Use address groups to combine multiple IP addresses and IP ranges into a single named logical unit. You can then use this unit across multiple rules in the same or different firewall policies.
Address groups eliminate the need to manually maintain and sync IP address sets used across multiple firewall rules. You can create a common address group with all the required IP addresses or IP ranges. You can then reuse this address group in multiple firewall rules for source and destination filtering. If there is any change in the IP address set, you can update the address group without the need to update every associated rule.
Address groups simplify the configuration and maintenance of firewall policies. You can share the IP addresses across firewall policies and define more complex, consistent, and robust firewall policies for your network with reduced maintenance overhead.
Specifications
Address group resources have the following characteristics:
- Each address group is uniquely identified by a URL with the following elements:
  - Container type: Determines the address group type: organization or project.
  - Container ID: ID of the organization or the project.
  - Location: Specifies if the address group is a global or regional resource (such as europe-west).
  - Name: The address group name with the following format:
    - A string 1-63 characters long
    - Includes only alphanumeric characters
    - Must not start with a number
You can construct a unique URL identifier for an address group in the following format:
<containerType>/<containerId>/locations/<location>/addressGroups/<address-group-name>
For example, a global address group example-address-group in project myproject has the following unique 4-tuple identifier: projects/myproject/locations/global/addressGroups/example-address-group
Each address group has an associated type that can be either IPv4 or IPv6, but not both. The address group type cannot be changed later.
Each IP address or IP range in an address group is referred to as an item. The number of items that you can add to an address group depends on the address group's capacity. You can define the item capacity during address group creation. This capacity cannot be changed later. The maximum capacity that you can configure for an address group is 1,000 items.
The capacity of an address group gets added to the total attribute count of the firewall policy where the address group is used. Make sure that you set the capacity to an appropriate value based on your use case.
You must specify the capacity and type when you create an address group.
If an address group added to the firewall policy rule does not exist, the address group filter is removed from the rule. For more information about how to add source or destination address groups to firewall policy rules, see Sources and Destinations.
Types of address groups
Address groups are classified based on their scope. The scope identifies the level in the resource hierarchy at which the address group is applicable. Address groups are categorized into two types: project-scoped and organization-scoped. An address group can be either project-scoped or organization-scoped, but not both.
Organization-scoped address groups can be used in hierarchical firewall policies, global network firewall policies, and regional network firewall policies. Project-scoped address groups can only be used in global network firewall policies and regional network firewall policies.
For both types of address groups, the location of the address group must match the location of the firewall policy.
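As an added example (not code from the Google Cloud documentation or any Google library), the following Python class encodes the constraints from the Specifications section and the scope rules in this section: the 4-tuple identifier, the IPv4-or-IPv6 type and capacity fixed at creation, and which firewall policy kinds and location a group may be used with. The policy kind labels and the organizations/ path prefix are assumptions; only projects/ appears on the page.

```python
import ipaddress
import re

MAX_CAPACITY = 1000  # Specifications: at most 1,000 items per address group
# Name rules from the page: 1-63 characters, must not start with a number. Hyphens are also
# accepted so that the page's own example name "example-address-group" validates.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,62}$")
# URL path prefix per container type; "organizations" is assumed by analogy with "projects".
CONTAINER_PATHS = {"project": "projects", "organization": "organizations"}
# Firewall policy kinds each scope may be used in (policy kind labels are my own).
ALLOWED_POLICIES = {
    "organization": {"hierarchical", "global-network", "regional-network"},
    "project": {"global-network", "regional-network"},
}

class AddressGroup:
    def __init__(self, container_type, container_id, location, name, ip_type, capacity):
        if container_type not in CONTAINER_PATHS:
            raise ValueError(f"container type must be project or organization: {container_type!r}")
        if not NAME_RE.match(name):
            raise ValueError(f"invalid address group name {name!r}")
        if ip_type not in ("IPV4", "IPV6"):
            raise ValueError("an address group is either IPV4 or IPV6, never both")
        if not 1 <= capacity <= MAX_CAPACITY:
            raise ValueError(f"capacity must be between 1 and {MAX_CAPACITY}")
        self.container_type, self.container_id = container_type, container_id
        self.location, self.name = location, name
        self.ip_type, self.capacity = ip_type, capacity  # both fixed once created
        self.items = []

    @property
    def url(self):
        """Unique 4-tuple identifier: <containerType>/<containerId>/locations/<location>/addressGroups/<name>."""
        return (f"{CONTAINER_PATHS[self.container_type]}/{self.container_id}"
                f"/locations/{self.location}/addressGroups/{self.name}")

    def add_item(self, item):
        """Add one IP address or range, enforcing the group's IP version and its fixed capacity."""
        net = ipaddress.ip_network(item, strict=False)
        if net.version != (4 if self.ip_type == "IPV4" else 6):
            raise ValueError(f"{item} is IPv{net.version}, but the group type is {self.ip_type}")
        if len(self.items) >= self.capacity:
            raise ValueError(f"capacity {self.capacity} reached and cannot be raised later")
        self.items.append(str(net))

    def usable_in(self, policy_kind, policy_location):
        """True if a firewall policy of this kind and location may reference the group."""
        return (policy_kind in ALLOWED_POLICIES[self.container_type]
                and policy_location == self.location)
```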
Project-scoped address groups
Use project-scoped address groups when you want to define your own list of IP addresses to be used within a project or a network to block or allow a list of changing IP addresses. For example, if you want to define your own threat intelligence list and add it to the firewall policy rule, create an address group with the required IP addresses.
You can use project-scoped address groups in the firewall rules for network firewall policies. The container type for project-scoped address groups is always set to project. For more information about how to create and modify project-scoped address groups, see Use project-scoped address groups.
Organization-scoped address groups
Use organization-scoped address groups when you want to define a central list of IP addresses that can be used in high-level firewall rules to provide consistent control for the entire organization and reduce the overhead for individual network and project owners to maintain common lists, such as trusted services and internal IP addresses.
You can use organization-scoped address groups in the firewall rules for hierarchical firewall policies and network firewall policies. The container type for organization-scoped address groups is always set to organization. For more information about how to create and modify organization-scoped address groups, see Use organization-scoped address groups.
IAM roles
To create and manage an address group, you need the Network Administrator role (compute.networkAdmin) or the Security Administrator role (compute.securityAdmin). You can also define a custom role with an equivalent set of permissions.
The following table provides a list of Identity and Access Management (IAM) permissions required to perform a set of tasks on address groups.
Task | IAM role name | IAM permissions |
---|---|---|
Create and manage address groups | compute.networkAdmin | networksecurity.addressGroups.* |
Discover and view address groups | compute.networkUser | networksecurity.addressGroups.list |
For more information about which roles include specific IAM permissions, see IAM permissions reference.