Hierarchical firewall policy examples

This page shows examples of hierarchical firewall policy implementations. It assumes that you are familiar with the concepts described in the Hierarchical firewall policies overview.

Example 1: Allow prober to access all VMs

In this use case, all the virtual machine (VM) instances in an organization must be scanned and inventoried by using probes from a particular IP address (10.100.0.1) on a specific port (123). The organization security admin ensures that no network admins or other security admins can block that port in any VM instance in the organization.

This example assumes that there are no folder-level security policies deployed.

The configuration setup for this use case is described in the following diagram.

Allow prober to access all VMs

Effective policy applied in VMs

In this example, the effective VM firewall policy after evaluation of the rules across the hierarchy is as follows.

Ingress connections

  • Ingress connections with source IP 10.100.0.1 and destination port 123 are allowed, as defined in the policy. Upon a match in the organization policy, the probe connections are allowed and no further rules are evaluated in the hierarchy.

  • For any ingress connections other than from source IP 10.100.0.1 and destination port 123, there is no match; therefore, the default ingress rule in VPC firewall rules applies, denying the connection.

Egress connection

  • There is no match across the hierarchy-defined rules. Therefore, the default egress rule in VPC firewall rules applies, allowing egress connections.

How to configure

  1. Create a security policy to contain the rule:

    gcloud beta compute org-security-policies create \
         --organization 123456789012 \
         --display-name "example-security-policy" \
         --description "rules that apply to all VMs in the organization"
    
  2. Add the rule to the security policy:

    gcloud beta compute org-security-policies rules create 1000 \
        --action allow \
        --description "allow-scan-probe" \
        --layer4-configs tcp:123 \
        --security-policy example-security-policy \
        --organization 123456789012 \
        --src-ip-ranges 10.100.0.1/32
  3. Associate the security policy with the organization node:

    gcloud beta compute org-security-policies associations create \
        --security-policy example-security-policy \
        --organization 123456789012

Example 2: Deny all external connections except certain ports

In this use case, a firewall policy blocks all connections from external internet sources except for connections on ports 80, 443, and 22. An ingress internet connection on any port other than 80, 443, or 22 is blocked no matter what the firewall rules are at the VPC network level. For connections on port 80, 443, or 22, the policy delegates to the VPC security admin the behavior they want to enforce in their respective VPC network for those ports.

The configuration setup for this use case is described in the following diagram.

Deny all external connections except certain ports

Effective policy applied in VMs

In this example, the effective VM firewall policy after evaluation of the rules across the hierarchy is as follows.

Ingress connections

  • Any ingress connections from 10.0.0.0/8 match the highest-priority organization-level rule, delegate-internal-traffic, and bypass the rest of the rules in the organization policy; they are evaluated against the firewall rules configured at the VPC network level instead. In the VPC firewall rules, connections from 10.2.0.0/16 are allowed, and the rest of the connections are evaluated against the implied ingress rule, which is deny.

  • Ingress connections with a source IP range that is not 10.0.0.0/8 for ports 22, 80, and 443 are delegated to the next level, where ports 80 and 443 are allowed, but 22 is not.

  • All other connections are blocked.

Egress connections

  • There is no match across the hierarchy-defined rules. Therefore, the default egress rule in VPC firewall rules applies, allowing egress connections.

How to configure

  1. Create a security policy to contain the rule:

    gcloud beta compute org-security-policies create \
        --organization 123456789012 \
        --display-name "example-security-policy" \
        --description "rules that apply to all VMs in the organization"
    
  2. Add a rule to delegate internal connections to the project owner:

    gcloud beta compute org-security-policies rules create 1000 \
        --action goto_next \
        --description "delegate-internal-traffic" \
        --organization 123456789012 \
        --security-policy "example-security-policy" \
        --src-ip-ranges 10.0.0.0/8
    
  3. Add a rule to delegate external connections on ports 80, 443, and 22 to the project owner:

    gcloud beta compute org-security-policies rules create 2000 \
        --action goto_next \
        --description "delegate-external-traffic-spec-ports" \
        --layer4-configs tcp:80,tcp:443,tcp:22 \
        --organization 123456789012 \
        --security-policy "example-security-policy"
  4. Add a rule to deny all other external connections:

    gcloud beta compute org-security-policies rules create 3000 \
        --action deny \
        --description "block-other-external-traffic-spec-ports" \
        --organization 123456789012 \
        --security-policy "example-security-policy" \
        --src-ip-ranges 0.0.0.0/0
    
  5. Associate the security policy with the organization node:

    gcloud beta compute org-security-policies associations create \
        --organization 123456789012 \
        --security-policy "example-security-policy"
  6. In the project, add a firewall rule to allow internal connections from the designated subnet (`--action` requires `--rules`; `all` allows every protocol from that subnet):

    gcloud beta compute firewall-rules create allow-internal-traffic \
        --action allow \
        --rules all \
        --priority 1000 \
        --source-ranges 10.2.0.0/16
    
  7. In the project, add a firewall rule to allow external TCP 80/443 connections:

    gcloud beta compute firewall-rules create allow-external-traffic \
        --action allow \
        --priority 1000 \
        --rules tcp:80,tcp:443
    

Example 3: Deny egress connections except from a specific VPC network

In this use case, the organization security admin does not allow egress connections in any VPC network, except for connections originating in the VPC network myvpc. The admin delegates the decision to open egress to public server 203.0.113.1 to the myvpc security admin.

This example assumes that there are no folder-level security policies deployed. The configuration setup for this use case is described in the following diagram.

Deny egress connections except from a specific network

Effective policy applied in VMs

In this example, the effective VM firewall policy after evaluation of the rules across the hierarchy is as follows.

Ingress connections

  • There is no match across the hierarchy-defined rules. Therefore, the default ingress rule in VPC firewall rules applies, denying ingress connections.

Egress connections

  • All the egress connections destined to 203.0.113.1 are allowed; the rest of the connections are denied. Egress connections destined to 203.0.113.1 match the delegate-egress-myvpc rule and bypass the rest of the rules in the organization policy.

  • Those delegated egress connections are then evaluated against the firewall rules configured in myvpc, where the default egress rule allows them. The block-egress-external-traffic-spec-ports rule in the organization-level policy denies all other egress connections.

How to configure

  1. Create a security policy to contain the rule:

    gcloud beta compute org-security-policies create \
        --organization 123456789012 \
        --display-name "example-security-policy" \
        --description "rules that apply to all VMs in the organization"
    
  2. Add a rule to delegate certain egress connections:

    gcloud beta compute org-security-policies rules create 1000 \
        --action goto_next \
        --description "delegate-egress-myvpc" \
        --dest-ip-ranges 203.0.113.1/32 \
        --direction egress \
        --organization 123456789012 \
        --security-policy "example-security-policy" \
        --target-resources projects/PROJECT_ID/networks/myvpc
    
  3. Add a rule to deny all other egress connections:

    gcloud beta compute org-security-policies rules create 2000 \
        --action deny \
        --description "block-egress-external-traffic-spec-ports" \
        --direction egress \
        --dest-ip-ranges 0.0.0.0/0 \
        --organization 123456789012 \
        --security-policy "example-security-policy"
  4. Associate the security policy with the organization node:

    gcloud beta compute org-security-policies associations create \
        --organization 123456789012 \
        --security-policy "example-security-policy"

Example 4: Configure organization-wide and folder-specific rules

In this use case, a security admin does not allow ingress connections to any VMs in the organization except those from the allowlisted range 203.0.113.0/24. The admin delegates further decisions about what to do with connections from 203.0.113.0/24 to security admins at the folder levels.

There are two different folders:

  • Folder1, in which the policy allows only ports 80 and 443 on the backend VMs, and the rest of the ports are blocked.
  • Folder2, in which the policy enforces that no VM in Folder2 can block any port from IP 203.0.113.1. The Folder2 security admin delegates other decisions to the VPC network admin, who decides to open ports 80, 443, and 22 and deny the rest of the ports.

The configuration setup for this use case is described in the following diagram.

Organization-wide and folder-specific rules

Effective policy applied in VMs

In this example, the effective VM firewall policy after evaluation of the rules across the hierarchy is as follows.

For VMs belonging to my-vpc

  • All ingress connections from 203.0.113.0/24 with TCP ports 80 and 443 are allowed. Any other ingress connections are denied.

  • All egress connections are allowed by the VPC firewall rules, because no higher-level security policy rule matches them.

For VMs belonging to vpc2

  • All ingress connections from 203.0.113.1 are allowed. Ingress connections from the rest of 203.0.113.0/24 are allowed only on ports 80, 443, and 22. All other ingress connections are denied.

  • All egress connections are allowed by the VPC firewall rules, because no higher-level security policy rule matches them.
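The evaluation order this page describes (organization policy, then folder policy, then VPC firewall rules, with goto_next delegating to the next level and the implied VPC rule applying when nothing matches) can be checked against the Example 4 bullets above. The following model is an added illustration, not Google's code; the rule sets are constructed from the text of Example 4, and only source IP and TCP port are modeled.

```python
import ipaddress

# Added example (not Google's code): a minimal model of hierarchical firewall
# policy evaluation. Each level is a list of rules; lower priority number wins.
# Actions: "allow", "deny", or "goto_next" (delegate to the next level down).

def rule(priority, action, src="0.0.0.0/0", ports=None):
    """ports=None means any TCP port; src is a CIDR range of allowed sources."""
    return {"priority": priority, "action": action,
            "src": ipaddress.ip_network(src), "ports": ports}

def matches(r, src_ip, port):
    return (ipaddress.ip_address(src_ip) in r["src"]
            and (r["ports"] is None or port in r["ports"]))

def evaluate(levels, src_ip, port, implied="deny"):
    """Walk org -> folder -> VPC rules in order; the first allow/deny match
    wins, goto_next stops evaluating the current level and moves to the next,
    and a level with no match at all also falls through to the next level."""
    for rules in levels:
        for r in sorted(rules, key=lambda r: r["priority"]):
            if matches(r, src_ip, port):
                if r["action"] == "goto_next":
                    break            # delegate to the next level
                return r["action"]
    return implied                   # implied VPC ingress rule: deny

# Ingress rule sets constructed from Example 4 on this page.
ORG_A = [rule(1000, "goto_next", "203.0.113.0/24"), rule(2000, "deny")]
FOLDER1 = [rule(1000, "allow", ports={80, 443}), rule(2000, "deny")]
FOLDER2 = [rule(1000, "allow", "203.0.113.1/32")]
VPC2 = [rule(1000, "allow", ports={80, 443, 22})]   # VPC admin's rule in vpc2

def effective_my_vpc(src_ip, port):
    """Effective ingress decision for a VM in my-vpc (under Folder1, no VPC rules)."""
    return evaluate([ORG_A, FOLDER1, []], src_ip, port)

def effective_vpc2(src_ip, port):
    """Effective ingress decision for a VM in vpc2 (under Folder2)."""
    return evaluate([ORG_A, FOLDER2, VPC2], src_ip, port)
```

Running `effective_vpc2("203.0.113.7", 8080)` returns "deny" because the organization delegates the /24, Folder2 only matches 203.0.113.1, and the VPC rule covers only ports 80, 443, and 22, so the implied deny applies.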

How to configure

  1. Create a security policy to contain the rules for Org_A:

    gcloud beta compute org-security-policies create \
        --organization 100000000000 \
        --display-name "example-security-policy-org-a" \
        --description "rules that apply to all VMs in the organization"
    
  2. Add a rule to delegate ingress from 203.0.113.0/24 to the project owner:

    gcloud beta compute org-security-policies rules create 1000 \
        --action goto_next \
        --description "delegate-ingress" \
        --organization 100000000000 \
        --security-policy "example-security-policy-org-a" \
        --src-ip-ranges 203.0.113.0/24
    
  3. Add a rule to deny all other external connections:

    gcloud beta compute org-security-policies rules create 2000 \
        --action deny \
        --description "block-ingress-external-traffic" \
        --organization 100000000000 \
        --security-policy "example-security-policy-org-a" \
        --src-ip-ranges 0.0.0.0/0
    
  4. Associate the security policy with the organization node:

    gcloud beta compute org-security-policies associations create \
        --organization 100000000000 \
        --security-policy "example-security-policy-org-a"
  5. Create a security policy to contain the rules for Folder1:

    gcloud beta compute org-security-policies create \
        --organization 100000000000 \
        --display-name "example-security-policy-folder1" \
        --description "rules that apply to all VMs under Folder1"
    
  6. Add a rule to allow all HTTP(S) ingress:

    gcloud beta compute org-security-policies rules create 1000 \
        --action allow \
        --description "allow-http-s-ingress" \
        --layer4-configs tcp:80,tcp:443 \
        --organization 100000000000 \
        --security-policy "example-security-policy-folder1"
  7. Add a rule to deny ingress on all other ports/protocols:

    gcloud beta compute org-security-policies rules create 2000 \
        --action deny \
        --description "block-ingress-external-traffic" \
        --organization 100000000000 \
        --security-policy "example-security-policy-folder1" \
        --src-ip-ranges 0.0.0.0/0
  8. Associate the security policy with Folder1:

    gcloud beta compute org-security-policies associations create \
        --organization 100000000000 \
        --security-policy "example-security-policy-folder1" \
        --folder 200000000000
  9. Create a security policy to contain the rules for Folder2:

    gcloud beta compute org-security-policies create \
        --organization 100000000000 \
        --display-name "example-security-policy-folder2" \
        --description "rules that apply to all VMs under Folder2"
  10. Add a rule to allow ingress from 203.0.113.1:

    gcloud beta compute org-security-policies rules create 1000 \
        --action allow \
        --description "allow-vul-scan-ingress" \
        --organization 100000000000 \
        --security-policy "example-security-policy-folder2" \
        --src-ip-ranges 203.0.113.1/32
  11. Associate the security policy with Folder2:

    gcloud beta compute org-security-policies associations create \
        --organization 100000000000 \
        --security-policy "example-security-policy-folder2" \
        --folder 300000000000
  12. In the project under Folder2, add a VPC firewall rule to allow ingress on TCP ports 80, 443, and 22:

    gcloud beta compute firewall-rules create allow-internal-traffic \
        --action allow \
        --rules tcp:80,tcp:443,tcp:22
    

What's next