Virtual Private Cloud (VPC) firewall rules are free of charge.

Cloud Next Generation Firewall Essentials and Cloud Next Generation Firewall Standard data processing is billed in the following way:

• When customers use only Cloud NGFW Essentials rules in their firewall policies, they do not incur any data processing charges to or from VM instances.
• When customers use Cloud NGFW Standard rules in their firewall policies, traffic flows that are evaluated by those rules incur data processing charges:
• Applies to any traffic evaluated from the internet to target VMs.
• Applies to any traffic evaluated from target VMs to the internet.
• Applies to both ingress and egress traffic flows.
• Does not apply to traffic intercepted by proxy-based load balancers.
• Firewall policies for traffic flows within Google Cloud only do not incur data processing charges.
• $0.018/GB is metered in GiB in the backend (equivalent to $0.0193/GiB).
• Data processing charges will be billed to the project where firewall evaluation occurs. In case of a shared VPC, the data process charge will be billed to the host project instead of the service project.

• If a flow incurs both NGFW Standard and NGFW Enterprise data processing charges, the NGFW Standard data processing charge will be waived.
• Cloud NGFW Enterprise billing includes two parts:
• Firewall Endpoint deployment charge, billed to the billing project specified by the customer when an endpoint is created.
• Data Processing charge, billed to the parent project where firewall evaluation occurs. In case of a shared VPC, the data process charge will be billed to the host project instead of the service project. Data Processing charge will incur for all flows sent for IPS inspection, including packets in both directions.

The user created a firewall endpoint in each of the zones in us-east1 (us-east1-b, us-east1-c, us-east1-d) with the same billing project: FW-Billing-Project, and associated the endpoint with VPC-1 under App-Project.

The user then configured firewall rules for VPC-1 to apply IPS inspection for its Internet ingress traffic and ran it for the whole month - 30 days, with 2TB inspected in total.

In this case, the total cost incurred in this month is:

• Endpoint Deployment Charge: $1.75 * 24 * 30 * 3 = $3780, billed to FW-Billing-Project
• Data Processing Charge: $0.018 * 2000 = $36, billed to App-Project

Each hierarchical firewall policy is priced based on the total number of attributes in all the firewall rules that it contains and on the number of VMs that it covers.

A rule attribute is an IP address range, port, protocol, or service account. For more information about attributes, see Hierarchical firewall rule attributes in a hierarchical firewall policy on the Quotas page.

A policy with 200 attributes that covers 200 VMs costs $200/month: 1 * 200 = 200.

A policy with 600 attributes that covers 200 VMs costs $300/month: 1.50 * 200 = 300.

A policy that has no VMs is free.

Firewall Insights pricing is described in Network Intelligence Center pricing.

Firewall Rules Logging pricing is described in Network Telemetry pricing.