Cloud Firewall is a fully distributed firewall service with advanced protection capabilities, micro-segmentation, and pervasive coverage to protect your Google Cloud workloads from internal and external attacks.
Cloud Firewall has the following benefits:
Distributed firewall service: Cloud Firewall provides a stateful, fully distributed host-based enforcement on each workload to enable zero-trust security architecture.
Simplified configuration and deployment: Cloud Firewall implements network and hierarchical firewall policies that can be attached to a resource hierarchy node. These policies provide a consistent firewall experience across the Google Cloud resource hierarchy.
Granular control and micro-segmentation: The combination of firewall policies and Identity and Access Management (IAM)-governed Tags provides fine control for both north-south and east-west traffic, down to a single VM, across Virtual Private Cloud (VPC) networks and organizations.
Cloud Firewall is available in the following two tiers:
- Cloud Firewall Essentials
- Cloud Firewall Standard
Cloud Firewall also provides additional features that you can add on top of these tiers. For more information about the pricing of the firewall tiers and additional features, see Cloud Firewall pricing.
Cloud Firewall Essentials
Cloud Firewall Essentials is the foundational firewall service offered by Google Cloud. It includes the following features and capabilities:
Global network firewall policies and regional network firewall policies enable you to group firewall rules into a policy object applicable to all regions or specific regions.
IAM-governed Tags combined with network firewall policies provide micro-segmentation and fine-grain control of your Google Cloud resources. Tags are managed centrally with unique IDs and strict IAM control. You can reference these Tags in network firewall policy rules for tighter and uniform access control across your regions and network.
Address groups combine multiple IP addresses and IP ranges into a single named logical unit. You can reference the same address group in multiple firewall rules for ingress and egress control.
VPC firewall rules that use network tags and service accounts filter incoming and outgoing traffic at the network level.
Cloud Firewall Standard
Cloud Firewall Standard extends the Cloud Firewall Essentials features to provide enhanced capabilities to protect your cloud infrastructure from malicious attacks:
Threat Intelligence for firewall policy rules lets you secure your network by allowing or blocking traffic based on Threat Intelligence data lists.
Fully qualified domain name (FQDN) objects in firewall policy rules filter incoming or outgoing traffic from or to specific domains. Based on the traffic direction, the IP addresses associated with the domain names are matched against the source or destination of the traffic.
Geo-location objects in firewall policy rules filter external IPv4 and IPv6 traffic based on specific geographic locations or regions.
Cloud Firewall provides the following features in addition to the Cloud Firewall Essentials and Cloud Firewall Standard tiers:
Hierarchical firewall policy rules create and enforce a consistent firewall policy across your organization. You can assign hierarchical firewall policies to the organization as a whole or to individual folders.
Firewall Rules Logging lets you verify whether firewall rules are being used as intended.