This page explains how to configure and manage a firewall endpoint and associate it with a Virtual Private Cloud (VPC) network by using Google Cloud console and Google Cloud CLI.
You create a firewall endpoint at a zonal level, and then associate it with one or more VPC networks in the same zone. If you have enabled layer 7 inspection in the firewall policy associated with your VPC network, the matched traffic is transparently intercepted and forwarded to the firewall endpoint.
Before you begin
You need a VPC network and a subnet.
You must enable the Compute Engine API in your project.
You must enable the Network Security API in your project.
You must enable the Certificate Authority Service API in your project.
Install the gcloud CLI if you want to run the gcloud command-line examples in this guide.
You need a security profile group.
Roles
To get the permissions that you need to create, view, update, or delete security profile groups, ask your administrator to grant you the necessary IAM roles on your organization. For more information about granting roles, see Manage access.
Create a firewall endpoint
Create a firewall endpoint in a specific zone.
Console
In the Google Cloud console, go to the Firewall endpoints page.
In the project selector drop-down menu, select your organization.
Click Create.
In the Region list, select the region where you want to create the firewall endpoint.
In the Zone list, select the zone where you want to create the firewall endpoint.
Enter a name in the Name field.
Click Create.
gcloud
gcloud beta network-security firewall-endpoints create NAME \
    --organization ORGANIZATION_ID \
    --zone ZONE \
    --billing-project BILLING_PROJECT_ID \
    --no-async --max-wait MAX_WAIT
Replace the following:
NAME: the name of the firewall endpoint.
ORGANIZATION_ID: the organization where the endpoint is activated.
ZONE: the zone where the endpoint is activated.
BILLING_PROJECT_ID: a project ID to be used for billing of the firewall endpoint.
--no-async: an optional flag to determine if the command should wait for the operation in progress to complete for up to --max-wait time, before returning the operation ID. The default wait time is 60 minutes (60m).
MAX_WAIT: an optional argument to define the maximum amount of time to wait for the operation to complete.
View a firewall endpoint
You can view the details of a specific firewall endpoint.
gcloud
gcloud beta network-security firewall-endpoints describe NAME \
    --organization ORGANIZATION_ID \
    --zone ZONE
Replace the following:
NAME: the name of the firewall endpoint.
ORGANIZATION_ID: the organization where the endpoint is activated.
ZONE: the zone where the endpoint is activated.
List firewall endpoints
You can list all the firewall endpoints in an organization.
Console
In the Google Cloud console, go to the Firewall endpoints page.
The Firewall endpoints page lists all the configured firewall endpoints in the organization.
gcloud
gcloud beta network-security firewall-endpoints list \
    --organization ORGANIZATION_ID \
    --zone ZONE \
    --billing-project BILLING_PROJECT_ID
Replace the following:
ORGANIZATION_ID: the organization where the endpoint is activated.
ZONE: the zone where the endpoint is activated.
BILLING_PROJECT_ID: an optional project ID that will be charged quota for the operation.
Delete a firewall endpoint
You can delete a firewall endpoint by specifying its name, zone, and organization.
Console
In the Google Cloud console, go to the Firewall endpoints page.
Select the firewall endpoint, and then click Delete.
Click Delete again to confirm.
gcloud
gcloud beta network-security firewall-endpoints delete NAME \
    --organization ORGANIZATION_ID \
    --zone ZONE \
    --no-async --max-wait MAX_WAIT
Replace the following:
NAME: the name of the firewall endpoint.
ORGANIZATION_ID: the organization where the endpoint is activated.
ZONE: the zone where the endpoint is activated.
--no-async: an optional flag to determine if the command should wait for the operation in progress to complete for up to --max-wait time, before returning the operation ID. The default wait time is 60 minutes (60m).
MAX_WAIT: an optional argument to define the maximum amount of time to wait for the operation to complete.
Create a firewall endpoint association
Create a firewall endpoint association to associate a VPC network with a firewall endpoint.
Console
In the Google Cloud console, go to the VPC networks page.
Click the name of a VPC network to show its VPC network details page.
Select the Firewall endpoint tab.
Click Add endpoint association.
In the Region list, select the region where you want to create the firewall endpoint association.
In the Zone list, select the zone where you want to create the firewall endpoint association.
In the Firewall endpoint list, select the firewall endpoint that you want to associate with this VPC network.
In the TLS inspection policy list, select the TLS inspection policy that you want to add to this VPC network.
Click Create.
gcloud
gcloud beta network-security firewall-endpoint-associations create NAME \
    --endpoint FIREWALL_ENDPOINT_NAME \
    --network NETWORK_NAME \
    --zone ZONE \
    --project PROJECT_ID \
    --tls-inspection-policy TLS_POLICY_NAME \
    --no-async --max-wait MAX_WAIT
Replace the following:
NAME: the name of the firewall endpoint association.
FIREWALL_ENDPOINT_NAME: a fully qualified URL identifier of the firewall endpoint in the following format: organizations/ORGANIZATION_ID/locations/ZONE/firewallEndpoints/FIREWALL_ENDPOINT_NAME
NETWORK_NAME: a fully qualified URL identifier of the network in the following format: projects/PROJECT_NAME/global/networks/NETWORK_NAME
ZONE: the zone in which to associate the network and firewall endpoint.
PROJECT_ID: an optional project ID where the association is created.
TLS_POLICY_NAME: a fully qualified URL identifier of the TLS inspection policy in the following format: projects/PROJECT_NAME/locations/LOCATION/tlsInspectionPolicies/TLS_POLICY_NAME. This policy is used for the TLS inspection of the encrypted traffic on the specified network. This is an optional argument.
--no-async: an optional flag to determine if the command should wait for the operation in progress to complete for up to --max-wait time, before returning the operation ID. The default wait time is 60 minutes (60m).
MAX_WAIT: an optional argument to define the maximum amount of time to wait for the operation to complete.
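The two gcloud procedures above (create the endpoint, then create the association) depend on each other: the association names the endpoint by its full resource path, so the endpoint must exist in the same zone first. The script below is an added example, not code from the Google Cloud documentation; it chains both steps, builds the resource paths that --endpoint and --network expect, and reads the endpoint back. It prints the commands by default and only runs them when GCLOUD=gcloud is exported; the organization, project, zone, endpoint and network names are constructed placeholders, and the check that describe reports a state field is an assumption.

```shell
#!/usr/bin/env sh
# Added example (not from the Google Cloud docs): create the zonal endpoint, then the
# association that refers to it by full resource name, then read the endpoint state.
# Dry run by default (commands are printed); export GCLOUD=gcloud to execute them.
# All IDs are constructed placeholders.
set -eu
GCLOUD="${GCLOUD:-echo}"
ORG_ID="${ORG_ID:-123456789012}"            # placeholder organization ID
PROJECT_ID="${PROJECT_ID:-example-project}"  # placeholder project ID
ZONE="${ZONE:-us-central1-a}"
ENDPOINT="${ENDPOINT:-fw-endpoint-a}"
NETWORK="${NETWORK:-prod-vpc}"
ASSOCIATION="${ASSOCIATION:-${NETWORK}-${ENDPOINT}}"

# Endpoints are zonal: reject a region name such as us-central1 before calling the API.
require_zone() {
  case "$1" in
    *-*-[a-z]) return 0 ;;
    *) echo "ZONE must be a zone such as us-central1-a, not a region: $1" >&2; return 1 ;;
  esac
}

# Fully qualified resource names expected by --endpoint and --network.
endpoint_path() { printf 'organizations/%s/locations/%s/firewallEndpoints/%s' "$1" "$2" "$3"; }
network_path()  { printf 'projects/%s/global/networks/%s' "$1" "$2"; }

# Step 1: create the endpoint; --no-async blocks until the operation finishes.
create_endpoint() {
  $GCLOUD beta network-security firewall-endpoints create "$ENDPOINT" \
    --organization "$ORG_ID" --zone "$ZONE" --billing-project "$PROJECT_ID" --no-async
}

# Step 2: the association names the endpoint by full path, so step 1 must have succeeded.
create_association() {
  $GCLOUD beta network-security firewall-endpoint-associations create "$ASSOCIATION" \
    --endpoint "$(endpoint_path "$ORG_ID" "$ZONE" "$ENDPOINT")" \
    --network "$(network_path "$PROJECT_ID" "$NETWORK")" \
    --zone "$ZONE" --project "$PROJECT_ID" --no-async
}

# Step 3: read back the endpoint state (assumes describe exposes a 'state' field).
endpoint_state() {
  $GCLOUD beta network-security firewall-endpoints describe "$ENDPOINT" \
    --organization "$ORG_ID" --zone "$ZONE" --format 'value(state)'
}

require_zone "$ZONE"
create_endpoint
create_association
echo "endpoint state: $(endpoint_state)"
```

A real run needs the APIs and IAM roles listed under Before you begin; the dry run is useful for reviewing the exact resource paths before anything is created.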
View a firewall endpoint association
You can view the details of a specific firewall endpoint association in a zone.
gcloud
gcloud beta network-security firewall-endpoint-associations describe NAME \
    --zone ZONE
Replace the following:
NAME: the name of the firewall endpoint association.
ZONE: the zone of the firewall endpoint association.
List firewall endpoint associations
You can list all the firewall endpoint associations in a zone.
Console
In the Google Cloud console, go to the VPC networks page.
Click the name of a VPC network to show its VPC network details page.
Select the Firewall endpoint tab. The tab shows a list of configured firewall endpoint associations.
gcloud
gcloud beta network-security firewall-endpoint-associations list \
    --zone ZONE
Replace the following:
ZONE: the zone of the firewall endpoint association.
Delete a firewall endpoint association
You can delete a firewall endpoint association by specifying its name and zone.
Console
In the Google Cloud console, go to the VPC networks page.
Click the name of a VPC network to show its VPC network details page.
Select the Firewall endpoint tab. The tab shows a list of configured firewall endpoint associations.
Select an endpoint association, and then click Delete.
Click Delete again to confirm.
gcloud
gcloud beta network-security firewall-endpoint-associations delete NAME \
    --zone ZONE
Replace the following:
NAME: the name of the firewall endpoint association.
ZONE: the zone of the firewall endpoint association.