This page shows examples of hierarchical firewall policy implementations. It assumes that you are familiar with the concepts described in Hierarchical firewall policies.
Example 1: Allow prober to access all VMs
In this use case, all the virtual machine (VM) instances in an organization must be scanned and inventoried by using probes from a particular IP address (10.100.0.1) to a specific destination port (123). The organization security administrator ensures that no network administrator or other security administrator can block that port on any VM instance in the organization.
This example assumes that there are no folder-level firewall policies deployed.
The configuration setup for this use case is described in the following diagram.
Effective policy applied in VMs
In this example, the effective VM firewall policy after evaluation of the rules across the hierarchy is as follows.
Ingress connections
- Ingress connections with source IP 10.100.0.1 and destination port 123 are allowed, as defined in the policy. Upon a match in the organization policy, the probe connections are allowed and no further rules are evaluated in the hierarchy.
- For any ingress connections other than those from source IP 10.100.0.1 to destination port 123, there is no match; therefore, the default ingress rule in VPC firewall rules applies, denying the connection.
Egress connections
- There is no match across the hierarchy-defined rules. Therefore, the default egress rule in VPC firewall rules applies, allowing egress connections.
How to configure
Create a firewall policy to contain the rule:
gcloud compute firewall-policies create \
    --organization=123456789012 \
    --short-name="example-firewall-policy" \
    --description="rules that apply to all VMs in the organization"
Add the rule to the firewall policy:
gcloud compute firewall-policies rules create 1000 \
    --action=allow \
    --description="allow-scan-probe" \
    --layer4-configs=tcp:123 \
    --firewall-policy=example-firewall-policy \
    --organization=123456789012 \
    --src-ip-ranges=10.100.0.1/32
Associate the firewall policy with the organization:
gcloud compute firewall-policies associations create \
    --firewall-policy=example-firewall-policy \
    --organization=123456789012
Example 2: Deny all external connections except to certain ports
In this use case, a firewall policy blocks all connections from external internet sources except for connections on destination ports 80, 443, and 22. An ingress internet connection on any port other than 80, 443, or 22 is blocked no matter what the firewall rules are at the VPC network level. For connections on port 80, 443, or 22, the policy delegates to the VPC security administrator the behavior they want to enforce in their respective VPC network for those ports.
The configuration setup for this use case is described in the following diagram.
Effective policy applied in VMs
In this example, the effective VM firewall policy after evaluation of the rules across the hierarchy is as follows.
Ingress connections
- Any ingress connections from 10.0.0.0/8 match the highest priority organization-level rule delegate-internal-traffic and bypass the rest of the rules in the organization policy to be evaluated against the firewall rules configured at the VPC network level. In the VPC firewall rules, connections from 10.2.0.0/16 are allowed, and the rest of the connections are evaluated against the implied ingress rule, which is deny.
- Ingress connections with a source IP range that is not 10.0.0.0/8 for destination ports 22, 80, and 443 are delegated to the next level, where ports 80 and 443 are allowed, but 22 is not.
- All other connections are blocked.
Egress connections
- There is no match across the hierarchy-defined rules. Therefore, the default egress rule in VPC firewall rules applies, allowing egress connections.
