Firewall policies

Firewall policies let you group several firewall rules so that you can update them all at once, effectively controlled by Identity and Access Management (IAM) roles. These policies contain rules that can explicitly deny or allow connections, as do Virtual Private Cloud (VPC) firewall rules.

Hierarchical firewall policies

Hierarchical firewall policies let you group rules into a policy object that can apply to many VPC networks in one or more projects. You can associate hierarchical firewall policies with an entire organization or individual folders.

For hierarchical firewall policy specifications and details, see Hierarchical firewall policies.

Global network firewall policies

Global network firewall policies let you group rules into a policy object that is applicable to all regions (global). A firewall policy does not take effect until it is associated with a VPC network. To associate a global network firewall policy with a network, see Associate a policy with the network. After you associate a global network firewall policy with a VPC network, the rules in the policy can apply to resources in the VPC network. You can only associate a network firewall policy with a VPC network.

For global network firewall policy specifications and details, see Global network firewall policies.

Regional network firewall policies

Regional network firewall policies let you group rules into a policy object applicable to a specific region. A regional network firewall policy does not take effect until it is associated with a VPC network in the same region. To associate a regional network firewall policy with a network, see Associate a policy with the network. After you associate a regional network firewall policy with a VPC network, the rules in the policy can apply to resources within that region of the VPC network.

For regional firewall policy specifications and details, see Regional network firewall policies.

Apply firewall policies and rules to a network

Regular VPC networks support firewall rules in hierarchical firewall policies, global network firewall policies, regional network firewall policies, and VPC firewall rules. All firewall rules are programmed as part of the Andromeda network virtualization stack.

For RoCE VPC networks, see Cloud NGFW for RoCE VPC networks instead of this section.

Network firewall policy enforcement order

Each regular VPC network has a network firewall policy enforcement order that controls when rules in global network firewall policies and regional network firewall policies are evaluated.

  • AFTER_CLASSIC_FIREWALL (default): Cloud NGFW evaluates VPC firewall rules before it evaluates rules in global network firewall policies and regional network firewall policies.

  • BEFORE_CLASSIC_FIREWALL: Cloud NGFW evaluates rules in global network firewall policies and regional network firewall policies before it evaluates VPC firewall rules.

To change the network firewall policy enforcement order, do any one of the following:

  • Use the networks.patch method and set the networkFirewallPolicyEnforcementOrder attribute of the VPC network.

  • Use the gcloud compute networks update command with the --network-firewall-policy-enforcement-order flag.

    For example:

    gcloud compute networks update VPC_NETWORK_NAME \
    --network-firewall-policy-enforcement-order=ENFORCEMENT_ORDER

Firewall rule evaluation process

For a given packet, Cloud NGFW evaluates the following rules exclusively based on the direction of traffic:

  • Ingress firewall rules if a target resource receives the packet.
  • Egress firewall rules if a target resource sends the packet.

Cloud NGFW evaluates firewall rules in a specific order. The order depends on the network firewall policy enforcement order, which can be either AFTER_CLASSIC_FIREWALL or BEFORE_CLASSIC_FIREWALL.

Rule evaluation order in the AFTER_CLASSIC_FIREWALL enforcement order

In the AFTER_CLASSIC_FIREWALL network firewall policy enforcement order, Cloud NGFW evaluates VPC firewall rules after evaluating rules in hierarchical firewall policies. This is the default evaluation order.

The firewall rules are evaluated in the following order:

  1. Hierarchical firewall policies.

    Cloud NGFW evaluates hierarchical firewall policies in the following order:

    1. The hierarchical firewall policy associated with the organization that contains the target resource.
    2. Hierarchical firewall policies associated with folder ancestors, from the top-level folder down to the folder that contains the target resource's project.

    When evaluating rules in each hierarchical firewall policy, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    In a hierarchical firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.
    • apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
    • goto_next: the rule evaluation continues to one of the following:
      • A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
      • The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.

    If no rule in a hierarchical firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evalutation to one of the following:

    • A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
    • The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.

