Firewall policies let you group several firewall rules so that you can update them all at once, with access to the policy controlled by Identity and Access Management (IAM) roles. Like Virtual Private Cloud (VPC) firewall rules, these policies contain rules that can explicitly deny or allow connections.
Hierarchical firewall policies
Hierarchical firewall policies let you group rules into a policy object that can apply to many VPC networks in one or more projects. You can associate hierarchical firewall policies with an entire organization or individual folders.
For hierarchical firewall policy specifications and details, see Hierarchical firewall policies.
Global network firewall policies
Global network firewall policies let you group rules into a policy object applicable to all regions (global). After you associate a global network firewall policy with a VPC network, the rules in the policy can apply to resources in the VPC network.
For global network firewall policy specifications and details, see Global network firewall policies.
Regional network firewall policies
Regional network firewall policies let you group rules into a policy object applicable to a specific region. After you associate a regional network firewall policy with a VPC network, the rules in the policy can apply to resources within that region of the VPC network.
For regional firewall policy specifications and details, see Regional network firewall policies.
Policy and rule evaluation order
Rules in hierarchical firewall policies, global network firewall policies, regional network firewall policies, and VPC firewall rules are implemented as part of the VM packet processing of the Andromeda network virtualization stack. Rules are evaluated for each network interface (NIC) of the VM.
The applicability of a rule doesn't depend on the specificity of its protocols and ports configuration. For example, a higher priority allow rule for all protocols takes precedence over a lower priority deny rule specific to TCP port 22.
In addition, the applicability of a rule doesn't depend on the specificity of the target parameter. For example, a higher priority allow rule for all VMs (all targets) takes precedence even if a lower priority deny rule exists with a more specific target parameter, such as a specific service account or tag.
By default, and when the networkFirewallPolicyEnforcementOrder of the VPC network used by the VM's NIC is AFTER_CLASSIC_FIREWALL, Google Cloud evaluates rules applicable to the VM's NIC in the following order:
1. If a hierarchical firewall policy is associated with the organization that contains the VM's project, Google Cloud evaluates all applicable rules in the hierarchical firewall policy. Because rules in hierarchical firewall policies must be unique, the highest priority rule that matches the direction of traffic and Layer 4 characteristics determines how the traffic is processed:
   - The rule can allow the traffic. The evaluation process stops.
   - The rule can deny the traffic. The evaluation process stops.
   - The rule can permit processing of rules defined as described in the next steps if either of the following is true:
     - A rule with a goto_next action matches the traffic.
     - No rules match the traffic. In this case, an implied goto_next rule applies.
2. If a hierarchical firewall policy is associated with the most distant (top) folder ancestor of the VM's project, Google Cloud evaluates all applicable rules in the hierarchical firewall policy for that folder. Because rules in hierarchical firewall policies must be unique, the highest priority rule that matches the direction of traffic and Layer 4 characteristics determines how the traffic is processed (allow, deny, or goto_next) as described in the first step.
3. Google Cloud repeats the actions of the previous step for a hierarchical firewall policy associated with the next folder that is closer to the VM's project in the resource hierarchy. Google Cloud first evaluates rules in hierarchical firewall policies associated with the most distant folder ancestor (closest to the organization node), and then evaluates rules in hierarchical firewall policies associated with the next (child) folder closer to the VM's project.
4. If VPC firewall rules exist in the VPC network used by the VM's NIC, Google Cloud evaluates all applicable VPC firewall rules. Unlike rules in firewall policies:
   - VPC firewall rules have no explicit goto_next action. A VPC firewall rule can only be configured to allow or deny traffic.
   - Two or more VPC firewall rules in a VPC network can share the same priority number. In that situation, deny rules take precedence over allow rules. For additional details about VPC firewall rule priority, see Priority in the VPC firewall rules documentation.
   If no VPC firewall rule applies to the traffic, Google Cloud continues to the next step (implied goto_next).
5. If a global network firewall policy is associated with the VPC network of the VM's NIC, Google Cloud evaluates all applicable rules in the firewall policy. Because rules in firewall policies must be unique, the highest priority rule that matches the direction of traffic and Layer 4 characteristics determines how the traffic is processed (allow, deny, or goto_next) as described in the first step.
6. If a regional network firewall policy is associated with the VPC network of the VM's NIC and the region of the VM, Google Cloud evaluates all applicable rules in the firewall policy. Because rules in firewall policies must be unique, the highest priority rule that matches the direction of traffic and Layer 4 characteristics determines how the traffic is processed (allow, deny, or goto_next) as described in the first step.
7. As a final step in the evaluation, Google Cloud enforces the implied allow egress and implied deny ingress VPC firewall rules.
You can swap steps 4 and 5 in the evaluation process by setting the networkFirewallPolicyEnforcementOrder of the VPC network to BEFORE_CLASSIC_FIREWALL. For more details, see Networks.patch.
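The default (AFTER_CLASSIC_FIREWALL) evaluation order above, as an added example that is not code from the Google Cloud documentation: a small Python simulator that applies the firewall policy semantics (unique priorities, goto_next, implied goto_next), the VPC firewall rule semantics (shared priorities, deny wins a tie, no goto_next) and the final implied rules. The Rule and packet shapes, the stage list and the sample rules are assumptions constructed for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Rule:
    priority: int                     # lower number = higher priority
    action: str                       # "allow", "deny" or "goto_next" (policies only)
    direction: str = "INGRESS"
    protocol: str = "all"
    ports: frozenset = frozenset()    # empty = every port
    targets: frozenset = frozenset()  # empty = all VMs, else tags / service accounts

    def matches(self, pkt):
        # Specificity plays no part in precedence: a rule either matches or it does not.
        return (self.direction == pkt["direction"]
                and self.protocol in ("all", pkt["protocol"])
                and (not self.ports or pkt["port"] in self.ports)
                and (not self.targets or bool(self.targets & pkt["targets"])))

def eval_policy(rules, pkt):
    """Firewall policy (hierarchical, global, regional): unique priorities, best match decides."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(pkt):
            return None if rule.action == "goto_next" else rule.action
    return None  # no match: implied goto_next, continue with the next step

def eval_vpc_rules(rules, pkt):
    """VPC firewall rules: no goto_next, priorities may collide, deny beats allow on a tie."""
    matched = [r for r in rules if r.matches(pkt)]
    if not matched:
        return None  # continue with the next step
    best = min(r.priority for r in matched)
    return "deny" if any(r.action == "deny" and r.priority == best for r in matched) else "allow"

def evaluate(pkt, stages):
    """stages: ordered (kind, rules) pairs; default order: hierarchical (org down), vpc, global, regional."""
    for kind, rules in stages:
        verdict = eval_vpc_rules(rules, pkt) if kind == "vpc" else eval_policy(rules, pkt)
        if verdict is not None:
            return verdict, kind
    # Final step: implied allow egress and implied deny ingress VPC firewall rules.
    return ("allow" if pkt["direction"] == "EGRESS" else "deny"), "implied"
# Constructed scenario: org policy = broad TCP allow (100) plus TCP/22 deny (200);
# VPC network = two UDP/53 rules sharing priority 1000 with opposite actions.
ORG_POLICY = [Rule(100, "allow", protocol="tcp"),
              Rule(200, "deny", protocol="tcp", ports=frozenset({22}))]
VPC_RULES = [Rule(1000, "allow", protocol="udp", ports=frozenset({53})),
             Rule(1000, "deny", protocol="udp", ports=frozenset({53}))]
STAGES = [("hierarchical", ORG_POLICY), ("vpc", VPC_RULES), ("global", []), ("regional", [])]
def decide(direction, protocol, port, tags=("web",)):
    pkt = {"direction": direction, "protocol": protocol, "port": port, "targets": frozenset(tags)}
    return evaluate(pkt, STAGES)
```

With these constructed rules, TCP/22 ingress is allowed by the broader, higher-priority organization rule even though a more specific deny exists, and UDP/53 ingress is denied by the VPC tie-break.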
The following diagram shows the resolution flow for firewall rules.
Effective firewall rules
Hierarchical firewall policy rules, VPC firewall rules, and global and regional network firewall policy rules control connections. You may find it helpful to see all the firewall rules that affect an individual network or VM interface.
Network effective firewall rules
You can view all firewall rules applied to a VPC network. The list includes all of the following kinds of rules:
- Rules inherited from hierarchical firewall policies
- VPC firewall rules
- Rules applied from the global and regional network firewall policies
Instance effective firewall rules
You can view all firewall rules applied to a VM's network interface. The list includes all of the following kinds of rules:
- Rules inherited from hierarchical firewall policies
- Rules applied from the interface's VPC firewall
- Rules applied from the global and regional network firewall policies
The rules are ordered from the organization level down to the VPC network. Only rules that apply to the VM interface are shown. Rules in other policies are not shown.
To view the effective firewall policy rules within a region, see Get effective firewall policies for a network.
What's next
- To create and modify hierarchical firewall policies and rules, see Use hierarchical firewall policies.
- To see examples of hierarchical firewall policy implementations, see Hierarchical firewall policy examples.
- To create and modify global network firewall policies and rules, see Use global network firewall policies.
- To create and modify regional network firewall policies and rules, see Use regional network firewall policies.