Cloud Next Generation Firewall pricing

This page describes the pricing for Cloud Next Generation Firewall (Cloud NGFW).

Cloud NGFW tiers

Cloud NGFW is available in three tiers, each offering different levels of features and capabilities:

  • Cloud NGFW Essentials: The foundational firewall service, offered at no cost. This tier lets you create rules based on standard network attributes, including IP ranges, ports, and protocols.
  • Cloud NGFW Standard: Extends Essentials with features, such as fully qualified domain name (FQDN) objects and threat intelligence.
  • Cloud NGFW Enterprise: Provides advanced Layer 7 security capabilities, such as Intrusion Detection and Prevention Service (IDPS) and URL filtering.

You are billed based on the features that you use in your firewall policies.

Cloud NGFW Essentials tier

When you use Cloud NGFW Essentials rules in your firewall policies, you don’t incur any charges. We recommend you make use of the Essential tier features for traffic that does not require advanced inspection.

Cloud NGFW Standard tier

When a traffic flow is evaluated by a firewall policy rule containing Cloud NGFW Standard features, you are charged for data processing.

Data processing charges apply to the following north-south traffic flows:

  • Traffic from the internet to a target virtual machine (VM) instance (ingress).
  • Traffic from a target VM instance to the internet (egress).
  • Data processing is metered in Gigabytes (GiB).
  • Charges are billed to the project where the firewall policy evaluation occurs. For a Shared VPC network, charges are billed to the host project.

Data processing charges don't apply to traffic between resources within Google Cloud (east-west traffic) or to traffic intercepted by proxy-based load balancers.

The following table summarizes the pricing for the Cloud Standard tier.

Tier

Price (USD) per GB evaluated

Cloud NGFW Standard

$0.0193 / 1 gibibyte

Cloud NGFW Enterprise

When a traffic flow is evaluated by a firewall policy rule containing Cloud NGFW Enterprise features, you incur additional charges based on the following components:

  • An hourly charge for each deployed firewall endpoint.
  • A per-gigabyte charge for the traffic that is inspected.

Firewall endpoint charges

You are charged on an hourly basis for each firewall endpoint that is deployed in your organization. Because the firewall endpoint is an organization-level resource, the endpoint charge is billed to your billing project.

Data processing charges

You are charged for all traffic inspected by the Cloud NGFW Layer 7 security features, which includes traffic in both directions of a given flow.

  • Data processing charges are billed to the project that owns the firewall policy.
  • For a Shared VPC network, these charges are billed to the host project.

Note: If a traffic flow is evaluated by rules that use both Cloud NGFW Standard and Cloud NGFW Enterprise features, you are only charged for the Cloud NGFW Enterprise data processing. The Cloud NGFW Standard charge for that flow is waived.

The following table summarizes the pricing for the Cloud Enterprise tier.

Tier

Endpoint deployment

Data processing

Cloud NGFW Enterprise

$1.75 / 1 hour$0.0193 / 1 gibibyte

Hierarchical firewall policies

Pricing for hierarchical firewall policies is based on the total number of rule attributes within a policy and the number of virtual machine (VM) instances that the policy applies to. A rule attribute is a specific configuration within a rule, such as an IP address range, port, protocol, or service account.

In addition to any tier-specific data processing charges, hierarchical firewall policies incur its own charges. The price is calculated per VM, per month, based on the total attribute count across all rules in the policy.

Number of attributes in all rules in a policy

Price (USD)

500 or fewer (standard)

$0.001369863 / 1 hour

501 or more (large)

$0.002054795 / 1 hour

There is no charge for a policy that does not apply to any VMs.

VPC firewall rules

Virtual Private Cloud (VPC) firewall rules are free of charge.

Firewall Insights

Firewall Insights pricing is described in Network Intelligence Center pricing.

Firewall Rules Logging

Firewall Rules Logging pricing is described in Network Telemetry pricing.

Pricing scenarios

The following scenarios illustrate how Cloud NGFW pricing applies to common use cases.

Scenario 1: Upgrade your VPC firewalls

You are using VPC firewall rules and want to upgrade to a more modern policy structure without paying for additional features.

Solution: You can migrate your existing rules to the Cloud NGFW Essentials tier. This tier includes all the functionality of VPC firewall rules and adds more powerful features, like address groups, for free.

Cost: The migration tools and the use of the Essentials tier features are completely free.

Scenario 2: Secure your east-west and egress traffic with layered rules

You want to use free, tag-based rules for internal east-west traffic, block internet access for a specific group of VMs tagged as Internal-VM, and apply advanced rules to the remaining internet-bound egress traffic.

Solution: You can achieve this by creating a firewall policy where rules are processed in a specific order of priority:

  1. Rule no 1 (priority 1000, the highest priority): Create Cloud NGFW Essentials firewall rules to handle all east-west traffic. You should also tag non-Internet facing VMs with the Internal-VM tag.
  2. Rule no 2 (priority 2000): Create a tag-based Essentials rule that denies internet access for any VM with the Internal-VM tag.
  3. Rule no 3 (priority 3000): Create a rule that inspects all remaining internet bound egress traffic using Cloud NGFW Standard features.

Cost: You only pay to process the egress traffic that is evaluated by your final firewall rule (rule no 3). Because the free rules handle all your internal traffic and the blocked VMs, you limit your costs to only the Internet bound traffic that you explicitly send for inspection.