How to configure
Create a firewall policy to contain the rule:
gcloud compute firewall-policies create \
    --organization=123456789012 \
    --short-name="example-firewall-policy" \
    --description="rules that apply to all VMs in the organization"
Add a rule to delegate internal connections to the project owner:
gcloud compute firewall-policies rules create 1000 \
    --action=goto_next \
    --description="delegate-internal-traffic" \
    --organization=123456789012 \
    --firewall-policy="example-firewall-policy" \
    --src-ip-ranges=10.0.0.0/8
Add a rule to delegate external connections on ports 80/443/22 to the project owner:
gcloud compute firewall-policies rules create 2000 \
    --action=goto_next \
    --description="delegate-external-traffic-spec-ports" \
    --src-ip-ranges=0.0.0.0/0 \
    --layer4-configs=tcp:80,tcp:443,tcp:22 \
    --organization=123456789012 \
    --firewall-policy="example-firewall-policy"
Add a rule to deny all other external connections:
gcloud compute firewall-policies rules create 3000 \
    --action=deny \
    --description="block-other-external-traffic-spec-ports" \
    --organization=123456789012 \
    --firewall-policy="example-firewall-policy" \
    --src-ip-ranges=0.0.0.0/0
Associate the firewall policy with the organization:
gcloud compute firewall-policies associations create \
    --organization=123456789012 \
    --firewall-policy="example-firewall-policy"
In the project, add a firewall rule to allow internal connections (all protocols) from the designated subnet; --rules must accompany --action, and all matches every protocol and port:
gcloud compute firewall-rules create allow-internal-traffic \
    --action=allow \
    --rules=all \
    --priority=1000 \
    --source-ranges=10.2.0.0/16
In the project, add a firewall rule to allow external TCP 80/443 connections:
gcloud compute firewall-rules create allow-external-traffic \
    --action=allow \
    --priority=2000 \
    --rules=tcp:80,tcp:443
Example 3: Deny egress connections except from a specific VPC network
In this use case, the organization security administrator doesn't allow egress connections in any VPC network, except for connections originating in the VPC network myvpc. The administrator delegates the decision to open egress to the public server 203.0.113.1 to the myvpc security administrator.
This example assumes that there are no folder-level firewall policies deployed. The configuration setup for this use case is described in the following diagram.
Effective policy applied in VMs
In this example, the effective VM firewall policy after evaluation of the rules across the hierarchy is as follows.
Ingress connections
- There is no match across the hierarchy-defined rules. Therefore, the default ingress rule in VPC firewall rules applies, denying ingress connections.
Egress connections
- All egress connections destined to 203.0.113.1 are allowed; the rest of the connections are denied.
- All egress connections destined to 203.0.113.1 match the delegate-egress-myvpc rule and bypass the rest of the rules in the organization policy. The egress connections are then evaluated against the firewall rules configured in myvpc. The default rule allows the egress connections.
- The block-egress-external-traffic-spec-ports rule in the organization-level policy denies the rest of the connections.
How to configure
Create a firewall policy to contain the rule:
gcloud compute firewall-policies create \
    --organization=123456789012 \
    --short-name="example-firewall-policy" \
    --description="rules that apply to all VMs in the organization"
Add a rule to delegate certain egress connections:
gcloud compute firewall-policies rules create 1000 \
    --action=goto_next \
    --description="delegate-egress-myvpc" \
    --dest-ip-ranges=203.0.113.1/32 \
    --direction=egress \
    --organization=123456789012 \
    --firewall-policy="example-firewall-policy" \
    --target-resources=projects/PROJECT_ID/networks/myvpc
Add a rule to deny all other egress connections:
gcloud compute firewall-policies rules create 2000 \
    --action=deny \
    --description="block-egress-external-traffic-spec-ports" \
    --direction=egress \
    --dest-ip-ranges=0.0.0.0/0 \
    --organization=123456789012 \
    --firewall-policy="example-firewall-policy"
Associate the firewall policy with the organization:
gcloud compute firewall-policies associations create \
    --organization=123456789012 \
    --firewall-policy="example-firewall-policy"
Example 4: Configure organization-wide and folder-specific rules
In this use case, a security administrator doesn't allow ingress connections to any VMs in the organization except those from the range that is added to an allowlist: 203.0.113.0/24. The administrator delegates further decisions about what to do with connections from 203.0.113.0/24 to security administrators at the folder levels.
There are two different folders:
- Folder1, in which the policy allows connections to only ports 80 and 443 on the backend VMs, and the rest of the ports are blocked.
- Folder2, in which the policy enforces that no VM in Folder2 can block any destination port for traffic from IP address 203.0.113.1. The Folder2 security administrator delegates other decisions to the VPC security administrator, who decides to open ports 80, 443, and 22 and deny the rest of the ports.
The configuration setup for this use case is described in the following diagram.
