Identity & Security

Google Cloud firewalls add new policies and insights

Firewalls are an integral part of almost any IT security plan. With our native, fully distributed firewall technology, Google Cloud aims to provide the highest performance and scalability for all your enterprise workloads. 

We also know that the more control and flexibility you have, the more secure you can be. With that in mind, today we’re adding some new firewall features that provide even more flexibility, control, visibility, and optimization. 

Hierarchical firewall policies

Now in beta, Google Cloud’s hierarchical firewall policies provide new, flexible levels of control so that you can benefit from centralized control at the organization and folder level, while safely delegating more granular control within a project to the project owner. 

Virtual Private Cloud (VPC) firewall rules are created at the network level within a single Google Cloud project. With hierarchical firewall policies, you can create both ingress and egress rules at the organization and folder levels, which lets security admins define and deploy consistent firewall rules across many projects at once. Support for target service accounts in hierarchical firewall policies also lets security admins apply specific rules to a selected group of instances (those running under a given service account) anywhere in the organization, without having to define those rules in each individual project.

Org- and folder-level rules apply automatically to existing and new VMs in every project under that node, and they are evaluated before the project's VPC firewall rules. An allow or deny decision taken in a hierarchical policy therefore can't be overridden by a VPC firewall rule; only traffic that no hierarchical rule decides (no match, or an explicit goto_next rule that delegates the decision) reaches the project owner's rules. That provides assurance that traffic going in and out of all VMs in an organization is guarded by the most critical rules, such as blocking traffic from specific IP ranges, restricting administrative connections to specific IP ranges, and ensuring that traffic from security probers can reach all VMs.
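To make the evaluation order concrete, here is an added Python model (example code written for this page, not Google Cloud's implementation) of how an org policy, a folder policy and a project's VPC rules are consulted in turn. The semantics it encodes are the documented ones: policies are evaluated from the org down, lowest priority number first, the first allow or deny match decides, a goto_next match or no match at all falls through to the next level, and the implied VPC rules (deny all ingress, allow all egress) apply last. All rule names, CIDRs and service accounts are constructed for the example.

```python
"""Added model of hierarchical firewall policy evaluation (not Google Cloud code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                     # lower number = evaluated first within one policy
    direction: str                    # "INGRESS" or "EGRESS"
    action: str                       # "allow", "deny" or "goto_next"
    remote_ranges: Tuple[str, ...]    # source CIDRs for ingress, destination CIDRs for egress
    tcp_ports: Tuple[int, ...] = ()   # () = any port
    target_sas: Tuple[str, ...] = ()  # target service accounts; () = every VM in scope


@dataclass(frozen=True)
class Packet:
    direction: str
    remote_ip: str
    port: int
    vm_sa: str                        # service account of the VM whose firewall is evaluated


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.target_sas and pkt.vm_sa not in rule.target_sas:
        return False
    if rule.tcp_ports and pkt.port not in rule.tcp_ports:
        return False
    addr = ip_address(pkt.remote_ip)
    return any(addr in ip_network(cidr) for cidr in rule.remote_ranges)


def evaluate_policy(rules: Sequence[Rule], pkt: Packet) -> Optional[Tuple[str, str]]:
    """First matching rule wins. Returns (action, rule name) for allow/deny;
    None means fall through to the next level (a goto_next match, or no match)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return None if rule.action == "goto_next" else (rule.action, rule.name)
    return None


def evaluate(hierarchy, vpc_rules: Sequence[Rule], pkt: Packet) -> Tuple[str, str, str]:
    """hierarchy: [(level name, rules)] ordered org -> folder -> child folder.
    Policies are consulted top-down before the project's VPC rules, so a decision
    taken at org or folder level cannot be reversed by a VPC rule; only traffic
    that no hierarchical rule decides reaches the project owner's rules. After
    those, the implied VPC rules apply: deny all ingress, allow all egress."""
    for level, rules in hierarchy:
        verdict = evaluate_policy(rules, pkt)
        if verdict:
            return (level, *verdict)
    verdict = evaluate_policy(vpc_rules, pkt)
    if verdict:
        return ("vpc", *verdict)
    return ("implied", "deny" if pkt.direction == "INGRESS" else "allow", "implied")


# Constructed sample policies: names, CIDRs and service accounts are made up.
BASTION_SA = "bastion@example-project.iam.gserviceaccount.com"
WEB_SA = "web@example-project.iam.gserviceaccount.com"

ORG_RULES = [
    Rule("org-deny-blocklisted", 1000, "INGRESS", "deny", ("203.0.113.0/24",)),
    Rule("org-allow-admin-ssh", 2000, "INGRESS", "allow", ("198.51.100.0/24",), (22,), (BASTION_SA,)),
    Rule("org-allow-probers", 3000, "INGRESS", "allow", ("192.0.2.0/24",)),
]
FOLDER_RULES = [
    # Explicitly hand web traffic down to the project owner's own VPC rules.
    Rule("folder-delegate-web", 1000, "INGRESS", "goto_next", ("0.0.0.0/0",), (80, 443)),
]
VPC_RULES = [
    # An over-permissive rule a project owner might create on their own.
    Rule("vpc-allow-ssh-anywhere", 1000, "INGRESS", "allow", ("0.0.0.0/0",), (22,)),
    Rule("vpc-allow-https", 1000, "INGRESS", "allow", ("0.0.0.0/0",), (443,)),
]
HIERARCHY = [("org", ORG_RULES), ("folder", FOLDER_RULES)]


def decide(remote_ip: str, port: int, vm_sa: str = WEB_SA) -> Tuple[str, str, str]:
    return evaluate(HIERARCHY, VPC_RULES, Packet("INGRESS", remote_ip, port, vm_sa))


if __name__ == "__main__":
    for ip, port, sa in (("203.0.113.7", 22, WEB_SA), ("198.51.100.4", 22, BASTION_SA),
                         ("198.51.100.4", 22, WEB_SA), ("192.0.2.9", 8443, WEB_SA),
                         ("10.0.0.5", 443, WEB_SA), ("10.0.0.5", 8080, WEB_SA)):
        print(f"{ip}:{port} -> {sa.split('@')[0]}: {decide(ip, port, sa)}")
```

Two cases are worth tracing by hand. A connection from the blocklisted range is denied at org level even though the project has an allow-SSH-from-anywhere rule, which is the non-overridable guarantee the text describes. The org-level admin-SSH allow, on the other hand, is scoped by target service account, so for a VM that does not run as the bastion account it does not match at all and the SSH decision falls through to whatever the project owner configured; centralized rules only constrain what they actually match.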

To learn more, please read the documentation.

Firewall insights

Firewall insights, also available in beta, is a new tool for firewall visibility and optimization that helps you keep your firewall configuration safe and easy to manage. 

Firewall insights helps you safely optimize your firewall configurations with a number of detection capabilities. The first is shadowed rule detection: a rule is shadowed when every connection it could match is already matched by one or more rules with higher priority, so it is never reached during firewall rule evaluation. A shadowed allow rule is dead weight, but a shadowed deny rule is a false sense of security, because the deny it expresses never takes effect. You're also able to detect:

  • Unnecessary allow rules, open ports, and IP ranges and remove them to tighten the security boundary

  • Sudden hit increases on firewall rules and drill down to the source of the traffic to catch an emerging attack

  • Redundant firewall rules and clean them up to reduce the total firewall rule count

  • Denied traffic from suspicious sources trying to access unauthorized IP ranges and ports
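Shadowed rule detection in its simplest form, as an added example (written for this page; it is not Firewall Insights code and not how the product implements the check): a rule is shadowed by an earlier-evaluated rule whose direction, address ranges, protocol and ports, and targets all cover it. The model uses the documented VPC rule ordering (lower priority number first, and at equal priority a deny rule before an allow rule) and is deliberately conservative: it only reports shadowing by a single rule, not by the union of several narrower ones. The sample rule set, including its names, CIDRs and targets, is constructed.

```python
"""Added shadowed-rule detector for VPC firewall rules (not Firewall Insights code)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class FwRule:
    name: str
    priority: int                             # lower number = evaluated first
    direction: str                            # "INGRESS" or "EGRESS"
    action: str                               # "allow" or "deny"
    ranges: Tuple[str, ...]                   # source CIDRs (ingress) or destination CIDRs (egress)
    protocol: str = "all"                     # "tcp", "udp" or "all"
    ports: Tuple[Tuple[int, int], ...] = ()   # inclusive (low, high) port ranges; () = any port
    targets: Tuple[str, ...] = ()             # target service accounts or tags; () = all instances


def _ranges_covered(inner, outer) -> bool:
    # Conservative: each inner CIDR must fit inside one outer CIDR. Shadowing by
    # the union of several narrower rules is not detected, so this under-reports.
    return all(any(ip_network(i).subnet_of(ip_network(o)) for o in outer) for i in inner)


def _ports_covered(inner, outer) -> bool:
    if not outer:          # outer matches every port
        return True
    if not inner:          # inner matches every port but outer does not
        return False
    return all(any(o_lo <= i_lo and i_hi <= o_hi for o_lo, o_hi in outer) for i_lo, i_hi in inner)


def _targets_covered(inner, outer) -> bool:
    return not outer or (bool(inner) and set(inner) <= set(outer))


def takes_precedence(s: FwRule, r: FwRule) -> bool:
    # Lower priority number is evaluated first; at equal priority a deny rule
    # takes precedence over an allow rule.
    return s.priority < r.priority or (
        s.priority == r.priority and s.action == "deny" and r.action == "allow")


def shadows(s: FwRule, r: FwRule) -> bool:
    """True when s is evaluated before r and every connection r could match already
    matches s, so r is never reached (whether or not the two actions agree)."""
    return (s.name != r.name
            and takes_precedence(s, r)
            and s.direction == r.direction
            and _ranges_covered(r.ranges, s.ranges)
            and (s.protocol == "all"
                 or (s.protocol == r.protocol and _ports_covered(r.ports, s.ports)))
            and _targets_covered(r.targets, s.targets))


def find_shadowed(rules: Sequence[FwRule]) -> List[Tuple[str, str, str]]:
    """Return (shadowed, shadowing, kind). 'redundant': same action, the shadowed
    rule can be deleted without changing behaviour. 'conflicting': opposite action,
    the shadowed rule's intent (typically a deny) never takes effect and its
    priority needs to be fixed."""
    findings = []
    for r in rules:
        for s in rules:
            if shadows(s, r):
                findings.append((r.name, s.name, "redundant" if s.action == r.action else "conflicting"))
    return findings


# Constructed sample rule set; names, CIDRs and targets are made up.
SAMPLE_RULES = [
    FwRule("allow-ssh-admin", 500, "INGRESS", "allow", ("198.51.100.0/24",), "tcp", ((22, 22),), ("bastion-sa",)),
    FwRule("allow-internal", 1000, "INGRESS", "allow", ("10.0.0.0/8",)),
    FwRule("allow-ssh-anywhere", 1500, "INGRESS", "allow", ("0.0.0.0/0",), "tcp", ((22, 22),)),
    FwRule("deny-ssh-anywhere", 1600, "INGRESS", "deny", ("0.0.0.0/0",), "tcp", ((22, 22),)),
    FwRule("allow-web-internal", 2000, "INGRESS", "allow", ("10.10.0.0/16",), "tcp", ((80, 80), (443, 443))),
    FwRule("deny-legacy-subnet", 3000, "INGRESS", "deny", ("10.20.0.0/16",)),
    FwRule("allow-egress-dns", 1000, "EGRESS", "allow", ("0.0.0.0/0",), "udp", ((53, 53),)),
]

if __name__ == "__main__":
    for shadowed, by, kind in find_shadowed(SAMPLE_RULES):
        print(f"{kind:11} {shadowed} is never reached: shadowed by {by}")
```

On the sample set the two "conflicting" findings are the ones that matter: deny-ssh-anywhere and deny-legacy-subnet both sit below a broader allow, so whoever added them believes traffic is blocked when it is not. The "redundant" finding is a cleanup candidate only. Note that the narrow admin-SSH allow does not shadow the broad allow-from-anywhere rule; the broad rule is a separate problem (an unnecessary open port and IP range) that the other checks in the list above are meant to catch.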

With metrics reports, you can track firewall utilization to help analyze the usage of firewall rules in your VPC network. This allows security admins to verify that firewall rules are being used in the intended way, ensure that firewall rules allow or block their intended connections, and perform live debugging of connections that are inadvertently dropped due to firewall rules. All firewall metrics are automatically exported to Stackdriver, and you can easily define custom alerts and build custom dashboards to capture interesting conditions that will help you maintain a robust firewall rule set on an ongoing basis.  

You can find firewall insights in the Network Intelligence Center, and you can use its API to integrate the insights with the tools of your choice. Check out the video to learn more. 

We’re committed to keeping your Google Cloud workloads protected, and will continue to develop features to make your firewalls more flexible, manageable, and secure. To learn more check out the Google Cloud firewalls webpage.