  2. VPC firewall rules.

    When evaluating VPC firewall rules, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    When one or two VPC firewall rules match traffic, the firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.

    If two rules match, they must have the same priority but different actions. In this case, Cloud NGFW enforces the deny VPC firewall rule, and ignores the allow VPC firewall rule.

    If no VPC firewall rules match the traffic, Cloud NGFW uses an implied goto_next action to continue to the next step in the evaluation order.

  3. Global network firewall policy.

    When evaluating rules in a global network firewall policy, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    In a global network firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.
    • apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
    • goto_next: the rule evaluation continues to the regional network firewall policy step in the evaluation order.

    If no rule in a global network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evalutation to the regional network firewall policy step in the evaluation order.

  4. Regional network firewall policies.

    Cloud NGFW evaluates rules in regional network firewall policies that are associated with the region and VPC network of the target resource.

    When evaluating rules in a regional network firewall policy, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    In a regional network firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.
    • goto_next: the rule evaluation continues to the next step in the evaluation order.

    If no rule in a regional network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evalutation to the next step in the evaluation order.

  5. Implied firewall rules.

    Cloud NGFW enforces the following implied firewall rules when all rules that matched traffic had an explicit goto_next action, or when rule evaluation continued by following implicit goto_next actions.

    • Implied allow egress
    • Implied deny ingress

The following diagram shows the evaluation order when the network firewall policy enforcement order is AFTER_CLASSIC_FIREWALL:

Firewall rule resolution flow.
Figure 1. Firewall rule resolution flow if the network firewall policy enforcement order is AFTER_CLASSIC_FIREWALL (click to enlarge).

Rule evaluation order in the BEFORE_CLASSIC_FIREWALL enforcement order

In the BEFORE_CLASSIC_FIREWALL network firewall policy enforcement order, Cloud NGFW evaluates VPC firewall rules after evaluating rules in network firewall policies.

The firewall rules are evaluated in the following order:

  1. Hierarchical firewall policies.

    Cloud NGFW evaluates hierarchical firewall policies in the following order:

    1. The hierarchical firewall policy associated with the organization that contains the target resource.
    2. The hierarchical firewall policies associated with folder ancestors, from the top-level folder down to the folder that contains the target resource's project.

    When evaluating rules in each hierarchical firewall policy, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    In a hierarchical firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.
    • apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
    • goto_next: the rule evaluation continues to one of the following:
      • A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
      • The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.

    If no rule in a hierarchical firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evalutation to one of the following:

    • A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
    • The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.

  2. Global network firewall policy.

    When evaluating rules in a global network firewall policy, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    In a global network firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.
    • apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
    • goto_next: the rule evaluation continues to the regional network firewall policy step in the evaluation order.

    If no rule in a global network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evalutation to the regional network firewall policy step in the evaluation order.

  3. Regional network firewall policies.

    Cloud NGFW evaluates rules in regional network firewall policies that are associated with the region and VPC network of the target resource. If multiple policies are associated with the same region and network, the one with the highest association priority is evaluated first.

    When evaluating rules in a regional network firewall policy, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    In a regional network firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.
    • goto_next: the rule evaluation continues to the next step in the evaluation order.

    If no rule in a regional network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evalutation to the next step in the evaluation order.

  4. VPC firewall rules.

    When evaluating VPC firewall rules, Cloud NGFW performs the following steps:

    1. Disregard all rules whose targets don't match the target resource.
    2. Disregard all rules that don't match the packet's direction.
    3. Evaluate the remaining rules from the highest to the lowest priority.

      Evaluation stops when either one of the following conditions is met:

      • A rule that applies to the target resource matches the traffic.
      • No rules that apply to the target resource match the traffic.

    When one or two VPC firewall rules match traffic, the firewall rule's action on match can be one of the following:

    • allow: the rule allows the traffic, and all rule evaluation stops.
    • deny: the rule denies the traffic, and all rule evaluation stops.

