Create and manage firewall endpoint associations

This page explains how to create and manage firewall endpoint associations by using the Google Cloud console and Google Cloud CLI.

When you associate a firewall endpoint with one or more Virtual Private Cloud (VPC) networks, you create the association in the same zone as the firewall endpoint. A VPC network can also be associated with firewall endpoints in different zones.

Before you begin

Roles

To get the permissions that you need to create, view, update, or delete firewall endpoint associations, ask your administrator to grant you the necessary IAM roles on your organization and project. For more information about granting roles, see Manage access.

Quotas

To view quotas for firewall endpoint associations, see Quotas and limits.

Create firewall endpoint associations

Google Cloud console lets you create firewall endpoint associations for any of the following:

  • A VPC network

  • A firewall endpoint

  • A project

All these options create the same association. The only difference between associations created in the Google Cloud console is where you begin the process of creating them. For associations created by using the gcloud CLI, the process is the same for all of the firewall endpoint associations.

Create firewall endpoint associations for a VPC network

You can associate one or more firewall endpoints with a specific VPC network. Each of the associated firewall endpoints belongs to a different zone within the VPC network.

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click the name of a VPC network to show its VPC network details page.

  3. Select the Firewall endpoints tab.

  4. Click Create endpoint association.

  5. In the Region list, select the region where you want to create the firewall endpoint association.

  6. In the Zone list, select the zone where you want to create the firewall endpoint association.

  7. In the Firewall endpoint list, select the firewall endpoint that you want to associate with this VPC network.

  8. In the TLS inspection policy list, select the TLS inspection policy that you want to add to this VPC network.

  9. Click Create.

gcloud

To create a firewall endpoint association, use the gcloud network-security firewall-endpoint-associations create command:

gcloud network-security firewall-endpoint-associations \
   create NAME \
   --endpoint organizations/ORGANIZATION_ID/locations/ZONE/firewallEndpoints/FIREWALL_ENDPOINT_NAME \
   --network projects/PROJECT_NAME/global/networks/NETWORK_NAME \
   --zone ZONE \
   --project PROJECT_ID \
   --tls-inspection-policy projects/TLS_PROJECT_NAME/locations/REGION_NAME/tlsInspectionPolicies/TLS_POLICY_NAME

Replace the following:

  • NAME: the name of the firewall endpoint association.

  • ORGANIZATION_ID: the organization identifier where the firewall endpoint is created.

  • ZONE: the zone of the firewall endpoint.

  • FIREWALL_ENDPOINT_NAME: the name of the firewall endpoint.

  • PROJECT_NAME: the Google Cloud project name of the network.

  • NETWORK_NAME: the name of the network.

  • PROJECT_ID: the Google Cloud project ID where the association is created.

  • TLS_PROJECT_NAME: the Google Cloud project name of the TLS inspection policy.

  • REGION_NAME: the region name of the TLS inspection policy.

  • TLS_POLICY_NAME: the name of the TLS inspection policy.

    This policy is used for the TLS inspection of the encrypted traffic on the specified network. This is an optional argument.

Create firewall endpoint associations for a firewall endpoint

You can associate one or more VPC networks with a specific firewall endpoint in the same zone.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

  2. In the project selector menu, select your organization.

  3. Click the firewall endpoint to view its details.

  4. Click Create endpoint association.

  5. Click Add endpoint association.

  6. In the Project list, select the Google Cloud project where you want to create the firewall endpoint association.

    If the Compute Engine API and Network Security API are not enabled for the Google Cloud project, click Enable.

  7. In the Network list, select the network that you want to associate to the firewall endpoint.

  8. In the TLS inspection policy list, select the TLS inspection policy that you want to add to this association.

  9. To add another association, click Add endpoint association.

  10. Click Create.

gcloud

To create a firewall endpoint association, use the gcloud network-security firewall-endpoint-associations create command:

gcloud network-security firewall-endpoint-associations \
   create NAME \
   --endpoint organizations/ORGANIZATION_ID/locations/ZONE/firewallEndpoints/FIREWALL_ENDPOINT_NAME \
   --network projects/PROJECT_NAME/global/networks/NETWORK_NAME \
   --zone ZONE \
   --project PROJECT_ID \
   --tls-inspection-policy projects/TLS_PROJECT_NAME/locations/REGION_NAME/tlsInspectionPolicies/TLS_POLICY_NAME

Replace the following:

  • NAME: the name of the firewall endpoint association.

  • ORGANIZATION_ID: the organization identifier where the firewall endpoint is created.

  • ZONE: the zone of the firewall endpoint.

  • FIREWALL_ENDPOINT_NAME: the name of the firewall endpoint.

  • PROJECT_NAME: the Google Cloud project name of the network.

  • NETWORK_NAME: the name of the network.

  • PROJECT_ID: the Google Cloud project ID where the association is created.

  • TLS_PROJECT_NAME: the Google Cloud project name of the TLS inspection policy.

  • REGION_NAME: the region name of the TLS inspection policy.

  • TLS_POLICY_NAME: the name of the TLS inspection policy.

    This policy is used for the TLS inspection of the encrypted traffic on the specified network. This is an optional argument.

Create firewall endpoint associations in a project

You can add multiple firewall endpoint associations to a specific project.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

  2. In the project selector menu, select your Google Cloud project.

  3. Click Create endpoint association.

  4. In the Region list, select the region where you want to create the firewall endpoint association.

  5. In the Zone list, select the zone where you want to create the firewall endpoint association.

  6. In the Firewall endpoint list, select the firewall endpoint that you want to add to the association.

  7. In the Network list, select the network that you want to add to the association.

  8. In the TLS inspection policy list, select the TLS inspection policy that you want to add to this association.

  9. Click Create.

gcloud

To create a firewall endpoint association, use the gcloud network-security firewall-endpoint-associations create command:

gcloud network-security firewall-endpoint-associations \
   create NAME \
   --endpoint organizations/ORGANIZATION_ID/locations/ZONE/firewallEndpoints/FIREWALL_ENDPOINT_NAME \
   --network projects/PROJECT_NAME/global/networks/NETWORK_NAME \
   --zone ZONE \
   --project PROJECT_ID \
   --tls-inspection-policy projects/TLS_PROJECT_NAME/locations/REGION_NAME/tlsInspectionPolicies/TLS_POLICY_NAME

Replace the following:

  • NAME: the name of the firewall endpoint association.

  • ORGANIZATION_ID: the organization identifier where the firewall endpoint is created.

  • ZONE: the zone of the firewall endpoint.

  • FIREWALL_ENDPOINT_NAME: the name of the firewall endpoint.

  • PROJECT_NAME: the Google Cloud project name of the network.

  • NETWORK_NAME: the name of the network.

  • PROJECT_ID: the Google Cloud project ID where the association is created.

  • TLS_PROJECT_NAME: the Google Cloud project name of the TLS inspection policy.

  • REGION_NAME: the region name of the TLS inspection policy.

  • TLS_POLICY_NAME: the name of the TLS inspection policy.

    This policy is used for the TLS inspection of the encrypted traffic on the specified network. This is an optional argument.
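As an added example that is not part of the Google Cloud documentation, the following POSIX shell wrapper around the create command above checks that the requested --zone matches the zone embedded in the firewall endpoint path before gcloud is called, and omits --tls-inspection-policy when no policy is given. Every organization ID, project, network and policy name used with it is a placeholder; DRY_RUN=1 prints the assembled command instead of running it.

```shell
#!/bin/sh
# Added example, not code from the Google Cloud documentation. Wraps
# "firewall-endpoint-associations create" so the association zone is
# checked against the zone embedded in the endpoint path before gcloud
# runs. Every ID and name used with it is a placeholder.
set -eu

# Print the zone embedded in a fully qualified firewall endpoint path
# (organizations/ORG/locations/ZONE/firewallEndpoints/NAME); fail otherwise.
fea_endpoint_zone() {
  path="$1"
  case "$path" in
    organizations/*/locations/*/firewallEndpoints/*) ;;
    *) echo "bad endpoint path: $path" >&2; return 1 ;;
  esac
  rest="${path#organizations/*/locations/}"
  zone="${rest%%/*}"
  [ -n "$zone" ] || { echo "empty zone in: $path" >&2; return 1; }
  printf '%s\n' "$zone"
}

# Args: NAME ENDPOINT_PATH ZONE PROJECT_ID NETWORK_PATH [TLS_POLICY_PATH].
# Prints the assembled command, then runs it unless DRY_RUN=1.
fea_create() {
  name="$1"; endpoint="$2"; zone="$3"; project="$4"; network="$5"
  tls="${6:-}"
  ep_zone="$(fea_endpoint_zone "$endpoint")" || return 1
  # An association must be created in the zone of its firewall endpoint.
  if [ "$ep_zone" != "$zone" ]; then
    echo "zone mismatch: association in $zone, endpoint in $ep_zone" >&2
    return 2
  fi
  # Build the argument list in the positional parameters (POSIX, no arrays).
  set -- gcloud network-security firewall-endpoint-associations create "$name" \
    --endpoint "$endpoint" --network "$network" --zone "$zone" --project "$project"
  # The TLS inspection policy is optional: add the flag only when one is given.
  if [ -n "$tls" ]; then
    set -- "$@" --tls-inspection-policy "$tls"
  fi
  printf '%s\n' "$*"
  [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# Usage with placeholder values (DRY_RUN=1 only prints the command):
# DRY_RUN=1 fea_create assoc-prod \
#   organizations/123456/locations/us-central1-a/firewallEndpoints/ep-prod \
#   us-central1-a my-project projects/my-project/global/networks/prod-vpc
```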

View a firewall endpoint association

You can view the details of a specific firewall endpoint association in a zone.

gcloud

gcloud network-security firewall-endpoint-associations \
   describe NAME \
   --zone ZONE \
   --project PROJECT_ID

Replace the following:

  • NAME: the name of the firewall endpoint association.

  • ZONE: the zone of the firewall endpoint association.

  • PROJECT_ID: the Google Cloud project ID of the firewall endpoint association.

List firewall endpoint associations

You can list the firewall endpoint associations for a network, a project, or a firewall endpoint.

List all firewall endpoint associations for a VPC network

You can list all the firewall endpoint associations for a specific VPC network.

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click the name of a VPC network to show its VPC network details page.

  3. Select the Firewall endpoints tab. The tab shows a list of configured firewall endpoint associations.

gcloud

To list firewall endpoint associations for a specific network, use the gcloud network-security firewall-endpoint-associations list command with the --filter flag:

gcloud network-security firewall-endpoint-associations list \
   --filter network:NETWORK_NAME \
   --project PROJECT_ID

Replace the following:

  • NETWORK_NAME: the name of the VPC network.

  • PROJECT_ID: the Google Cloud project ID of the firewall endpoint association.

List all firewall endpoint associations for a firewall endpoint

You can list all the associations of a specific firewall endpoint.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

  2. In the project selector menu, select your organization.

  3. Click the firewall endpoint to view its details.

    In the Firewall endpoint details page, the table lists all the configured firewall endpoint associations.

gcloud

To list firewall endpoint associations for a firewall endpoint, use the gcloud network-security firewall-endpoint-associations list command with the --zone flag:

gcloud network-security firewall-endpoint-associations list \
   --zone ZONE \
   --project PROJECT_ID

Replace the following:

  • ZONE: the zone of the firewall endpoint. To list firewall endpoint associations in all zones, specify - as the zone (--zone -).

  • PROJECT_ID: the Google Cloud project ID of the firewall endpoint association.

List all firewall endpoint associations in a project

You can list all the firewall endpoint associations in a specific project.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

  2. In the project selector menu, select your Google Cloud project.

    In the Firewall endpoint associations section, the table lists all the configured firewall endpoint associations for this project.

gcloud

To list firewall endpoint associations in a project, use the gcloud network-security firewall-endpoint-associations list command:

gcloud network-security firewall-endpoint-associations list \
   --project PROJECT_ID

Replace the following:

  • PROJECT_ID: the Google Cloud project ID of the firewall endpoint association.

Edit firewall endpoint associations

Google Cloud console lets you edit firewall endpoint associations for a network, a project, or a firewall endpoint. The gcloud CLI instructions to edit firewall endpoint associations are the same for all these options.

Edit a firewall endpoint association for a VPC network

You can edit a firewall endpoint association for a specific zone in a VPC network.

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click the name of a VPC network to show its VPC network details page.

  3. Select the Firewall endpoints tab. The tab shows a list of configured firewall endpoint associations.

  4. Click Edit next to the firewall endpoint association that you want to update.

  5. To disable the firewall endpoint association, clear the Enable association checkbox.

  6. To update the TLS inspection policy, select a new policy from the TLS inspection policy list.

  7. Click Save.

gcloud

To update a firewall endpoint association, use the gcloud network-security firewall-endpoint-associations update command. The --disabled flag disables the association (use --no-disabled to enable it again), and --tls-inspection-policy replaces the TLS inspection policy; include only the flags for the settings that you want to change:

gcloud network-security firewall-endpoint-associations \
    update NAME \
    --zone ZONE \
    --project PROJECT_ID \
    --disabled \
    --tls-inspection-policy projects/TLS_PROJECT_NAME/locations/REGION_NAME/tlsInspectionPolicies/TLS_POLICY_NAME

Replace the following:

  • NAME: the name of the firewall endpoint association.

  • ZONE: the zone of the firewall endpoint association.

  • PROJECT_ID: the Google Cloud project ID where the association is created.

  • TLS_PROJECT_NAME: the Google Cloud project name of the TLS inspection policy.

  • REGION_NAME: the region name of the TLS inspection policy.

  • TLS_POLICY_NAME: the name of the TLS inspection policy.

Edit a firewall endpoint association for a firewall endpoint

You can edit an association for a specific firewall endpoint.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

  2. In the project selector menu, select your organization.

  3. Click the firewall endpoint to view its details.

    In the Firewall endpoint details page, the table lists all the configured firewall endpoint associations.

  4. Click Edit next to the firewall endpoint association that you want to update.

  5. To disable the firewall endpoint association, clear the Enable association checkbox.

  6. To update the TLS inspection policy, select a new policy from the TLS inspection policy list.

  7. Click Save.

gcloud

To update a firewall endpoint association, use the gcloud network-security firewall-endpoint-associations update command. The --disabled flag disables the association (use --no-disabled to enable it again), and --tls-inspection-policy replaces the TLS inspection policy; include only the flags for the settings that you want to change:

gcloud network-security firewall-endpoint-associations \
    update NAME \
    --zone ZONE \
    --project PROJECT_ID \
    --disabled \
    --tls-inspection-policy projects/TLS_PROJECT_NAME/locations/REGION_NAME/tlsInspectionPolicies/TLS_POLICY_NAME

Replace the following:

  • NAME: the name of the firewall endpoint association.

  • ZONE: the zone of the firewall endpoint association.

  • PROJECT_ID: the Google Cloud project ID where the association is created.

  • TLS_PROJECT_NAME: the Google Cloud project name of the TLS inspection policy.

  • REGION_NAME: the region name of the TLS inspection policy.

  • TLS_POLICY_NAME: the name of the TLS inspection policy.

Edit a firewall endpoint association in a project

You can edit a firewall endpoint association in a specific project.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

  2. In the project selector menu, select your Google Cloud project.

    In the Firewall endpoint associations section, the table lists all the configured firewall endpoint associations for this project.

  3. Next to the firewall endpoint association that you want to update, click Edit.

  4. To disable the firewall endpoint association, clear the Enable association checkbox.

  5. To update the TLS inspection policy, select a new policy from the TLS inspection policy list.

  6. Click Save.

gcloud

To update a firewall endpoint association, use the gcloud network-security firewall-endpoint-associations update command. The --disabled flag disables the association (use --no-disabled to enable it again), and --tls-inspection-policy replaces the TLS inspection policy; include only the flags for the settings that you want to change:

gcloud network-security firewall-endpoint-associations \
    update NAME \
    --zone ZONE \
    --project PROJECT_ID \
    --disabled \
    --tls-inspection-policy projects/TLS_PROJECT_NAME/locations/REGION_NAME/tlsInspectionPolicies/TLS_POLICY_NAME

Replace the following:

  • NAME: the name of the firewall endpoint association.

  • ZONE: the zone of the firewall endpoint association.

  • PROJECT_ID: the Google Cloud project ID where the association is created.

  • TLS_PROJECT_NAME: the Google Cloud project name of the TLS inspection policy.

  • REGION_NAME: the region name of the TLS inspection policy.

  • TLS_POLICY_NAME: the name of the TLS inspection policy.

Delete a firewall endpoint association

Google Cloud console lets you delete the firewall endpoint associations from a network, a project, or a firewall endpoint.

When a Google Cloud project is deleted, its associated firewall endpoint associations are automatically removed. This deletion is irreversible, even if the project is later restored.

However, the deletion process for these associations might sometimes fail. If this happens and the project is later restored, the firewall endpoint associations appear in the ORPHAN state within the restored project. This state indicates that the link between the project and these resources is broken because the deletion did not complete.

You can view these orphaned associations in the Google Cloud console, but you cannot edit them. Cloud Next Generation Firewall periodically runs a background process that deletes these orphaned resources.
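As an added example that is not part of the Google Cloud documentation, the following POSIX shell audit reads the output of the list command from the earlier section across all zones (--zone -) and flags the associations worth reviewing: those in the ORPHAN state described above, those that are disabled, and those with no TLS inspection policy. The field names name, state, disabled and tlsInspectionPolicy are assumed from the FirewallEndpointAssociation resource, and the sample rows are constructed.

```shell
#!/bin/sh
# Added example, not code from the Google Cloud documentation. Reads the
# tab-separated output of
#   gcloud network-security firewall-endpoint-associations list --zone - \
#     --project PROJECT_ID \
#     --format="value(name.basename(),state,disabled,tlsInspectionPolicy)"
# and reports the associations a defender wants to look at. Field names
# are assumed from the FirewallEndpointAssociation resource.
set -eu

# stdin: NAME<TAB>STATE<TAB>DISABLED<TAB>TLS_POLICY, one association per line.
# stdout: NAME<TAB>finding. Exits 1 when anything was flagged (CI friendly).
fea_audit() {
  awk -F '\t' '
    $2 == "ORPHAN" {
      print $1 "\torphan: left by a failed project deletion, cannot be edited"; n++; next
    }
    tolower($3) == "true" {
      print $1 "\tdisabled: the endpoint does not inspect this network"; n++
    }
    $4 == "" {
      print $1 "\tno TLS inspection policy: encrypted traffic is not decrypted for inspection"; n++
    }
    END { exit (n > 0) ? 1 : 0 }'
}

# Constructed sample rows in the same layout, so the audit runs offline.
fea_audit_sample() {
  printf '%s\t%s\t%s\t%s\n' \
    assoc-prod-a ACTIVE False projects/my-project/locations/us-central1/tlsInspectionPolicies/tls-prod \
    assoc-prod-b ACTIVE True  projects/my-project/locations/us-central1/tlsInspectionPolicies/tls-prod \
    assoc-dev    ACTIVE False '' \
    assoc-orphan ORPHAN False '' | fea_audit
}
```

Against live data, pipe the gcloud list command from the header comment into fea_audit; the sample reports assoc-prod-b, assoc-dev and assoc-orphan and leaves assoc-prod-a alone.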

Delete a firewall endpoint association for a VPC network

You can delete a firewall endpoint association for a specific zone in a VPC network.

Console

  1. In the Google Cloud console, go to the VPC networks page.

  2. Click the name of a VPC network to show its VPC network details page.

  3. Select the Firewall endpoints tab. The tab shows a list of configured firewall endpoint associations.

  4. Select the firewall endpoint association, and then click Delete.

  5. Click Delete again to confirm.

gcloud

To delete a firewall endpoint association, use the gcloud network-security firewall-endpoint-associations delete command:

gcloud network-security firewall-endpoint-associations \
   delete NAME \
   --zone ZONE \
   --project PROJECT_ID

Replace the following:

  • NAME: the name of the firewall endpoint association.

  • ZONE: the zone of the firewall endpoint association.

  • PROJECT_ID: the Google Cloud project ID where the association is created.

Delete a firewall endpoint association for a firewall endpoint

You can delete an association for a specific firewall endpoint.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

  2. In the project selector menu, select your organization.

  3. Click the firewall endpoint to view its details.

    In the Firewall endpoint details page, the table lists all the configured firewall endpoint associations.

  4. Select the firewall endpoint association, and then click Delete.

  5. Click Delete again to confirm.

gcloud

To delete a firewall endpoint association, use the gcloud network-security firewall-endpoint-associations delete command:

gcloud network-security firewall-endpoint-associations \
   delete NAME \
   --zone ZONE \
   --project PROJECT_ID

Replace the following:

  • NAME: the name of the firewall endpoint association.

  • ZONE: the zone of the firewall endpoint association.

  • PROJECT_ID: the Google Cloud project ID where the association is created.

Delete a firewall endpoint association in a project

You can delete a firewall endpoint association in a specific project.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

  2. In the project selector menu, select your Google Cloud project.

    In the Firewall endpoint associations section, the table lists all the configured firewall endpoint associations for this project.

  3. Select the firewall endpoint association, and then click Delete.

  4. Click Delete again to confirm.

gcloud

To delete a firewall endpoint association, use the gcloud network-security firewall-endpoint-associations delete command:

gcloud network-security firewall-endpoint-associations \
   delete NAME \
   --zone ZONE \
   --project PROJECT_ID

Replace the following:

  • NAME: the name of the firewall endpoint association.

  • ZONE: the zone of the firewall endpoint association.

  • PROJECT_ID: the Google Cloud project ID where the association is created.

What's next