Effective policy applied in VMs
In this example, the effective VM firewall policy after evaluation of the rules across the hierarchy is as follows.
For VMs belonging to my-vpc
- All ingress connections from 203.0.113.0/24 with destination ports TCP 80 and 443 are allowed. Any other ingress connections are denied.
- All egress connections are accepted as per the VPC firewall rule applied, because there is no match in higher-level firewall policy rules.
For VMs belonging to vpc2
- All ingress connections from 203.0.113.1 are allowed. Ingress connections from other 203.0.113.0/24 sources (that is, other than 203.0.113.1) are allowed only to ports 80, 443, and 22. All other ingress connections are denied.
- All egress connections are accepted as per the VPC firewall rule applied, because there is no match in higher-level firewall policy rules.
How to configure
Create a firewall policy to contain the rules for Org_A:
gcloud compute firewall-policies create \
    --organization=100000000000 \
    --short-name="example-firewall-policy-org-a" \
    --description="rules that apply to all VMs in the organization"
Add a rule to delegate ingress from 203.0.113.0/24 to the project owner:
gcloud compute firewall-policies rules create 1000 \
    --action=goto_next \
    --description="delegate-ingress" \
    --organization=100000000000 \
    --firewall-policy="example-firewall-policy-org-a" \
    --src-ip-ranges=203.0.113.0/24
Add a rule to deny all other external connections:
gcloud compute firewall-policies rules create 2000 \
    --action=deny \
    --description="block-ingress-external-traffic" \
    --organization=100000000000 \
    --firewall-policy="example-firewall-policy-org-a" \
    --src-ip-ranges=0.0.0.0/0
Associate the firewall policy with the organization:
gcloud compute firewall-policies associations create \
    --organization=100000000000 \
    --firewall-policy="example-firewall-policy-org-a"
Create a firewall policy to contain the rules for Folder1:
gcloud compute firewall-policies create \
    --organization=100000000000 \
    --short-name="example-firewall-policy-folder1" \
    --description="rules that apply to all VMs under Folder1"
Add a rule to allow all HTTP(S) ingress:
gcloud compute firewall-policies rules create 1000 \
    --action=allow \
    --description="allow-http-s-ingress" \
    --layer4-configs=tcp:80,tcp:443 \
    --organization=100000000000 \
    --firewall-policy="example-firewall-policy-folder1"
Add a rule to deny ingress on all other ports or protocols:
gcloud compute firewall-policies rules create 2000 \
    --action=deny \
    --description="block-ingress-external-traffic" \
    --organization=100000000000 \
    --firewall-policy="example-firewall-policy-folder1" \
    --src-ip-ranges=0.0.0.0/0
Associate the firewall policy with Folder1:
gcloud compute firewall-policies associations create \
    --organization=100000000000 \
    --firewall-policy="example-firewall-policy-folder1" \
    --folder=200000000000
Create a firewall policy to contain the rules for Folder2:
gcloud compute firewall-policies create \
    --organization=100000000000 \
    --short-name="example-firewall-policy-folder2" \
    --description="rules that apply to all VMs under Folder2"
Add a rule to allow ingress from 203.0.113.1:
gcloud compute firewall-policies rules create 1000 \
    --action=allow \
    --description="allow-vul-scan-ingress" \
    --organization=100000000000 \
    --firewall-policy="example-firewall-policy-folder2" \
    --src-ip-ranges=203.0.113.1/32
Associate the firewall policy with Folder2:
gcloud compute firewall-policies associations create \
    --organization=100000000000 \
    --firewall-policy="example-firewall-policy-folder2" \
    --folder=300000000000
In the project that contains vpc2, add a VPC firewall rule to allow ingress on TCP ports 80, 443, and 22 (the ports the vpc2 security administrator decided to open):
gcloud compute firewall-rules create allow-internal-traffic \
    --network=vpc2 \
    --action=allow \
    --rules=tcp:80,tcp:443,tcp:22
What's next
- To create and modify hierarchical firewall policies and rules, see Use hierarchical firewall policies.