This page shows examples of global network firewall policy and regional network firewall policy implementations. It assumes that you are familiar with the concepts described in Global network firewall policies and Regional network firewall policies.
You can attach one global network firewall policy and multiple regional network firewall policies to a Virtual Private Cloud (VPC) network. A global network firewall policy applies to all subnetworks in all regions of the VPC network. A regional network firewall policy applies to only the subnetworks of the VPC network in the target region.
Figure 1 describes the scope of a global network firewall policy and a regional network firewall policy in a VPC network.
Example: Deny all external connections except to specific ports
In this use case, a global network firewall policy blocks all connections from external internet sources except for connections on destination ports 80, 443, and 22. An ingress internet connection on ports other than 80, 443, or 22 is blocked. Rule enforcement for any connections on ports 80, 443, or 22 is delegated to the regional network firewall policy.
In this example, a regional network firewall policy applies to region-a, which allows internal traffic from source 10.2.0.0/16 and ingress traffic to ports 443 and 80 from any source. Figure 2 describes the configuration setup for this use case.
Effective policy applied in VMs
This section describes the effective network firewall policy applicable in this example after evaluating the rules across the hierarchy.
Ingress connections
- Any ingress connections from 10.0.0.0/8 match the highest priority global network firewall policy rule delegate-internal-traffic and bypass the rest of the rules in the global network firewall policy. In the regional network firewall policy, ingress connections from 10.2.0.0/16 are allowed, and the rest of the connections are evaluated against the implied ingress deny rule.
- Ingress connections with a source IP range other than 10.0.0.0/8 and destination ports 22, 80, or 443 are delegated to the regional network firewall policy rule level. In the regional network firewall policy, ports 80 and 443 are allowed, but port 22 is not.
Egress connections
- There is no match across the global network firewall policy rules or the regional network firewall policy rules. Therefore, the implied system rules apply, which allow egress connections.
How to configure
Create a global network firewall policy (the rules are added in the following steps):
gcloud compute network-firewall-policies create \
    "example-firewall-policy-global" --global \
    --description "Global network firewall policy with rules that apply to all VMs in the VPC network"
Associate the policy with the VPC network:
gcloud compute network-firewall-policies associations create \
    --firewall-policy example-firewall-policy-global \
    --network my-example-vpc \
    --global-firewall-policy
Add a rule to match any ingress connections from 10.0.0.0/8 and delegate them to the next level (goto_next):
gcloud compute network-firewall-policies rules create 1000 \
    --action goto_next \
    --description "delegate-internal-traffic" \
    --layer4-configs all \
    --firewall-policy example-firewall-policy-global \
    --src-ip-ranges 10.0.0.0/8 \
    --global-firewall-policy
Add a rule to delegate external traffic to specific destination ports (80, 443, and 22):
gcloud compute network-firewall-policies rules create 2000 \
    --action goto_next \
    --description "delegate-external-traffic-spec-ports" \
    --layer4-configs tcp:80,tcp:443,tcp:22 \
    --firewall-policy example-firewall-policy-global \
    --src-ip-ranges 0.0.0.0/0 \
    --global-firewall-policy
Add a rule to block all remaining ingress traffic:
gcloud compute network-firewall-policies rules create 3000 \
    --action deny \
    --description "block-external-traffic-spec-ports" \
    --firewall-policy example-firewall-policy-global \
    --src-ip-ranges 0.0.0.0/0 \
    --layer4-configs all \
    --global-firewall-policy
Create a regional network firewall policy:
gcloud compute network-firewall-policies create \
    example-firewall-policy-regional --region=region-a \
    --description "Regional network firewall policy with rules that apply to all VMs in region-a"
Associate the regional network firewall policy with the VPC network to activate the policy rules for any VMs in that network in the target region:
gcloud compute network-firewall-policies associations create \
    --firewall-policy example-firewall-policy-regional \
    --network my-example-vpc \
    --firewall-policy-region=region-a
Add a rule to the regional network firewall policy that allows internal traffic:
gcloud compute network-firewall-policies rules create 1000 \
    --action allow \
    --firewall-policy example-firewall-policy-regional \
    --description allow-internal-traffic \
    --direction INGRESS \
    --src-ip-ranges 10.2.0.0/16 \
    --layer4-configs all \
    --firewall-policy-region=region-a
Add a rule to allow external traffic to specific destination ports (80 and 443):
gcloud compute network-firewall-policies rules create 2000 \
    --action allow \
    --firewall-policy example-firewall-policy-regional \
    --description allow-external-traffic-spec-ports \
    --direction INGRESS \
    --layer4-configs=tcp:80,tcp:443 \
    --src-ip-ranges 0.0.0.0/0 \
    --firewall-policy-region=region-a
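The following Python script is an added example, not part of this page or of any Google Cloud tool: it models the rules created above as data and replays the evaluation order described in the "Effective policy applied in VMs" section (global policy first, then regional policy, then the implied rules), so you can check a candidate connection against the policy before or after you apply it with gcloud. It is a constructed model of the evaluation logic only; it deliberately omits hierarchical firewall policies and VPC firewall rules, which would sit before and after the two policies in the real evaluation chain, and the sample source addresses are made up.

```python
"""Replay the global -> regional -> implied-rule evaluation of this example.

Constructed model for illustration; it is not the Google Cloud API and ignores
hierarchical firewall policies and VPC firewall rules.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Rule:
    priority: int               # lower number = higher priority, evaluated first
    action: str                 # "allow", "deny" or "goto_next"
    description: str
    src_ip_ranges: List[str]
    layer4_configs: List[str]   # ["all"] or ["tcp:80", "tcp:443", ...]
    direction: str = "INGRESS"  # gcloud default when --direction is omitted

    def matches(self, direction: str, src_ip: str, proto: str, dst_port: int) -> bool:
        if direction != self.direction:
            return False
        src = ipaddress.ip_address(src_ip)
        if not any(src in ipaddress.ip_network(cidr) for cidr in self.src_ip_ranges):
            return False
        if "all" in self.layer4_configs:
            return True
        return f"{proto}:{dst_port}" in self.layer4_configs


# The rules from the "How to configure" steps, in the same priorities and order.
GLOBAL_POLICY = [
    Rule(1000, "goto_next", "delegate-internal-traffic", ["10.0.0.0/8"], ["all"]),
    Rule(2000, "goto_next", "delegate-external-traffic-spec-ports", ["0.0.0.0/0"],
         ["tcp:80", "tcp:443", "tcp:22"]),
    Rule(3000, "deny", "block-external-traffic-spec-ports", ["0.0.0.0/0"], ["all"]),
]
REGIONAL_POLICY = [
    Rule(1000, "allow", "allow-internal-traffic", ["10.2.0.0/16"], ["all"]),
    Rule(2000, "allow", "allow-external-traffic-spec-ports", ["0.0.0.0/0"],
         ["tcp:80", "tcp:443"]),
]
POLICY_CHAIN = (("global", GLOBAL_POLICY), ("regional", REGIONAL_POLICY))


def evaluate(direction: str, src_ip: str, proto: str, dst_port: int,
             chain=POLICY_CHAIN) -> Tuple[str, List[str]]:
    """Return (verdict, trace). Within a policy the first matching rule wins;
    allow/deny are terminal, goto_next hands the connection to the next level."""
    trace = []
    for name, rules in chain:
        for rule in sorted(rules, key=lambda r: r.priority):
            if rule.matches(direction, src_ip, proto, dst_port):
                trace.append(f"{name}/{rule.priority} {rule.description} -> {rule.action}")
                if rule.action in ("allow", "deny"):
                    return rule.action, trace
                break  # goto_next: skip the rest of this policy, continue with the next
    # Nothing terminal matched: the implied rules decide (ingress deny, egress allow).
    implied = "deny" if direction == "INGRESS" else "allow"
    trace.append(f"implied {direction.lower()} rule -> {implied}")
    return implied, trace


# Constructed sample connections covering each branch described on this page.
SAMPLES = [
    ("INGRESS", "10.2.1.5", "tcp", 22),      # internal, inside 10.2.0.0/16
    ("INGRESS", "10.3.0.1", "tcp", 8080),    # internal, outside 10.2.0.0/16
    ("INGRESS", "203.0.113.7", "tcp", 443),  # external, delegated port, allowed regionally
    ("INGRESS", "203.0.113.7", "tcp", 22),   # external, delegated port, not allowed regionally
    ("INGRESS", "203.0.113.7", "tcp", 8080), # external, non-delegated port
    ("EGRESS", "10.2.1.5", "tcp", 443),      # egress: no rule matches
]

if __name__ == "__main__":
    for conn in SAMPLES:
        verdict, trace = evaluate(*conn)
        print(f"{conn[0]:7} {conn[1]:>12} {conn[2]}:{conn[3]:<5} -> {verdict:5} via {' ; '.join(trace)}")
```

Running the script prints one line per sample connection with the rule chain that produced the verdict, which is a quick way to confirm that the regional policy, not the global one, is what lets external port 80/443 traffic in and that external port 22 ends at the implied ingress deny rule.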
What's next
To create and modify global network firewall policies and rules, see Use global network firewall policies and rules.
To create and modify regional network firewall policies and rules, see Use regional network firewall policies and rules.