To use address groups, you must first identify the scope of the address group relevant to your requirement. The scope identifies the level at which the address group is applicable in the resource hierarchy.
If you want to use an address group in a firewall policy rule that applies to an individual project, use a project-scoped address group.
If you want to use an address group in a firewall policy rule that is applicable throughout the hierarchy on all resources in an organization or network, use an organization-scoped address group.
Project-scoped address groups
This section provides detailed information about how to manage project-scoped address groups.
Project-scoped address groups are defined at the project level, and only apply to the project where they are created. To use an address group, you must associate it to a firewall rule in a global network firewall policy or regional network firewall policy. The location of the address group must be the same as the location of the firewall policy where it is used.
Create an address group
The container type
of the project-scoped address group is always set to projects.
When you create an address group, you can specify the name of the address group as a string or as a unique URL identifier. The unique URL for a project-scoped address group can be constructed in the following format:
projects/PROJECT_ID/locations/location/addressGroups/ADDRESS_GROUP_NAME
If you use a unique URL identifier for the address group name, the location of the address group is already included in the URL identifier. However, if you use only the address group name, you must specify the location separately. For more information about unique URL identifiers, see Address group specifications.
An address group can have IPv4 or IPv6 item types, but not both. You must also specify the maximum item capacity for an address group. After the address group is created, you cannot change the name, item type, or item capacity of the address group.
Console
In the Google Cloud console, go to the Address groups page.
In the project selector menu, select your project.
Click Create Address Group.
In the Name field, enter a name.
Optional: In the Description field, enter a description.
For Scope, choose Global or Regional.
If you choose Regional, specify the region where the address group is created.
For Type, select IPv4 or IPv6.
For Purpose, select Firewall.
If you want to use the address group in both Cloud Next Generation Firewall policies and Google Cloud Armor security policies, choose Cloud NGFW and Cloud Armor.
For more information about this field , see address group specification.
In the Capacity field, enter the capacity of the address group.
In the IP Addresses field, list the IP addresses or IP ranges that you want to include in the address group. For example,
1.1.1.0/24,1.2.0.0.Click Create.
gcloud
To create an address group, use the
gcloud network-security address-groups create command:
gcloud network-security address-groups create NAME \ --type TYPE \ --capacity CAPACITY \ --location LOCATION \ --description DESCRIPTION
Replace the following:
NAME: the name of the address group; you can specify the name as a string or as a unique URL identifierTYPE: the type of address group—IPv4 or IPv6CAPACITY: the capacity of the address groupLOCATION: the location of the address groupThis can be set to
globalor a region code (such aseurope-west). If you use a unique URL identifier for thenameparameter, you can omit thelocationparameter.DESCRIPTION: an optional description for the address group
Describe an address group
To view the details of an address group, you must specify the name and location of the address group.
Console
In the Google Cloud console, go to the Address groups page.
In the project selector menu, select your project.
The address groups are listed in the Address groups section.
To view the details, click the name of your address group.
gcloud
To describe an address group, use the
gcloud network-security address-groups describe command:
gcloud network-security address-groups describe NAME \
--location LOCATION
Update an address group
You cannot update the name, type, or capacity of the address group. You can only update the address group description and IP addresses.
Console
In the Google Cloud console, go to the Address groups page.
In the project selector menu, select your project.
The address groups are listed in the Address groups section.
To edit an address group, click the name of your address group.
Click Edit.
Modify the required fields.
Click Save.
gcloud
To update an address group, use the
gcloud network-security address-groups update command:
gcloud network-security address-groups update NAME \
--description DESCRIPTION \
--location LOCATION
List address groups
You can list all the address groups in a location.
Console
In the Google Cloud console, go to the Address groups page.
In the project selector menu, select your project.
The address groups are listed in the Address groups section.
gcloud
To list the address groups, use the
gcloud network-security address-groups list command:
gcloud network-security address-groups list \
--location LOCATION
Delete an address group
You can delete an address group by specifying its name and location. However, if the address group is referenced by a firewall policy, that address group cannot be deleted.
Console
In the Google Cloud console, go to the Address groups page.
In the project selector menu, select your project.