Scenario 3: Apply IDPS to specific east-west traffic

You want to apply advanced IDPS rules only to traffic going to and from a production database, while allowing all other internal east-west traffic to pass at no cost.

Solution: You can achieve this by creating a firewall policy that layers a specific, high-priority rule over your general traffic rules:

  1. Rule no 1 (priority 1000, the highest priority): Create a free Cloud NGFW Essentials rules to handle the bulk of your east-west traffic based on IP addresses and tags.
  2. Rule no 2 (priority 2000): You create a specific, higher-priority rule using Cloud NGFW Enterprise. This rule is configured to match only traffic with a Database target tag and a valid-DB-client source tag, setting its action to perform IDPS inspection.

Cost: You are only charged the Cloud NGFW Enterprise fee for the precise traffic flows that you send for IDPS inspection. This granular, tag-based approach ensures you can protect critical workloads without paying to inspect every packet on your internal network.

How billing works

Cloud NGFW bills you for the data processing of traffic that is evaluated by rules containing features from the Cloud NGFW Standard or Cloud NGFW Enterprise tiers. You incur charges when a rule is evaluated, regardless of whether the rule allows or denies the traffic. For example, if you enable a Standard geo-location rule, you are billed for all traffic evaluated by that rule, even if the traffic originates from a permitted country.

For the Standard tier, you are only charged for north-south traffic from the Internet to VM instances (ingress) and traffic from VM instances to the Internet (egress). For the Enterprise tier, you are charged for both north-south and east-west traffic (traffic between resources within Google Cloud).

Firewall policies evaluate traffic against rules according to rule priority. A charge is incurred as soon as a given traffic flow is evaluated by a rule with paid features. In a typical traffic flow, first, traffic is processed by rules that use Cloud NGFW Essentials features. To optimize costs, you can assign Essentials rules a higher priority than rules in the paid tiers. If traffic doesn't match an Essentials rule, it is then evaluated by rules that use features from the Cloud NGFW Standard or Cloud NGFW Enterprise tiers.

Cloud NGFW does not charge you twice for the same traffic flow. For example, if a traffic flow is evaluated by both Standard and Enterprise rules, you are charged only for Enterprise rule evaluation.

To help you understand how billing is calculated, the following sections walk you through common firewall policy scenarios.

Scenario 1: Using Essentials and Standard features

In this scenario, your policy uses both free and paid features from both the Cloud NGFW Essentials and Cloud NGFW Standard tiers. In the policy, the Essentials rules have a higher priority (a lower priority number) than the Standard rules.

Assume 100 GB of north-south traffic (traffic from and to the Internet) enters your network and is evaluated as follows:

  1. 50 GB of the traffic is evaluated against Cloud NGFW Essential rules. This processing is free.
  2. The remaining 50 GB of traffic proceeds to the next rule in the policy, which includes Cloud NGFW Standard features. This 50 GB traffic is billed at Cloud NGFW Standard rate.

Billing summary:

  • Standard-billed traffic: 50 GB
  • Total billed traffic: 50 GB

Scenario 2: Using Essentials and Enterprise features

In this scenario, your firewall policy rules use free features that trigger billable processing for IDPS inspection. In the policy, the Essentials rules have a higher priority (a lower priority number) than the Enterprise rules.

Assume 100 GB of north-south traffic enters your network and is evaluated as follows:

  1. 50 GB of the traffic is evaluated against Cloud NGFW Essential rules. This processing is free.
  2. The remaining 50 GB of traffic proceeds to the next rule in the policy. The rule, which includes Enterprise features, sends matching traffic for IDPS inspection. This 50 GB traffic is billed at Cloud NGFW Enterprise rate.

Billing summary:

  • Enterprise-billed traffic: 50 GB
  • Total billed traffic: 50 GB + charges for the endpoint deployment

Scenario 3: Combining Essentials, Standard, and Enterprise features

In this scenario, your firewall policy rules are configured with features from all three tiers. In the policy, the Essentials rules have the highest priority (a lower priority number), followed by a rule with a lower priority that combines features from Enterprise and Standard.

Assume 100 GB of north-south traffic enters your network and is evaluated as follows:

  1. 50 GB of the traffic is evaluated against Cloud NGFW Essential rules. This processing is free.
  2. The remaining 50 GB of traffic proceeds to the next lower-priority rule in the policy that combines features from Cloud NGFW Enterprise and Cloud NGFW Standard tiers.

When a single rule uses features from multiple tiers, the traffic is billed at the rate of the highest tier used. Hence, this 50 GB traffic is billed at Cloud NGFW Enterprise rate.

Billing summary:

  • Enterprise-billed traffic: 50 GB
  • Total billed traffic: 50 GB + charges for the endpoint deployment

Request a custom quote

With Google Cloud's pay-as-you-go pricing, you only pay for the services you use. Connect with our sales team to get a custom quote for your organization.
Google Cloud
send_spark
    DocsSupport
    Console
    Sign in
    • Accelerate your digital transformation
    • Whether your business is early in its journey or well on its way to digital transformation, Google Cloud can help solve your toughest challenges.
    • Google Cloud products
    • Browse over 100 products. New customers get $300 in free credits to run, test, and deploy workloads. All customers can use 25+ products for free, up to monthly usage limits.
    • Save money with our transparent approach to pricing
    • Google Cloud's pay-as-you-go pricing offers automatic savings based on monthly usage and discounted rates for prepaid resources. Contact us today to get a quote.
    Google Cloud