This page explains how to configure and manage a firewall endpoint and associate it with a Virtual Private Cloud (VPC) network by using the Google Cloud console and Google Cloud CLI.
You create a firewall endpoint at a zonal level, and then associate it with one or more VPC networks in the same zone. If you have enabled Layer 7 inspection in the firewall policy associated with your VPC network, the matched traffic is transparently intercepted and forwarded to the firewall endpoint.
Before you begin
You need a VPC network and a subnet.
You must enable the Compute Engine API in your Google Cloud project.
You must enable the Network Security API in the Google Cloud project that you want to use for billing.
You must enable the Certificate Authority Service API in your Google Cloud project.
Install the gcloud CLI if you want to run the gcloud command-line examples in this guide.
Roles
To get the permissions that you need to create, view, update, or delete firewall endpoints, ask your administrator to grant you the necessary IAM roles on your organization. For more information about granting roles, see Manage access.
Quotas
To view quotas for firewall endpoints and associations, see Quotas and limits.
Create a firewall endpoint
Create a firewall endpoint in a specific zone.
Console
In the Google Cloud console, go to the Firewall endpoints page.
In the project selector menu, select your organization.
Click Create.
In the Region list, select the region where you want to create the firewall endpoint.
In the Zone list, select the zone where you want to create the firewall endpoint.
Enter a name in the Name field.
In the Billing project list, select the Google Cloud project that you want to use for billing the firewall endpoint.
Click Continue.
Optional: to add a firewall endpoint association, click Add endpoint association and complete the following steps; otherwise, skip this step.
- In the Project list, select the Google Cloud project where you want to create the firewall endpoint association.
- If the Compute Engine API or the Network Security API is not enabled for the Google Cloud project, click Enable.
- In the Network list, select the network that you want to associate with the firewall endpoint.
- Optional: in the TLS inspection policy list, select the TLS inspection policy that you want to add to this association.
- To add another association, click Add endpoint association.
Click Create.
gcloud
To create a firewall endpoint, use the
gcloud network-security firewall-endpoints create
command:
gcloud network-security firewall-endpoints create NAME \
    --organization ORGANIZATION_ID \
    --zone ZONE \
    --billing-project BILLING_PROJECT_ID
Replace the following:
NAME: the name of the firewall endpoint.
ORGANIZATION_ID: the organization where the endpoint is activated.
ZONE: the zone where the endpoint is activated.
BILLING_PROJECT_ID: a Google Cloud project ID to be used for billing of the firewall endpoint.
To associate the firewall endpoint to a VPC network, see Create firewall endpoint associations.
View a firewall endpoint
You can view the details of a specific firewall endpoint.
Console
In the Google Cloud console, go to the Firewall endpoints page.
In the project selector menu, select your organization.
The Firewall endpoints page lists all the configured firewall endpoints in the organization.
Click the name of the firewall endpoint to view its details.
gcloud
To view details of a firewall endpoint, use the
gcloud network-security firewall-endpoints describe
command:
gcloud network-security firewall-endpoints describe NAME \
    --organization ORGANIZATION_ID \
    --zone ZONE
Replace the following:
NAME: the name of the firewall endpoint.
ORGANIZATION_ID: the organization where the endpoint is activated.
ZONE: the zone where the endpoint is activated.
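The create and describe commands above, combined into a script that creates an endpoint and then polls describe until the endpoint reports that it is active before anything is associated with it. This is an added example, not code from the Google Cloud documentation: the organization ID, zone, billing project and endpoint name are placeholder assumptions that you override through the environment, and the state values it checks (ACTIVE, CREATING) are assumed from the describe output and should be confirmed in your own environment.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation): create a firewall
# endpoint with gcloud, then poll `describe` until it reports state ACTIVE.
# All identifiers below are placeholder assumptions; override them via the
# environment. Set GCLOUD to a stub for a dry run.
set -eu

ORGANIZATION_ID="${ORGANIZATION_ID:-123456789012}"
ZONE="${ZONE:-us-central1-a}"
BILLING_PROJECT_ID="${BILLING_PROJECT_ID:-my-billing-project}"
ENDPOINT_NAME="${ENDPOINT_NAME:-fw-endpoint-usc1a}"
GCLOUD="${GCLOUD:-gcloud}"

# Render the create command as a string so it can be reviewed (or logged)
# before it is executed.
endpoint_create_cmd() {
  printf '%s network-security firewall-endpoints create %s --organization %s --zone %s --billing-project %s' \
    "$GCLOUD" "$ENDPOINT_NAME" "$ORGANIZATION_ID" "$ZONE" "$BILLING_PROJECT_ID"
}

# Create the endpoint. Provisioning can take a while, so callers should not
# treat the endpoint as usable until wait_for_endpoint succeeds.
endpoint_create() {
  "$GCLOUD" network-security firewall-endpoints create "$ENDPOINT_NAME" \
    --organization "$ORGANIZATION_ID" \
    --zone "$ZONE" \
    --billing-project "$BILLING_PROJECT_ID"
}

# Print only the state field from describe; prints nothing if the endpoint
# does not exist yet (describe fails), so the caller can keep polling.
endpoint_state() {
  "$GCLOUD" network-security firewall-endpoints describe "$ENDPOINT_NAME" \
    --organization "$ORGANIZATION_ID" \
    --zone "$ZONE" \
    --format='value(state)' 2>/dev/null || true
}

# Poll until the endpoint is ACTIVE. $1 = maximum polls, $2 = seconds between
# polls. Returns 1 on timeout or on a state other than ACTIVE/CREATING
# (state names are assumed; check them against your describe output).
wait_for_endpoint() {
  max="${1:-60}"
  delay="${2:-30}"
  i=0
  while [ "$i" -lt "$max" ]; do
    state="$(endpoint_state)"
    case "$state" in
      ACTIVE) return 0 ;;
      CREATING|'') ;;   # still provisioning, or not yet visible
      *)
        printf 'endpoint %s in unexpected state: %s\n' "$ENDPOINT_NAME" "$state" >&2
        return 1 ;;
    esac
    i=$((i + 1))
    if [ "$i" -lt "$max" ]; then sleep "$delay"; fi
  done
  printf 'timed out waiting for endpoint %s\n' "$ENDPOINT_NAME" >&2
  return 1
}

# Only touch the organization when invoked with "apply", so the file can be
# sourced for review or testing without side effects.
if [ "${1:-}" = "apply" ]; then
  printf 'Running: %s\n' "$(endpoint_create_cmd)"
  endpoint_create
  wait_for_endpoint 60 30
  "$GCLOUD" network-security firewall-endpoints describe "$ENDPOINT_NAME" \
    --organization "$ORGANIZATION_ID" --zone "$ZONE"
fi
```

Run it as `sh create-endpoint.sh apply` with the environment variables set for your organization. The script fails closed: a state other than ACTIVE or CREATING, or a timeout, returns nonzero, so a pipeline that creates the endpoint association in a following step does not proceed against an endpoint that never became usable.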
List firewall endpoints
You can list all the firewall endpoints in an organization.
Console
In the Google Cloud console, go to the Firewall endpoints page.
The Firewall endpoints page lists all the configured firewall endpoints in the organization.
gcloud
To list all firewall endpoints, use the
gcloud network-security firewall-endpoints list
command:
gcloud network-security firewall-endpoints list \
    --organization ORGANIZATION_ID \
    --zone ZONE \
    --billing-project BILLING_PROJECT_ID
Replace the following:
ORGANIZATION_ID: the organization where the endpoints are activated.
ZONE: the zone where the endpoints are activated. To list endpoints in all zones, use - as the zone.
BILLING_PROJECT_ID: an optional Google Cloud project ID that is charged quota for the operation.
Edit a firewall endpoint
You can update the billing project of a firewall endpoint in an organization.
Console
In the Google Cloud console, go to the Firewall endpoints page.
In the project selector menu, select your organization.
The Firewall endpoints page lists all the configured firewall endpoints in the organization.
Click the name of the firewall endpoint to view its details.
Click Edit.
In the Billing project list, select the Google Cloud project that you want to use for billing the firewall endpoint.
Click Save.
gcloud
To edit a firewall endpoint, use the
gcloud network-security firewall-endpoints update
command:
gcloud network-security firewall-endpoints update NAME \
    --organization ORGANIZATION_ID \
    --zone ZONE \
    --billing-project BILLING_PROJECT_ID
Replace the following:
NAME: the name of the firewall endpoint.
ORGANIZATION_ID: the organization where the endpoint is activated.
ZONE: the zone where the endpoint is activated.
BILLING_PROJECT_ID: the Google Cloud project ID that you want to associate with this firewall endpoint for billing.
Delete a firewall endpoint
You can delete a firewall endpoint by specifying its name, zone, and organization.
Console
In the Google Cloud console, go to the Firewall endpoints page.
Select the firewall endpoint, and then click Delete.
Click Delete again to confirm.
gcloud
To delete a firewall endpoint, use the
gcloud network-security firewall-endpoints delete
command:
gcloud network-security firewall-endpoints delete NAME \
    --organization ORGANIZATION_ID \
    --zone ZONE
Replace the following:
NAME: the name of the firewall endpoint.
ORGANIZATION_ID: the organization where the endpoint is activated.
ZONE: the zone where the endpoint is activated.
What's next
- Create and manage firewall endpoint associations
- Use hierarchical firewall policies and rules
- Use global network firewall policies and rules