This page shows examples of hierarchical firewall policy implementations. It assumes that you are familiar with the concepts described in the Hierarchical firewall policies overview.
Example 1: Allow prober to access all VMs
In this use case, all the virtual machine (VM) instances in an organization must be scanned and inventoried by using probes from a particular IP address (10.100.0.1) on a specific port (123). The organization security admin ensures that no network admins or other security admins can block that port in any VM instance in the organization.
This example assumes that there are no folder-level security policies deployed.
The configuration setup for this use case is described in the following diagram.
Effective policy applied in VMs
In this example, the effective VM firewall policy after evaluation of the rules across the hierarchy is as follows.
Ingress connections
- Ingress connections with source IP 10.100.0.1 and destination port 123 are allowed, as defined in the policy. Upon a match in the organization policy, the probe connections are allowed and no further rules are evaluated in the hierarchy.
- For any ingress connections other than from source IP 10.100.0.1 and destination port 123, there is no match; therefore, the default ingress rule in VPC firewall rules applies, denying the connection.
Egress connection
- There is no match across the hierarchy-defined rules. Therefore, the default egress rule in VPC firewall rules applies, allowing egress connections.
How to configure
Create a security policy to contain the rule:
gcloud beta compute org-security-policies create \
    --organization 123456789012 \
    --display-name "example-security-policy" \
    --description "rules that apply to all VMs in the organization"
Add the rule to the security policy:
gcloud beta compute org-security-policies rules create 1000 \
    --action allow \
    --description "allow-scan-probe" \
    --layer4-configs tcp:123 \
    --security-policy example-security-policy \
    --organization 123456789012 \
    --src-ip-ranges 10.100.0.1/32
Associate the security policy with the organization node:
gcloud beta compute org-security-policies associations create \
    --security-policy example-security-policy \
    --organization 123456789012
Example 2: Deny all external connections except certain ports
In this use case, a firewall policy blocks all connections from external internet sources except for connections on ports 80, 443, and 22. An ingress internet connection on any port other than 80, 443, or 22 is blocked no matter what the firewall rules are at the VPC network level. For any connections on port 80, 443, or 22, the policy delegates to the VPC security admin the behavior they want to enforce in their respective VPC network for those ports.
The configuration setup for this use case is described in the following diagram.
Effective policy applied in VMs
In this example, the effective VM firewall policy after evaluation of the rules across the hierarchy is as follows.
Ingress connections
- Any ingress connections from 10.0.0.0/8 match the highest priority organization-level rule delegate-internal-traffic and bypass the rest of the rules in the organization policy to be evaluated against the firewall rules configured at the VPC network level. In the VPC firewall rule, connections from 10.2.0.0/16 are allowed, and the rest of the connections are evaluated against the implied ingress rule, which is deny.
- Ingress connections with a source IP range that is not 10.0.0.0/8 for ports 22, 80, and 443 are delegated to the next level, where ports 80 and 443 are allowed, but 22 is not.
- All other connections are blocked.
Egress connections
- There is no match across the hierarchy-defined rules. Therefore, the default egress rule in VPC firewall rules applies, allowing egress connections.
How to configure
Create a security policy to contain the rule:
gcloud beta compute org-security-policies create \
    --organization 123456789012 \
    --display-name "example-security-policy" \
    --description "rules that apply to all VMs in the organization"
Add a rule to delegate internal connections to the project owner:
gcloud beta compute org-security-policies rules create 1000 \
    --action goto_next \
    --description "delegate-internal-traffic" \
    --organization 123456789012 \
    --security-policy "example-security-policy" \
    --src-ip-ranges 10.0.0.0/8
Add a rule to delegate external connections on ports 80, 443, and 22 to the project owner:
gcloud beta compute org-security-policies rules create 2000 \
    --action goto_next \
    --description "delegate-external-traffic-spec-ports" \
    --layer4-configs tcp:80,tcp:443,tcp:22 \
    --organization 123456789012 \
    --security-policy "example-security-policy"
Add a rule to deny all other external connections:
gcloud beta compute org-security-policies rules create 3000 \
    --action deny \
    --description "block-other-external-traffic-spec-ports" \
    --organization 123456789012 \
    --security-policy "example-security-policy" \
    --src-ip-ranges 0.0.0.0/0
Associate the security policy with the organization node:
gcloud beta compute org-security-policies associations create \
    --organization 123456789012 \
    --security-policy "example-security-policy"
In the project, add a firewall rule to allow internal connections from the designated subnet:
gcloud beta compute firewall-rules create allow-internal-traffic \
    --action allow \
    --rules all \
    --priority 1000 \
    --source-ranges 10.2.0.0/16
In the project, add a firewall rule to allow external TCP 80/443 connections:
gcloud beta compute firewall-rules create allow-external-traffic \
    --action allow \
    --priority 1000 \
    --rules tcp:80,tcp:443
Example 3: Deny egress connections except from a specific VPC network
In this use case, the organization security admin does not allow egress connections in any VPC network, except for connections originating in the VPC network myvpc. The admin delegates the decision to open egress to public server 203.0.113.1 to the myvpc security admin.
This example assumes that there are no folder-level security policies deployed. The configuration setup for this use case is described in the following diagram.
Effective policy applied in VMs
In this example, the effective VM firewall policy after evaluation of the rules across the hierarchy is as follows.
Ingress connections
- There is no match across the hierarchy-defined rules. Therefore, the default ingress rule in VPC firewall rules applies, denying ingress connections.
Egress connections
- All the egress connections destined to 203.0.113.1 are allowed; the rest of the connections are denied.
- All the egress connections destined to 203.0.113.1 match the delegate-egress-myvpc rule and bypass the rest of the rules in the organization policy. The egress connections are then evaluated against the firewall rules configured in myvpc. The default rule allows the egress connections.