The address groups are listed in the Address groups section.
Select the checkbox next to the address group that you want to delete. Make sure that the selected address group is not referenced by any firewall policy.
Click Delete, and then click Delete again to confirm.
gcloud
To delete an address group in a project, use the
gcloud network-security address-groups delete command:
gcloud network-security address-groups delete NAME \ --location LOCATION
Find address group references
An address group is used by firewall policies. You can find the list of all the firewall policies that use a specific address group.
Console
In the Google Cloud console, go to the Address groups page.
In the project selector menu, select your project.
The address groups are listed in the Address groups section.
Click the name of your address group.
In the In use by field, the firewall policies that use this address group are listed in the following format:
POLICY_NAME(rule priority:PRIORITY_NUMBER)
gcloud
To list all the resources that reference a project-scoped address group, use
the gcloud network-security address-groups list-references command:
gcloud network-security address-groups list-references NAME \
--location LOCATION
Add items to an address group
You can add multiple items such as IP addresses or IP ranges to an address group. If the request contains items that are already part of the address groups, those items are ignored. If the request contains invalid items, the entire request fails.
Console
To add an item to an address group by using Google Cloud console, follow the procedure mentioned in Update an address group.
gcloud
To add items to an address group, use the
gcloud network-security address-groups add-items command:
gcloud network-security address-groups add-items NAME \
--items ITEMS \
--location LOCATION
Replace the following:
NAME: the name of the address group; you can specify the name as a string or as a unique URL identifierITEMS: a comma-separated list of IP addresses or IP ranges in CIDR formatLOCATION: the location of the address groupThis can be set to
globalor a region code (such aseurope-west). If you use a unique URL identifier for thenameparameter, you can omit thelocationparameter.
Remove item from an address group
You can remove existing items from an address group. If any of the items in the request are invalid, the request fails. If the request contains items that are not part of the address group, those items are ignored.
Console
To remove an item from an address group by using Google Cloud console, follow the procedure mentioned in Update an address group.
gcloud
To remove items from an address group, use the
gcloud network-security address-groups remove-items command:
gcloud network-security address-groups remove-items NAME \
--items ITEMS \
--location LOCATION
Clone items from another address group
You can clone items from one address group to another.
Console
In the Google Cloud console, go to the Address groups page.
In the project selector menu, select your project.
The address groups are listed in the Address groups section.
Click the name of your address group that you want to clone.
Click Clone.
In the Clone address group pane, for Name, enter a name.
Optional: In the Description field, enter a description.
For Scope, select Global or Regional.
If you choose Regional, specify the region where the address group is created.
For Type, select IPv4 or IPv6.
For Purpose, select Firewall.
In the Capacity field, enter the capacity of the address group.
In the IP Addresses field, update the IP addresses or IP ranges that are cloned from the address group.
Click Clone.
gcloud
To clone an address group by using Google Cloud CLI, follow these guidelines:
- Both address groups must be of the same type.
- Both address groups must be in the same region.
- Make sure that the new address group has sufficient capacity to fit the items of the source address group that are being cloned.
To specify the source address group, use the following unique URL identifier format:
projects/PROJECT_ID/locations/location/addressGroups/ADDRESS_GROUP_NAMEFor more information about unique URL identifiers for address groups, see Address group specifications.
To clone items from an address group, use the
gcloud network-security address-groups clone-items command:
gcloud network-security address-groups clone-items NAME \
--source SOURCE_NAMED_LIST \
--location LOCATION
Replace the following:
NAME: the name of the address group; you can specify the name as a string or as a unique URL identifierSOURCE_NAMED_LIST: a unique URL identifier of the source address group from where the items are clonedLOCATION: the location of the destination address groupThis can be set to
globalor a region code (such aseurope-west). If you use a unique URL identifier for thenameparameter, you can omit thelocationparameter.
Organization-scoped address groups
This section provides detailed information about how to manage organization-scoped address groups.
Organization-scoped address groups are defined at the organization level and apply to all the resources in the organization as specified in the resource hierarchy. To use an address group, you must associate it to a firewall rule in a hierarchical firewall policy, a global network firewall policy, or a regional network firewall policy.
