Firewall endpoint overview

A firewall endpoint is a Cloud Next Generation Firewall (Cloud NGFW) resource that enables Layer 7 advanced protection capabilities, such as intrusion prevention, in your network.

This page provides a detailed overview of firewall endpoints and their capabilities.

Specifications

  • A firewall endpoint is an organizational resource created at the zonal level.

  • Firewall endpoints perform Layer 7 firewall inspection on the intercepted traffic.

  • Cloud Next Generation Firewall uses Google Cloud's packet intercept technology to transparently redirect traffic from the Google Cloud workloads in a Virtual Private Cloud (VPC) network to the firewall endpoints.

    Packet intercept is a Google Cloud capability that transparently inserts proxy mode network appliances in the path of selected network traffic without modifying their existing routing policies.

  • Cloud NGFW redirects the workload traffic in a VPC network to the firewall endpoint only if the Layer 7 inspection is configured in the firewall policy rules.

  • Cloud NGFW adds a VPC network identifier to each packet redirected to the firewall endpoint for Layer 7 inspection. If you have multiple VPC networks with overlapping IP address ranges, this network identifier helps to ensure that each redirected packet is correctly associated with its VPC network.

  • You can create a firewall endpoint in a zone and attach it to one or more VPC networks to monitor workloads in the same zone. If your VPC network spans multiple zones, you can attach one firewall endpoint to the VPC network in each zone.

    You use firewall endpoint association to attach a firewall endpoint to a VPC network.

  • The endpoint and the workloads for which you want to enable Layer 7 inspection must be in the same zone. Creating the firewall endpoint in the same zone as workloads has the following benefits:

    • Lower latency. Because the firewall endpoint intercepts, inspects, and reinjects traffic within the same zone, latency is lower than it would be with a firewall endpoint in a different zone.

    • No cross-zonal traffic. Keeping traffic within the same zone ensures lower costs.

    • More reliable traffic. Keeping traffic within the same zone removes the risk of cross-zonal outages.

  • You can delete a firewall endpoint only when there are no VPC networks associated with it.

  • Google manages the infrastructure, load balancing, autoscaling, and lifecycle of the firewall endpoints. When you create a firewall endpoint, Google provides a set of dedicated virtual machine (VM) instances, which ensures reliability, performance, and security isolation for your traffic, along with certificate management.

  • Google provides high availability by using failover mechanisms for the firewall endpoints, which ensures reliable firewall protection for all VM instances in the attached VPC network.

Firewall endpoint associations

A firewall endpoint association links a firewall endpoint to a VPC network in the same zone. After you define this association, Cloud NGFW forwards the zonal workload traffic in your VPC network that requires Layer 7 inspection to the attached firewall endpoint.
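The lifecycle rules in the specifications above and the association rule in this section can be checked against a small model. The following is an added illustration, not Google Cloud's code or API: the class, field and function names (ControlPlane, VpcNetwork.network_id, redirect, and so on) are assumptions chosen for the example, and the sample networks, rules and addresses are constructed. It encodes the invariants the page states: an endpoint is zonal and organization-scoped; an association must be in the endpoint's zone; an endpoint can be deleted only when no associations remain; a packet is redirected only when its network has an association in the workload's zone and a firewall policy rule configures Layer 7 inspection; and each redirected packet carries a network identifier so overlapping IP ranges in different VPC networks are kept apart.

```python
"""Toy model of firewall endpoint constraints (added example, not Google Cloud's code)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class FirewallEndpoint:
    org_id: str   # endpoints are organizational resources
    zone: str     # ... created at the zonal level
    name: str


@dataclass(frozen=True)
class VpcNetwork:
    project: str
    name: str
    network_id: int  # stands in for the identifier Cloud NGFW adds to redirected packets


@dataclass(frozen=True)
class Association:
    endpoint: FirewallEndpoint
    network: VpcNetwork
    zone: str


@dataclass(frozen=True)
class PolicyRule:
    dest_cidr: str
    layer7_inspection: bool  # True when the rule is configured for Layer 7 inspection


class ControlPlane:
    """Tracks endpoints and associations and enforces the lifecycle rules."""

    def __init__(self):
        self.endpoints = {}
        self.associations = []

    def create_endpoint(self, org_id, zone, name):
        ep = FirewallEndpoint(org_id, zone, name)
        self.endpoints[(org_id, zone, name)] = ep
        return ep

    def associate(self, ep, network, zone):
        if (ep.org_id, ep.zone, ep.name) not in self.endpoints:
            raise LookupError(f"unknown endpoint {ep.name}")
        # The endpoint and the workloads it protects must share a zone.
        if ep.zone != zone:
            raise ValueError(f"endpoint {ep.name} is in {ep.zone}, not {zone}")
        assoc = Association(ep, network, zone)
        self.associations.append(assoc)
        return assoc

    def disassociate(self, assoc):
        self.associations.remove(assoc)

    def delete_endpoint(self, ep):
        # Deletion is refused while any VPC network is still attached.
        if any(a.endpoint == ep for a in self.associations):
            raise RuntimeError(f"endpoint {ep.name} still has associations")
        del self.endpoints[(ep.org_id, ep.zone, ep.name)]

    def endpoint_for(self, network, zone):
        for a in self.associations:
            if a.network == network and a.zone == zone:
                return a.endpoint
        return None


def redirect(cp, rules, network, zone, dst_ip):
    """Return None if the packet stays on its normal path, else the tagged packet.

    Redirection requires an association for the workload's zone AND a policy
    rule that matches the destination and configures Layer 7 inspection.
    """
    ep = cp.endpoint_for(network, zone)
    if ep is None:
        return None
    addr = ipaddress.ip_address(dst_ip)
    needs_l7 = any(r.layer7_inspection and addr in ipaddress.ip_network(r.dest_cidr)
                   for r in rules)
    if not needs_l7:
        return None
    # The network identifier disambiguates overlapping ranges across VPC networks.
    return {"endpoint": ep.name, "network_id": network.network_id, "dst": dst_ip}


def raises(exc_type, fn, *args):
    """True when fn(*args) raises exc_type; used to show refused operations."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    cp = ControlPlane()
    ep = cp.create_endpoint("org-123", "us-central1-a", "ep-a")   # constructed sample
    prod = VpcNetwork("proj-prod", "prod-vpc", 1)                # constructed sample
    dev = VpcNetwork("proj-dev", "dev-vpc", 2)                   # overlapping 10/8 with prod
    cp.associate(ep, prod, "us-central1-a")
    cp.associate(ep, dev, "us-central1-a")
    rules = [PolicyRule("10.0.0.0/8", True), PolicyRule("192.168.0.0/16", False)]
    print(redirect(cp, rules, prod, "us-central1-a", "10.1.2.3"))
    print(redirect(cp, rules, dev, "us-central1-a", "10.1.2.3"))
    print(raises(ValueError, cp.associate, ep, prod, "us-central1-b"))
    print(raises(RuntimeError, cp.delete_endpoint, ep))
```

Two workloads in different VPC networks can send to the same 10.1.2.3 address; the model shows the redirected packets differ only by network_id, which is exactly what lets the endpoint keep them apart. Attaching the endpoint to a workload in another zone or deleting it while associations exist is refused, matching the constraints listed above.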

Identity and Access Management roles

Identity and Access Management (IAM) roles govern the following actions for managing the firewall endpoints:

  • Creating a firewall endpoint in an organization
  • Modifying or deleting a firewall endpoint
  • Viewing details of a firewall endpoint
  • Viewing all the firewall endpoints configured in an organization

The following table describes the roles that are necessary for each step.

| Ability | Necessary role |
| --- | --- |
| Create a new firewall endpoint | compute.networkAdmin role on the organization where the firewall endpoint is created. |
| Modify an existing firewall endpoint | compute.networkAdmin role on the organization. |
| View details about a firewall endpoint in an organization | Any of the following roles on the organization: compute.networkAdmin, compute.networkUser, or compute.networkViewer. |
| View all the firewall endpoints in an organization | Any of the following roles on the organization: compute.networkAdmin, compute.networkUser, or compute.networkViewer. |

IAM roles govern the following actions for the firewall endpoint associations:

  • Creating a firewall endpoint association in a project
  • Modifying or deleting a firewall endpoint association
  • Viewing details of a firewall endpoint association
  • Viewing all the firewall endpoint associations configured in a project

The following table describes the roles that are necessary for each step.

| Ability | Necessary role |
| --- | --- |
| Create a firewall endpoint association | Both of the following: compute.networkAdmin role on the project where the firewall endpoint association is created, and compute.networkUser role on the organization. The organization-level compute.networkUser role grants permission to associate the VPC network (which the user administers) with the endpoint, which is an organization-owned resource not necessarily owned by the VPC network owner. |
| Modify (update or delete) a firewall endpoint association | compute.networkAdmin role on the project where the VPC network exists. |
| View details about a firewall endpoint association in a project | Any of the following roles on the organization: compute.networkAdmin, compute.networkViewer, or compute.networkUser. |
| View all the firewall endpoint associations in a project | Any of the following roles on the organization: compute.networkAdmin, compute.networkViewer, or compute.networkUser. |

Quotas

To view quotas associated with firewall endpoints, see Quotas and limits.

Pricing

Pricing for firewall endpoints is described in the Cloud Next Generation Firewall Enterprise pricing.

What's next