- The block-egress-external-traffic-spec-ports rule in the organization-level policy denies the rest of the connections.
How to configure
Create a security policy to contain the rule:
gcloud beta compute org-security-policies create \
    --organization 123456789012 \
    --display-name "example-security-policy" \
    --description "rules that apply to all VMs in the organization"
Add a rule to delegate certain egress connections:
gcloud beta compute org-security-policies rules create 1000 \
    --action goto_next \
    --description "delegate-egress-myvpc" \
    --dest-ip-ranges 203.0.113.1/32 \
    --direction egress \
    --organization 123456789012 \
    --security-policy "example-security-policy" \
    --target-resources projects/PROJECT_ID/networks/myvpc
Add a rule to deny all other egress connections:
gcloud beta compute org-security-policies rules create 2000 \
    --action deny \
    --description "block-egress-external-traffic-spec-ports" \
    --direction egress \
    --dest-ip-ranges 0.0.0.0/0 \
    --organization 123456789012 \
    --security-policy "example-security-policy"
Associate the security policy with the organization node:
gcloud beta compute org-security-policies associations create \
    --organization 123456789012 \
    --security-policy "example-security-policy"
Example 4: Configure organization-wide and folder-specific rules
In this use case, a security admin does not allow ingress connections to any VMs in the organization except those from the allowlisted range 203.0.113.0/24. The admin delegates further decisions about what to do with connections from 203.0.113.0/24 to security admins at the folder levels.
There are two different folders:
- Folder1, in which the policy allows only ports 80 and 443 on the backend VMs, and the rest of the ports are blocked.
- Folder2, in which the policy enforces that no VM in Folder2 can block any port from IP 203.0.113.1. The Folder2 security admin delegates other decisions to the VPC network admin, who decides to open ports 80, 443, and 22 and deny the rest of the ports.
The configuration setup for this use case is described in the following diagram.
Effective policy applied in VMs
In this example, the effective VM firewall policy after evaluation of the rules across the hierarchy is as follows.
For VMs belonging to my-vpc
- All ingress connections from 203.0.113.0/24 with TCP ports 80 and 443 are allowed. Any other ingress connections are denied.
- All egress connections are allowed by the implied VPC egress rule, because there is no match in higher-level security policy rules.
For VMs belonging to vpc2
- All ingress connections from 203.0.113.1 are allowed. Ingress connections from 203.0.113.0/24 sources other than 203.0.113.1 are allowed only for ports 80, 443, and 22. All other ingress connections are denied.
- All egress connections are allowed by the implied VPC egress rule, because there is no match in higher-level security policy rules.
How to configure
Create a security policy to contain the rules for Org_A:
gcloud beta compute org-security-policies create \
    --organization 100000000000 \
    --display-name "example-security-policy-org-a" \
    --description "rules that apply to all VMs in the organization"
Add a rule to delegate ingress from 203.0.113.0/24 to the project owner:
gcloud beta compute org-security-policies rules create 1000 \
    --action goto_next \
    --description "delegate-ingress" \
    --organization 100000000000 \
    --security-policy "example-security-policy-org-a" \
    --src-ip-ranges 203.0.113.0/24
Add a rule to deny all other external connections:
gcloud beta compute org-security-policies rules create 2000 \
    --action deny \
    --description "block-ingress-external-traffic" \
    --organization 100000000000 \
    --security-policy "example-security-policy-org-a" \
    --src-ip-ranges 0.0.0.0/0
Associate the security policy with the organization node:
gcloud beta compute org-security-policies associations create \
    --organization 100000000000 \
    --security-policy "example-security-policy-org-a"
Create a security policy to contain the rules for Folder1:
gcloud beta compute org-security-policies create \
    --organization 100000000000 \
    --display-name "example-security-policy-folder1" \
    --description "rules that apply to all VMs under Folder1"
Add a rule to allow all HTTP(S) ingress:
gcloud beta compute org-security-policies rules create 1000 \
    --action allow \
    --description "allow-http-s-ingress" \
    --layer4-configs tcp:80,tcp:443 \
    --organization 100000000000 \
    --security-policy "example-security-policy-folder1"
Add a rule to deny ingress on all other ports/protocols:
gcloud beta compute org-security-policies rules create 2000 \
    --action deny \
    --description "block-ingress-external-traffic" \
    --organization 100000000000 \
    --security-policy "example-security-policy-folder1" \
    --src-ip-ranges 0.0.0.0/0
Associate the security policy with Folder1:
gcloud beta compute org-security-policies associations create \
    --organization 100000000000 \
    --security-policy "example-security-policy-folder1" \
    --folder 200000000000
Create a security policy to contain the rules for Folder2:
gcloud beta compute org-security-policies create \
    --organization 100000000000 \
    --display-name "example-security-policy-folder2" \
    --description "rules that apply to all VMs under Folder2"
Add a rule to allow ingress from 203.0.113.1:
gcloud beta compute org-security-policies rules create 1000 \
    --action allow \
    --description "allow-vul-scan-ingress" \
    --organization 100000000000 \
    --security-policy "example-security-policy-folder2" \
    --src-ip-ranges 203.0.113.1/32
Associate the security policy with Folder2:
gcloud beta compute org-security-policies associations create \
    --organization 100000000000 \
    --security-policy "example-security-policy-folder2" \
    --folder 300000000000
Add a firewall rule to allow ingress on TCP ports 80, 443, and 22:
gcloud beta compute firewall-rules create allow-internal-traffic \
    --action allow \
    --rules tcp:80,tcp:443,tcp:22
What's next
- To create and modify hierarchical firewall policies and rules, see Using hierarchical firewall policies.