Create an address group
The container type
of the organization-scoped address group is always set to organization.
When you create an address group, you can specify the name of the address group as a string or as a unique URL identifier. The unique URL for an organization-scoped address group can be constructed in the following format:
organization/ORGANIZATION_ID/locations/LOCATION/addressGroups/ADDRESS_GROUP_NAME
If you use a unique URL identifier for the address group name, the organization ID or location for the address group is already included in the URL identifier. However, if you use only the address group name, you must specify the ID of the organization and the location where you are defining the address group. For more information about unique URL identifiers, see Address group specifications.
An address group can have IPv4 or IPv6 item types, but not both. You must also specify the maximum item capacity for an address group. After the address group is created, you cannot change the name, item type, or item capacity of the address group.
Console
In the Google Cloud console, go to the Address groups page.
In the project selector menu, select your organization.
Click Create Address Group.
In the Name field, enter a name.
Optional: In the Description field, enter a description.
For Scope, select Global or Regional.
If you choose Regional, specify the region where the address group is created.
For Type, select IPv4 or IPv6.
For Purpose, select Firewall.
In the Capacity field, enter the capacity of the address group.
In the IP Addresses field, list the IP addresses or IP ranges that you want to include in the address group. For example,
1.1.1.0/24,1.2.0.0.Click Create.
gcloud
To create an organization-scoped address group, use the
gcloud network-security org-address-groups create command:
gcloud network-security org-address-groups create NAME \ --organization ORGANIZATION \ --type TYPE \ --capacity CAPACITY \ --location LOCATION \ --description DESCRIPTION
Replace the following:
NAME: the name of the address group; you can specify the name as a string or as a unique URL identifierORGANIZATION: the organization ID where the address group is createdIf you use a unique URL identifier for the
nameparameter, you can omit theorganizationparameter.TYPE: the type of address group—IPv4 or IPv6CAPACITY: the capacity of the address groupLOCATION: the location of the address groupThis can be set to
globalor a region code (such aseurope-west). If you use a unique URL identifier for thenameparameter, you can omit thelocationparameter.DESCRIPTION: an optional description for the address group
Describe an address group
You can view the details of a specific address group.
Console
In the Google Cloud console, go to the Address groups page.
In the project selector menu, select your organization.
The address groups are listed in the Address groups section.
To view the details, click the name of you address group.
gcloud
To describe an organization-scoped address group, use the
gcloud network-security org-address-groups describe command:
gcloud network-security org-address-groups describe NAME \
--organization ORGANIZATION \
--location LOCATION
Update an address group
You cannot update the name, type, or capacity of the address group. You can only update the address group description and IP addresses.
Console
In the Google Cloud console, go to the Address groups page.
In the project selector menu, select your organization.
The address groups are listed in the Address groups section.
To edit an address group, click the name of your address group.
Click Edit.
Modify the required fields.
Click Save.
gcloud
To update an organization-scoped address group, use the
gcloud network-security org-address-groups update command:
gcloud network-security org-address-groups update NAME \
--organization ORGANIZATION \
--description DESCRIPTION \
--location LOCATION
List address groups
You can list all the address groups in a location.
Console
In the Google Cloud console, go to the Address groups page.
In the project selector menu, select your organization.
The address groups are listed in the Address groups section.
gcloud
To list the address groups in an organization, use the
gcloud network-security org-address-groups list command:
gcloud network-security org-address-groups list \
--organization ORGANIZATION \
--location LOCATION
Delete an address group
You can delete an address group by specifying its name, organization, and location. If the address group is referenced by a firewall policy, that address group cannot be deleted.
Console
In the Google Cloud console, go to the Address groups page.
In the project selector menu, select your organization.
The address groups are listed in the Address groups section.
Select the checkbox next to the address group that you want to delete. Make sure that the selected address group is not referenced by any firewall policy.
Click Delete, and then click Delete again to confirm.
gcloud
To delete an organization-scoped address group, use the
gcloud network-security org-address-groups delete command:
gcloud network-security org-address-groups delete NAME \ --organization ORGANIZATION \ --location LOCATION
Find address group references
An address group is used by the firewall policies. You can find the list of all the firewall policies that use a specific address group.