    If two rules match, they must have the same priority but different actions. In this case, Cloud NGFW enforces the deny VPC firewall rule, and ignores the allow VPC firewall rule.

    If no VPC firewall rules match the traffic, Cloud NGFW uses an implied goto_next action to continue to the next step in the evaluation order.

  5. Implied firewall rules.

    Cloud NGFW enforces the following implied firewall rules when all rules that matched traffic had an explicit goto_next action, or when rule evaluation continued by following implicit goto_next actions.

    • Implied allow egress
    • Implied deny ingress

The following diagram shows the evaluation order when the network firewall policy enforcement order is BEFORE_CLASSIC_FIREWALL:

Firewall rule resolution flow.
Figure 2. Firewall rule resolution flow if the network firewall policy enforcement order is BEFORE_CLASSIC_FIREWALL (click to enlarge).

Effective firewall rules

Hierarchical firewall policy rules, VPC firewall rules, and global and regional network firewall policy rules control connections. You might find it helpful to see all the firewall rules that affect an individual network or VM interface.

Network effective firewall rules

You can view all firewall rules applied to a VPC network. The list includes all of the following kinds of rules:

  • Rules inherited from hierarchical firewall policies
  • VPC firewall rules
  • Rules applied from the global and regional network firewall policies

Instance effective firewall rules

You can view all firewall rules applied to a VM's network interface. The list includes all of the following kinds of rules:

  • Rules inherited from hierarchical firewall policies
  • Rules applied from the interface's VPC firewall
  • Rules applied from the global and regional network firewall policies

The rules are ordered from the organization level down to the VPC network. Only rules that apply to the VM interface are shown. Rules in other policies aren't shown.

To view the effective firewall policy rules within a region, see Get effective regional firewall policies for a network.

Predefined rules

When you create a hierarchical firewall policy, a global network firewall policy, or a regional network firewall policy, Cloud NGFW adds predefined rules to the policy. The predefined rules that Cloud NGFW adds to the policy depend on how you create the policy.

If you create a firewall policy using the Google Cloud console, Cloud NGFW adds the following rules to the new policy:

  1. Goto-next rules for private IPv4 ranges
  2. Predefined Google Threat Intelligence deny rules
  3. Predefined geolocation deny rules
  4. Lowest possible priority goto-next rules

If you create a firewall policy using the Google Cloud CLI or the API, Cloud NGFW adds only the lowest possible priority goto-next rules to the policy.

All predefined rules in a new firewall policy purposefully use low priorities (large priority numbers) so you can override them by creating rules with higher priorities. Except for the lowest possible priority goto-next rules, you can also customize the predefined rules.

Goto-next rules for private IPv4 ranges

  • An egress rule with destination IPv4 ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, priority 1000, and goto_next action.

  • An ingress rule with source IPv4 ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, priority 1001, and goto_next action.

Predefined Google Threat Intelligence deny rules

  • An ingress rule with source Google Threat Intelligence list iplist-tor-exit-nodes, priority 1002, and deny action.

  • An ingress rule with source Google Threat Intelligence list iplist-known-malicious-ips, priority 1003, and deny action.

  • An egress rule with destination Google Threat Intelligence list iplist-known-malicious-ips, priority 1004, and deny action.

To learn more about Google Threat Intelligence, see Google Threat Intelligence for firewall policy rules.

Predefined geolocation deny rules

  • An ingress rule with source matching geolocations CU,IR, KP, SY, XC, and XD, priority 1005, and deny action.

To learn more about geolocations, see Geolocation objects.

Lowest possible priority goto-next rules

You cannot modify or delete the following rules:

  • An egress rule with destination IPv6 range ::/0, priority 2147483644, and goto_next action.

  • An ingress rule with source IPv6 range ::/0, priority 2147483645, and goto_next action.

  • An egress rule with destination IPv4 range 0.0.0.0/0, priority 2147483646, and goto_next action.

  • An ingress rule with source IPv4 range 0.0.0.0/0, priority 2147483647, and goto_next action.

What's next