily delegated and independently audited for drift.

IAM-governed tags are tags controlled by IAM permissions. These tags allow users to define their network firewall policies in terms of logical groupings and delegate the management of those groups within their organization with fine-grained authorization controls. When security events occur, the use of IAM-governed tags could hasten the response to the incident. For example, you could apply a tag to an infected system to trigger a remediation response such as isolating the infected system from the rest of the network to prevent lateral movement.

Simplicity, scale, and performance with Cloud Firewall Plus

Cloud Firewall’s intrusion prevention service works by redirecting traffic for inspection by Google Cloud-managed zonal firewall endpoints through packet interception technology. Through this mechanism, threat prevention capabilities can be inserted between any two connected network interfaces in Google Cloud, between two peered virtual private clouds (VPCs) networks, within the same VPC or within the same subnet, without any routing or network topology changes.

You can enable the intrusion prevention service in Cloud Firewall Plus with the following steps:

  1. Create Firewall Endpoints in zones where you need the service and associate the VPC networks with these endpoints. These endpoints can be shared between different VPCs in your organization.
  2. Build security profiles and define threat response actions.
  3. Configure Cloud Firewall Policy rules with a defined action for L7 inspection using the security profile you created.

Cloud Firewall Plus is a cloud-first service with Google overseeing the infrastructure, load balancing, autoscaling, software version updates, and threat signature updates for the firewall endpoints. The fully distributed firewall data plane automatically scales with the dynamic workload to avoid creating choke points, and the zonal firewall endpoints provide firewall inspection close to the workload minimizing latency.


Cloud Firewall Plus architecture overview

Cloud Firewall Plus will be billed based on the amount of data processed for threat prevention, in gigabytes, and the number of hours an endpoint has been running. In addition to Cloud Firewall Plus, our Cloud Firewall offers two additional tiers: Essentials, the foundational set of capabilities, and Standard which expands rules capabilities. If Cloud Firewall Plus and Cloud Firewall Standard are activated for the same traffic, that traffic will be billed only once for Plus and not Standard.

Watch this video to learn more about the different tiers of Cloud Firewall that you can choose based on your needs. Cloud Firewall Essentials and Standard tiers are now generally available, and Cloud Firewall Plus is available in preview.


Next steps

Cloud Firewall can help you achieve a Zero Trust network security posture through a fully-distributed, cloud-first, stateful firewall service with advanced protection capabilities. You can migrate your VPC firewall rules to Firewall Policies today to take advantage of the advanced threat protection features to protect your workload in the cloud. For more detailed information and hands-on guidance, please check out our demo video and see our Cloud Firewall documentation.

Posted in