Hierarchical firewall policy examples

This page shows examples of hierarchical firewall policy implementations. It assumes that you are familiar with the concepts described in the Hierarchical firewall policies overview.

Example 1: Allow prober to access all VMs

In this use case, all the virtual machine (VM) instances in an organization must be scanned and inventoried by using probes from a particular IP address (10.100.0.1) to a specific destination port (123). The organization security admin ensures that no network admins or other security admins can block that port on any VM instance in the organization.

This example assumes that there are no folder-level firewall policies deployed.

The configuration setup for this use case is described in the following diagram.

Allow prober to access all VMs

Effective policy applied in VMs

In this example, the effective VM firewall policy after evaluation of the rules across the hierarchy is as follows.

Ingress connections

  • Ingress connections with source IP 10.100.0.1 and destination port 123 are allowed, as defined in the policy. Upon a match in the organization policy, the probe connections are allowed and no further rules are evaluated in the hierarchy.

  • For any ingress connections other than from source IP 10.100.0.1 and destination port 123, there is no match; therefore, the default ingress rule in VPC firewall rules applies, denying the connection.

Egress connection

  • There is no match across the hierarchy-defined rules. Therefore, the default egress rule in VPC firewall rules applies, allowing egress connections.

How to configure

  1. Create a firewall policy to contain the rule:

    gcloud compute firewall-policies create \
         --organization 123456789012 \
         --short-name "example-firewall-policy" \
         --description "rules that apply to all VMs in the organization"
    
  2. Add the rule to the firewall policy:

    gcloud compute firewall-policies rules create 1000 \
        --action allow \
        --description "allow-scan-probe" \
        --layer4-configs tcp:123 \
        --firewall-policy example-firewall-policy \
        --organization 123456789012 \
        --src-ip-ranges 10.100.0.1/32
  3. Associate the firewall policy with the organization node:

    gcloud compute firewall-policies associations create \
        --firewall-policy example-firewall-policy \
        --organization 123456789012

Example 2: Deny all external connections except to certain ports

In this use case, a firewall policy blocks all connections from external internet sources except for connections on destination ports 80, 443, and 22. An ingress internet connection on any port other than 80, 443, or 22 is blocked no matter what the firewall rules are at the VPC network level. For connections on port 80, 443, or 22, the policy delegates to the VPC security admin the behavior they want to enforce in their respective VPC network for those ports.

The configuration setup for this use case is described in the following diagram.

Deny all external connections except certain destination ports

Effective policy applied in VMs

In this example, the effective VM firewall policy after evaluation of the rules across the hierarchy is as follows.

Ingress connections

  • Any ingress connections from 10.0.0.0/8 match the highest-priority organization-level rule, delegate-internal-traffic, and bypass the remaining rules in the organization policy; they are evaluated against the firewall rules configured at the VPC network level instead. There, connections from 10.2.0.0/16 are allowed, and the rest are evaluated against the implied ingress rule, which denies them.

  • Ingress connections with a source IP range that is not 10.0.0.0/8 for destination ports 22, 80, and 443 are delegated to the next level, where ports 80 and 443 are allowed, but 22 is not.

  • All other connections are blocked.

Egress connections

  • There is no match across the hierarchy-defined rules. Therefore, the default egress rule in VPC firewall rules applies, allowing egress connections.

How to configure

  1. Create a firewall policy to contain the rule:

    gcloud compute firewall-policies create \
        --organization 123456789012 \
        --short-name "example-firewall-policy" \
        --description "rules that apply to all VMs in the organization"
    
  2. Add a rule to delegate internal connections to the project owner:

    gcloud compute firewall-policies rules create 1000 \
        --action goto_next \
        --description "delegate-internal-traffic" \
        --organization 123456789012 \
        --firewall-policy "example-firewall-policy" \
        --src-ip-ranges 10.0.0.0/8
    
  3. Add a rule to delegate external connections rules to ports 80/443/22 to the project owner:

    gcloud compute firewall-policies rules create 2000 \
        --action goto_next \
        --description "delegate-external-traffic-spec-ports" \
        --layer4-configs tcp:80,tcp:443,tcp:22 \
        --organization 123456789012 \
        --firewall-policy "example-firewall-policy"
  4. Add a rule to deny all other external connections:

    gcloud compute firewall-policies rules create 3000 \
        --action deny \
        --description "block-other-external-traffic-spec-ports" \
        --organization 123456789012 \
        --firewall-policy "example-firewall-policy" \
        --src-ip-ranges 0.0.0.0/0
    
  5. Associate the firewall policy with the organization node:

    gcloud compute firewall-policies associations create \
        --organization 123456789012 \
        --firewall-policy "example-firewall-policy"
  6. In the project, add a firewall rule to allow internal connections from the designated subnet:

    gcloud compute firewall-rules create allow-internal-traffic \
        --action allow \
        --rules all \
        --priority 1000 \
        --source-ranges 10.2.0.0/16
    
  7. In the project, add a firewall rule to allow external TCP 80/443 connections:

    gcloud compute firewall-rules create allow-external-traffic \
        --action allow \
        --priority 1000 \
        --rules tcp:80,tcp:443
    

Example 3: Deny egress connections except from a specific VPC network

In this use case, the organization security admin does not allow egress connections in any VPC network, except for connections originating in the VPC network myvpc. The admin delegates the decision to open egress to public server 203.0.113.1 to the myvpc security admin.

This example assumes that there are no folder-level firewall policies deployed. The configuration setup for this use case is described in the following diagram.

Deny egress connections except from a specific network

Effective policy applied in VMs

In this example, the effective VM firewall policy after evaluation of the rules across the hierarchy is as follows.

Ingress connections

  • There is no match across the hierarchy-defined rules. Therefore, the default ingress rule in VPC firewall rules applies, denying ingress connections.

Egress connections

  • All the egress connections destined to 203.0.113.1 are allowed; the rest of the connections are denied. Egress connections from myvpc destined to 203.0.113.1 match the delegate-egress-myvpc rule and bypass the rest of the rules in the organization policy.

  • Those delegated connections are then evaluated against the firewall rules configured in myvpc, where the default egress rule allows them. The block-egress-external-traffic-spec-ports rule in the organization-level policy denies all other egress connections.

How to configure

  1. Create a firewall policy to contain the rule:

    gcloud compute firewall-policies create \
        --organization 123456789012 \
        --short-name "example-firewall-policy" \
        --description "rules that apply to all VMs in the organization"
    
  2. Add a rule to delegate certain egress connections:

    gcloud compute firewall-policies rules create 1000 \
        --action goto_next \
        --description "delegate-egress-myvpc" \
        --dest-ip-ranges 203.0.113.1/32 \
        --direction egress \
        --organization 123456789012 \
        --firewall-policy "example-firewall-policy" \
        --target-resources projects/PROJECT_ID/networks/myvpc
    
  3. Add a rule to deny all other egress connections:

    gcloud compute firewall-policies rules create 2000 \
        --action deny \
        --description "block-egress-external-traffic-spec-ports" \
        --direction egress \
        --dest-ip-ranges 0.0.0.0/0 \
        --organization 123456789012 \
        --firewall-policy "example-firewall-policy"
  4. Associate the firewall policy with the organization node:

    gcloud compute firewall-policies associations create \
        --organization 123456789012 \
        --firewall-policy "example-firewall-policy"

Example 4: Configure organization-wide and folder-specific rules

In this use case, a security admin does not allow ingress connections to any VMs in the organization except those from the allowlisted range 203.0.113.0/24. The admin delegates further decisions about what to do with connections from 203.0.113.0/24 to security admins at the folder levels.

There are two different folders:

  • Folder1, in which the policy allows connections to only ports 80 and 443 on the backend VMs, and the rest of the ports are blocked.
  • Folder2, in which the policy enforces that no VM in Folder2 can block any destination port for traffic from IP address 203.0.113.1. The Folder2 security admin delegates other decisions to the VPC security admin, who decides to open ports 80, 443, and 22 and deny the rest of the ports.

The configuration setup for this use case is described in the following diagram.

Organization-wide and folder-specific rules

Effective policy applied in VMs

In this example, the effective VM firewall policy after evaluation of the rules across the hierarchy is as follows.

For VMs belonging to my-vpc

  • All ingress connections from 203.0.113.0/24 with destination ports TCP 80 and 443 are allowed. Any other ingress connections are denied.

  • All egress connections are accepted as per the VPC firewall rule applied due to there being no match in higher-level firewall policy rules.

For VMs belonging to vpc2

  • All ingress connections from 203.0.113.1 are allowed. Ingress connections from other 203.0.113.0/24 sources are allowed only to ports 80, 443, and 22. All other ingress connections are denied.

  • All egress connections are accepted as per the VPC firewall rule applied due to there being no match in higher-level firewall policy rules.
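The evaluation order that all four examples on this page rely on, modelled as a small Python evaluator. This is an added example, not Google Cloud code or output: the Rule, Conn and effective_action names are constructed for illustration, as is the VPC-level try-block-123 rule in the Example 1 scenario, which the page only describes in prose (a network admin cannot block the probe port). The model encodes Example 1 (an organization allow that a VPC-level deny cannot override) and this Example 4 (organization delegation, folder rules, a VPC rule, and the implied rules); Examples 2 and 3 follow the same order, although modelling Example 3 would also need the rule's target network, which this model omits.

```python
"""Toy model of hierarchical firewall policy evaluation.

Added example, not Google Cloud code. Levels are evaluated in order:
organization policy -> folder policy -> VPC firewall rules -> implied rules.
At each level the matching rule with the lowest priority number decides:
allow or deny ends evaluation, goto_next (like no match at all) hands the
connection to the next level.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALLOW, DENY, GOTO_NEXT = "allow", "deny", "goto_next"

@dataclass(frozen=True)
class Rule:
    priority: int
    action: str
    direction: str = "ingress"         # "ingress" or "egress"
    ip_ranges: tuple = ("0.0.0.0/0",)  # source ranges (ingress) or destination ranges (egress)
    ports: tuple = ()                  # empty = any port; the page's rules are TCP only
    name: str = ""

@dataclass(frozen=True)
class Conn:
    direction: str
    peer: str   # source address for ingress, destination address for egress
    port: int

def rule_matches(rule: Rule, conn: Conn) -> bool:
    if rule.direction != conn.direction:
        return False
    if not any(ip_address(conn.peer) in ip_network(r) for r in rule.ip_ranges):
        return False
    return not rule.ports or conn.port in rule.ports

def first_match(rules, conn):
    """Matching rule with the lowest priority number at one level, or None."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, conn):
            return rule
    return None

def effective_action(levels, conn):
    """levels: [(level_name, rules), ...] ordered org -> folders -> VPC.
    Returns (action, level_name, rule_name) of the rule that decided."""
    for level_name, rules in levels:
        rule = first_match(rules, conn)
        if rule is None or rule.action == GOTO_NEXT:
            continue  # no match, or explicit delegation: evaluate the next level
        return rule.action, level_name, rule.name
    # Implied VPC rules: deny all ingress, allow all egress.
    if conn.direction == "ingress":
        return DENY, "implied", "implied-deny-ingress"
    return ALLOW, "implied", "implied-allow-egress"

# Example 1: the organization rule lets the prober reach port 123 on every VM.
ORG_EX1 = [Rule(1000, ALLOW, "ingress", ("10.100.0.1/32",), (123,), "allow-scan-probe")]
# Constructed VPC rule (not on the page): a network admin tries to block port 123.
# The organization rule matches first, so this rule never sees the probe traffic.
VPC_EX1 = [Rule(1000, DENY, "ingress", ("0.0.0.0/0",), (123,), "try-block-123")]

def example1(conn: Conn):
    return effective_action([("org", ORG_EX1), ("vpc", VPC_EX1)], conn)

# Example 4: the organization delegates 203.0.113.0/24 and denies the rest;
# Folder1 allows only 80/443; Folder2 allows everything from 203.0.113.1 and
# delegates the rest to vpc2, whose own rule opens 80/443/22.
ORG_EX4 = [
    Rule(1000, GOTO_NEXT, "ingress", ("203.0.113.0/24",), (), "delegate-ingress"),
    Rule(2000, DENY, "ingress", ("0.0.0.0/0",), (), "block-ingress-external-traffic"),
]
FOLDER1 = [
    Rule(1000, ALLOW, "ingress", ("0.0.0.0/0",), (80, 443), "allow-http-s-ingress"),
    Rule(2000, DENY, "ingress", ("0.0.0.0/0",), (), "block-ingress-external-traffic"),
]
FOLDER2 = [Rule(1000, ALLOW, "ingress", ("203.0.113.1/32",), (), "allow-vul-scan-ingress")]
MY_VPC = []  # the page configures no VPC firewall rules for my-vpc
VPC2 = [Rule(1000, ALLOW, "ingress", ("0.0.0.0/0",), (80, 443, 22), "allow-internal-traffic")]

def my_vpc(conn: Conn):
    return effective_action([("org", ORG_EX4), ("folder1", FOLDER1), ("vpc", MY_VPC)], conn)

def vpc2(conn: Conn):
    return effective_action([("org", ORG_EX4), ("folder2", FOLDER2), ("vpc", VPC2)], conn)

if __name__ == "__main__":
    for label, fn, conn in [
        ("example1", example1, Conn("ingress", "10.100.0.1", 123)),
        ("my-vpc", my_vpc, Conn("ingress", "203.0.113.5", 8080)),
        ("vpc2", vpc2, Conn("ingress", "203.0.113.1", 8080)),
        ("vpc2", vpc2, Conn("ingress", "203.0.113.5", 22)),
        ("vpc2", vpc2, Conn("egress", "198.51.100.7", 443)),
    ]:
        print(label, conn, "->", fn(conn))
```

The returned triple names the level that made the decision, which is the useful part when auditing: a connection decided at "implied" means no rule anywhere in the hierarchy matched it, and a connection decided at "org" can only be changed by the organization security admin, whatever the project's own rules say.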

How to configure

  1. Create a firewall policy to contain the rules for Org_A:

    gcloud compute firewall-policies create \
        --organization 100000000000 \
        --short-name "example-firewall-policy-org-a" \
        --description "rules that apply to all VMs in the organization"
    
  2. Add a rule to delegate ingress from 203.0.113.0/24 to the project owner:

    gcloud compute firewall-policies rules create 1000 \
        --action goto_next \
        --description "delegate-ingress" \
        --organization 100000000000 \
        --firewall-policy "example-firewall-policy-org-a" \
        --src-ip-ranges 203.0.113.0/24
    
  3. Add a rule to deny all other external connections:

    gcloud compute firewall-policies rules create 2000 \
        --action deny \
        --description "block-ingress-external-traffic" \
        --organization 100000000000 \
        --firewall-policy "example-firewall-policy-org-a" \
        --src-ip-ranges 0.0.0.0/0
    
  4. Associate the firewall policy with the organization node:

    gcloud compute firewall-policies associations create \
        --organization 100000000000 \
        --firewall-policy "example-firewall-policy-org-a"
  5. Create a firewall policy to contain the rules for Folder1:

    gcloud compute firewall-policies create \
        --organization 100000000000 \
        --short-name "example-firewall-policy-folder1" \
        --description "rules that apply to all VMs under Folder1"
    
  6. Add a rule to allow all HTTP(S) ingress:

    gcloud compute firewall-policies rules create 1000 \
        --action allow \
        --description "allow-http-s-ingress" \
        --layer4-configs tcp:80,tcp:443 \
        --organization 100000000000 \
        --firewall-policy "example-firewall-policy-folder1"
  7. Add a rule to deny ingress on all other ports/protocols:

    gcloud compute firewall-policies rules create 2000 \
        --action deny \
        --description "block-ingress-external-traffic" \
        --organization 100000000000 \
        --firewall-policy "example-firewall-policy-folder1" \
        --src-ip-ranges 0.0.0.0/0
  8. Associate the firewall policy with Folder1:

    gcloud compute firewall-policies associations create \
        --organization 100000000000 \
        --firewall-policy "example-firewall-policy-folder1" \
        --folder 200000000000
  9. Create a firewall policy to contain the rules for Folder2:

    gcloud compute firewall-policies create \
        --organization 100000000000 \
        --short-name "example-firewall-policy-folder2" \
        --description "rules that apply to all VMs under Folder2"
  10. Add a rule to allow ingress from 203.0.113.1:

    gcloud compute firewall-policies rules create 1000 \
        --action allow \
        --description "allow-vul-scan-ingress" \
        --organization 100000000000 \
        --firewall-policy "example-firewall-policy-folder2" \
        --src-ip-ranges 203.0.113.1/32
  11. Associate the firewall policy with Folder2:

    gcloud compute firewall-policies associations create \
        --organization 100000000000 \
        --firewall-policy "example-firewall-policy-folder2" \
        --folder 300000000000
  12. In the vpc2 project, add a firewall rule to allow HTTP(S) and SSH ingress:

    gcloud compute firewall-rules create allow-internal-traffic \
        --action allow \
        --rules tcp:80,tcp:443,tcp:22
    