Console
In the Google Cloud console, go to the Address groups page.
In the project selector menu, select your organization.
The address groups are listed in the Address groups section.
Click the name of your address group.
In the In use by field, the firewall policies that use this address group are listed in the following format:
POLICY_NAME(rule priority:PRIORITY_NUMBER)
gcloud
To list all the resources that reference an organization-scoped address group,
use the gcloud network-security org-address-groups list-references command:
gcloud network-security org-address-groups list-references NAME \
--organization ORGANIZATION \
--location LOCATION
Add items to an address group
You can add multiple items such as IP addresses or IP ranges to an address group. If the request contains items that are already part of the address group, such items are ignored. If the request contains invalid items, the entire request fails.
Console
To add an item to an organization-scoped address group by using Google Cloud console, follow the procedure mentioned in Update an address group.
gcloud
To add items to an organization-scoped address group, use the
gcloud network-security org-address-groups add-items command:
gcloud network-security org-address-groups add-items NAME \
--organization ORGANIZATION \
--items ITEMS \
--location LOCATION
Replace the following:
NAME: the name of the address group; you can specify the name as a string or as a unique URL identifierORGANIZATION: the organization ID where the address group is createdIf you use a unique URL identifier for the
nameparameter, you can omit theorganizationparameter.ITEMS: a comma-separated list of IP addresses or IP ranges in CIDR formatLOCATION: the location of the address groupThis can be set to
globalor a region code (such aseurope-west). If you use a unique URL identifier for thenameparameter, you can omit thelocationparameter.
Remove item from an address group
You can remove existing items from an address group. If any of the items in the request are invalid, the request fails. If the request contains items that are not part of the address group, those items are ignored.
Console
To remove an item from an organization-scoped address group by using Google Cloud console, follow the procedure mentioned in Update an address group.
gcloud
To remove an item from an organization-scoped address group, use the
gcloud network-security org-address-groups remove-items command:
gcloud network-security org-address-groups remove-items NAME \
--organization ORGANIZATION \
--items ITEMS \
--location LOCATION
Clone items from another address group
You can clone items from one address group to another.
Console
In the Google Cloud console, go to the Address groups page.
In the project selector menu, select your organization.
The address groups are listed in the Address groups section.
Click the name of your address group that you want to clone.
Click Clone.
In the Clone address group pane, for Name, enter a name.
Optional: In the Description field, enter a description.
For Scope, select Global or Regional.
If you choose Regional, specify the region where the address group is created.
For Type, select IPv4 or IPv6.
For Purpose, select Firewall.
In the Capacity field, enter the capacity of the address group.
In the IP Addresses field, update the IP addresses or IP ranges that are cloned from the address group.
Click Clone.
gcloud
To clone an address group by using gcloud CLI, follow these guidelines:
- Both address groups must be of the same type.
- Both address groups must be in the same location.
- Make sure that the new address group has sufficient capacity to fit the items of the source address group that are being cloned.
To specify the source address group, you must use the following unique URL identifier:
organization/ORGANIZATION_ID/locations/LOCATION/addressGroups/ADDRESS_GROUP_NAME
For more information about unique URL identifiers for address groups, see Address group specifications.
To clone items from an organization-scoped address group, use the
gcloud network-security org-address-groups clone-items command:
gcloud network-security org-address-groups clone-items NAME \
--organization ORGANIZATION \
--source SOURCE_NAMED_LIST \
--location LOCATION
Replace the following:
NAME: the name of the address group; you can specify the name as a string or as a unique URL identifierORGANIZATION: the organization ID where the address group is createdIf you use a unique URL identifier for the
nameparameter, you can omit theorganizationparameter.SOURCE_NAMED_LIST: a unique URL identifier of the source address group from where the items are clonedLOCATION: the location of the destination address groupThis can be set to
globalor a region code (such aseurope-west). If you use a unique URL identifier for thenameparameter, you can omit thelocationparameter.
What's next
- Use hierarchical firewall policies
- Use global network firewall policies
- Use regional network firewall policies