Firewall endpoint overview

Firewall endpoint is a Cloud Next Generation Firewall resource that enables Layer 7 advanced protection capabilities, such as intrusion prevention, in your network.

This page provides a detailed overview of firewall endpoints and their capabilities.

Specifications

  • A firewall endpoint is an organizational resource created at the zonal level.

  • Firewall endpoints perform Layer 7 firewall inspection on the intercepted traffic.

  • Cloud Next Generation Firewall uses Google Cloud's packet intercept technology to transparently redirect traffic from the Google Cloud workloads in a Virtual Private Cloud (VPC) network to the firewall endpoints.

    Packet intercept is a Google Cloud capability that transparently inserts network appliances in the path of selected network traffic without modifying their existing routing policies.

  • Cloud NGFW redirects the workload traffic in a VPC network to the firewall endpoint only if the Layer 7 inspection is configured to be applied to this flow.

  • Cloud NGFW adds a VPC network identifier to each packet redirected to the firewall endpoint for Layer 7 inspection. If you have multiple VPC networks with overlapping IP address ranges, this network identifier helps to ensure that each redirected packet is correctly associated with its VPC network.

  • You can create a firewall endpoint in a zone and attach it to one or more VPC networks to monitor workloads in the same zone. If your VPC network spans multiple zones, you can attach one firewall endpoint in each zone. If you don't attach a firewall endpoint to a VPC network in a specific zone, no Layer 7 inspection is performed on the workload traffic for that zone.

    You use firewall endpoint association to attach a firewall endpoint to a VPC network.

  • The endpoint and the workloads for which you want to enable Layer 7 inspection must be in the same zone. Creating the firewall endpoint in the same zone as workloads has the following benefits:

    • Lower latency. Because firewall endpoints can intercept, inspect, and reinject the traffic back into the network, latency is lower than that of firewall endpoints in different zones.

    • No cross-zonal traffic. Keeping traffic within the same zone ensures lower costs.

    • More reliable traffic. Keeping traffic within the same zone removes the risk of cross-zonal outages.

  • Firewall endpoints can process up to 2 Gbps of traffic with Transport Layer Security (TLS) inspection, and 10 Gbps of traffic without TLS inspection. Sending more traffic can result in packet loss. To monitor the firewall endpoint's capacity utilization, see firewall endpoint metrics.

  • You can delete a firewall endpoint only when there are no VPC networks associated with it.

  • Google manages the infrastructure, load balancing, autoscaling, and lifecycle of the firewall endpoints. When you create a firewall endpoint, Google provides a set of dedicated virtual machine (VM) instances, which ensures reliability, performance, and security isolation for your traffic, along with certificate management.

  • Google provides high availability by using proper failover mechanisms for the firewall endpoints, which ensures reliable firewall protection for all VM instances covered within the attached VPC network.

Firewall endpoint associations

Firewall endpoint association links a firewall endpoint to a VPC network in the same zone. After you define this association, Cloud NGFW forwards the zonal workload traffic in your VPC network that requires Layer 7 inspection to the attached firewall endpoint.

Identity and Access Management roles

Identity and Access Management (IAM) roles govern the following actions for managing the firewall endpoints:

  • Creating a firewall endpoint in an organization
  • Modifying or deleting a firewall endpoint
  • Viewing details of a firewall endpoint
  • Viewing all the firewall endpoints configured in an organization

The following table describes the roles that are necessary for each step.

Ability Necessary role
Create a new firewall endpoint compute.networkAdmin role on the organization where the firewall endpoint is created.
Modify an existing firewall endpoint compute.networkAdmin role on the organization.
View details about the firewall endpoint in an organization Any of the following roles for the organization:
compute.networkAdmin
compute.networkUser
compute.networkViewer
View all the firewall endpoints in an organization Any of the following roles for the organization:
compute.networkAdmin
compute.networkUser
compute.networkViewer

IAM roles govern the following actions for the firewall endpoint associations:

  • Creating a firewall endpoint association in a project
  • Modifying or deleting a firewall endpoint association
  • Viewing details of a firewall endpoint association
  • Viewing all the firewall endpoint associations configured in a project

The following table describes the roles that are necessary for each step.

Ability Necessary role
Create a firewall endpoint association

compute.networkAdmin role on the project where the firewall endpoint association is created.

compute.networkUser role on the organization, which represents permissions to associate the VPC (which the user is an administrator of) to the endpoint (which is an org-owned resource, not necessarily owned by the VPC owner).

Modify (update or delete) the firewall endpoint associations compute.networkAdmin role on the project where the VPC network exists.
View details about the firewall endpoint association in a project Any of the following roles for the organization:
compute.networkAdmin
compute.networkViewer
compute.networkUser
View all of the firewall endpoint associations in a project Any of the following roles for the organization:
compute.networkAdmin
compute.networkViewer
compute.networkUser

Quotas

To view quotas associated with firewall endpoints, see Quotas and limits.

Pricing

Pricing for firewall endpoints is described in the Cloud NGFW pricing.

What's next