Cloud NGFW overview

Cloud Next Generation Firewall is a fully distributed firewall service with advanced protection capabilities, micro-segmentation, and pervasive coverage to protect your Google Cloud workloads from internal and external attacks.

Cloud NGFW has the following benefits:

  • Distributed firewall service: Cloud NGFW provides a stateful, fully distributed host-based enforcement on each workload to enable zero-trust security architecture.

  • Simplified configuration and deployment: Cloud NGFW implements network and hierarchical firewall policies that can be attached to a resource hierarchy node. These policies provide a consistent firewall experience across the Google Cloud resource hierarchy.

  • Granular control and micro-segmentation: The combination of firewall policies and Identity and Access Management (IAM)-governed Tags provides fine control for both north-south and east-west traffic, down to a single VM, across Virtual Private Cloud (VPC) networks and organizations.

Cloud NGFW is available in the following three tiers:

  • Cloud Next Generation Firewall Essentials
  • Cloud Next Generation Firewall Standard
  • Cloud Next Generation Firewall Enterprise

Cloud NGFW also provides additional features that you can add on top of these tiers. For more information about the pricing of the firewall tiers and additional features, see Cloud NGFW pricing.

Cloud NGFW Essentials

Cloud NGFW Essentials is the foundational firewall service offered by Google Cloud. It includes the following features and capabilities:

  • Global network firewall policies and regional network firewall policies enable you to group firewall rules into a policy object applicable to all regions or specific regions.

  • IAM-governed Tags combined with network firewall policies provide micro-segmentation and fine-grain control of your Google Cloud resources. Tags are managed centrally with unique IDs and strict IAM control. You can reference these Tags in network firewall policy rules for tighter and uniform access control across your regions and network.

  • Address groups combine multiple IP addresses and IP ranges into a single named logical unit. You can reference the same address group in multiple firewall rules for ingress and egress control.

  • VPC firewall rules that use network tags and service accounts filter incoming and outgoing traffic at the network level.

Cloud NGFW Standard

Cloud NGFW Standard extends the Cloud NGFW Essentials features to provide enhanced capabilities to protect your cloud infrastructure from malicious attacks:

  • Threat Intelligence for firewall policy rules lets you secure your network by allowing or blocking traffic based on Threat Intelligence data lists.

  • Fully qualified domain name (FQDN) objects in firewall policy rules filter incoming or outgoing traffic from or to specific domains. Based on the traffic direction, the IP addresses associated with the domain names are matched against the source or destination of the traffic.

  • Geolocation objects in firewall policy rules filter external IPv4 and IPv6 traffic based on specific geographic locations or regions.

Cloud Next Generation Firewall Enterprise

Cloud Next Generation Firewall Enterprise provides advanced layer 7 security capabilities that protect your Google Cloud workloads from threats and malicious attacks.

Cloud Next Generation Firewall Enterprise includes intrusion prevention service with Transport Layer Security (TLS) interception and decryption, which provides threat detection and prevention from malware, spyware, and command-and-control attacks on your network.

Additional features

Cloud NGFW provides the following features in addition to the Cloud NGFW Essentials and Cloud NGFW Standard tiers:

  • Hierarchical firewall policy rules create and enforce a consistent firewall policy across your organization. You can assign hierarchical firewall policies to the organization as a whole or to individual folders.

  • Firewall Rules Logging lets you verify whether firewall rules are being used as intended.

What's next