Create and manage firewall endpoints

This page explains how to configure and manage a firewall endpoint and associate it with a Virtual Private Cloud (VPC) network by using the Google Cloud console and Google Cloud CLI.

You create a firewall endpoint at a zonal level, and then associate it with one or more VPC networks in the same zone. If you have enabled Layer 7 inspection in the firewall policy associated with your VPC network, the matched traffic is transparently intercepted and forwarded to the firewall endpoint.

Before you begin

Roles

To get the permissions that you need to create, view, update, or delete firewall endpoints, ask your administrator to grant you the necessary IAM roles on your organization. For more information about granting roles, see Manage access.

Quotas

To view quotas for firewall endpoints and associations, see Quotas and limits.

Create a firewall endpoint

Create a firewall endpoint in a specific zone.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

    Go to Firewall endpoints

  2. In the project selector menu, select your organization.

  3. Click Create.

  4. In the Region list, select the region where you want to create the firewall endpoint.

  5. In the Zone list, select the zone where you want to create the firewall endpoint.

  6. Enter a name in the Name field.

  7. In the Billing project list, select the Google Cloud project that you want to use for billing the firewall endpoint.

  8. Click Continue.

  9. If you want to add a firewall endpoint association, click Add endpoint association, else skip this step.

    1. In the Project list, select the Google Cloud project where you want to create the firewall endpoint association.
    2. If the Compute Engine API or Network Security API are not enabled for the Google Cloud project, click Enable.
    3. In the Network list, select the network that you want to associate to the firewall endpoint.
    4. In the TLS inspection policy list, select the TLS inspection policy that you want to add to this association.
    5. To add another association, click Add endpoint association.
  10. Click Create.

gcloud

To create a firewall endpoint, use the gcloud network-security firewall-endpoints create command:

gcloud network-security firewall-endpoints create NAME \
   --organization ORGANIZATION_ID \
   --zone ZONE \
   --billing-project BILLING_PROJECT_ID

Replace the following:

  • NAME: the name of the firewall endpoint.

  • ORGANIZATION_ID: the organization where the endpoint is activated.

  • ZONE: the zone where the endpoint is activated.

  • BILLING_PROJECT_ID: a Google Cloud project ID to be used for billing of the firewall endpoint.

To associate the firewall endpoint to a VPC network, see Create firewall endpoint associations.

View a firewall endpoint

You can view the details of a specific firewall endpoint.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

    Go to Firewall endpoints

  2. In the project selector menu, select your organization.

    The Firewall endpoints page lists all the configured firewall endpoints in the organization.

  3. Click the name of the firewall endpoint to view its details.

gcloud

To view details of a firewall endpoint, use the gcloud network-security firewall-endpoints describe command:

gcloud network-security firewall-endpoints \
   describe NAME \
   --organization ORGANIZATION_ID \
   --zone ZONE

Replace the following:

  • NAME: the name of the firewall endpoint.

  • ORGANIZATION_ID: the organization where the endpoint is activated.

  • ZONE: the zone where the endpoint is activated.

List firewall endpoints

You can list all the firewall endpoints in an organization.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

    Go to Firewall endpoints

  2. The Firewall endpoints page lists all the configured firewall endpoints in the organization.

gcloud

To list all firewall endpoints, use the gcloud network-security firewall-endpoints list command:

gcloud network-security firewall-endpoints list \
   --organization ORGANIZATION_ID \
   --zone ZONE \
   --billing-project BILLING_PROJECT_ID

Replace the following:

  • ORGANIZATION_ID: the organization where the endpoint is activated.

  • ZONE: the zone where the endpoint is activated. To list endpoints in all zones, use -.

  • BILLING_PROJECT_ID: an optional Google Cloud project ID that will be charged quota for the operation.

Edit a firewall endpoint

You can update the billing project of a firewall endpoint in an organization.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

    Go to Firewall endpoints

  2. In the project selector menu, select your organization.

    The Firewall endpoints page lists all the configured firewall endpoints in the organization.

  3. Click the name of the firewall endpoint to view its details.

  4. Click Edit.

  5. In the Billing project list, select the Google Cloud project that you want to use for billing the firewall endpoint.

  6. Click Save.

gcloud

To edit a firewall endpoint, use the gcloud network-security firewall-endpoints edit command:

gcloud network-security firewall-endpoints \
   update NAME \
   --organization ORGANIZATION_ID \
   --zone ZONE \
   --billing-project BILLING_PROJECT_ID

Replace the following:

  • NAME: the name of the firewall endpoint.

  • ORGANIZATION_ID: the organization where the endpoint is activated.

  • ZONE: the zone where the endpoint is activated.

  • BILLING_PROJECT_ID: the Google Cloud project ID that you want to associate with this firewall endpoint for billing.

Delete a firewall endpoint

You can delete a firewall endpoint by specifying its name, zone, and organization.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

    Go to Firewall endpoints

  2. Select the firewall endpoint, and then click Delete.

  3. Click Delete again to confirm.

gcloud

To delete a firewall endpoint, use the gcloud network-security firewall-endpoints delete command:

gcloud network-security firewall-endpoints delete NAME
   --organization ORGANIZATION_ID \
   --zone ZONE

Replace the following:

  • NAME: the name of the firewall endpoint.

  • ORGANIZATION_ID: the organization where the endpoint is activated.

  • ZONE: the zone where the endpoint is activated.

What's next