Firewall policies let you group several firewall rules into a single object so that you can update them all at once; who can create, modify, and associate a policy is controlled by Identity and Access Management (IAM) roles. Like Virtual Private Cloud (VPC) firewall rules, the rules in a policy can explicitly allow or deny connections.
Hierarchical firewall policies
Hierarchical firewall policies let you group rules into a policy object that can apply to many VPC networks in one or more projects. You can associate hierarchical firewall policies with an entire organization or individual folders.
For hierarchical firewall policy specifications and details, see Hierarchical firewall policies.
Global network firewall policies
Global network firewall policies let you group rules into a policy object that applies to all regions (global). A global network firewall policy does not take effect until it is associated with a VPC network. To associate a global network firewall policy with a network, see Associate a policy with the network. After you associate a global network firewall policy with a VPC network, the rules in the policy can apply to resources in that VPC network. Unlike hierarchical firewall policies, network firewall policies can be associated only with VPC networks, not with organizations or folders.
For global network firewall policy specifications and details, see Global network firewall policies.
Regional network firewall policies
Regional network firewall policies let you group rules into a policy object applicable to a specific region. A regional network firewall policy does not take effect until it is associated with a VPC network in the same region. To associate a regional network firewall policy with a network, see Associate a policy with the network. After you associate a regional network firewall policy with a VPC network, the rules in the policy can apply to resources within that region of the VPC network.
For regional firewall policy specifications and details, see Regional network firewall policies.
Apply firewall policies and rules to a network
Regular VPC networks support firewall rules in hierarchical firewall policies, global network firewall policies, regional network firewall policies, and VPC firewall rules. All firewall rules are programmed as part of the Andromeda network virtualization stack.
For RoCE VPC networks, see Cloud NGFW for RoCE VPC networks instead of this section.
Network firewall policy enforcement order
Each regular VPC network has a network firewall policy enforcement order that controls when rules in global network firewall policies and regional network firewall policies are evaluated.
- AFTER_CLASSIC_FIREWALL (default): Cloud NGFW evaluates VPC firewall rules before it evaluates rules in global network firewall policies and regional network firewall policies.
- BEFORE_CLASSIC_FIREWALL: Cloud NGFW evaluates rules in global network firewall policies and regional network firewall policies before it evaluates VPC firewall rules.
The enforcement order changes only where the VPC firewall rules sit relative to the global and regional network firewall policies. Hierarchical firewall policies are always evaluated first and the implied rules last, whichever order is set. Before you change the order on a network that already has both VPC firewall rules and network firewall policies, review the network's effective firewall rules: a rule that previously decided a connection can lose to an earlier stage after the change.
To change the network firewall policy enforcement order, do one of the following:
- Use the networks.patch method and set the networkFirewallPolicyEnforcementOrder attribute of the VPC network.
- Use the gcloud compute networks update command with the --network-firewall-policy-enforcement-order flag. For example:
  gcloud compute networks update VPC_NETWORK_NAME \
      --network-firewall-policy-enforcement-order=ENFORCEMENT_ORDER
  Replace VPC_NETWORK_NAME with the name of the VPC network and ENFORCEMENT_ORDER with AFTER_CLASSIC_FIREWALL or BEFORE_CLASSIC_FIREWALL.
Firewall rule evaluation process
For a given packet, Cloud NGFW evaluates only the rules that match the direction of the traffic:
- Ingress firewall rules if a target resource receives the packet.
- Egress firewall rules if a target resource sends the packet.
Cloud NGFW evaluates firewall rules in a specific order. The order depends on the network firewall policy enforcement order of the VPC network, which can be either AFTER_CLASSIC_FIREWALL or BEFORE_CLASSIC_FIREWALL.
Rule evaluation order in the AFTER_CLASSIC_FIREWALL enforcement order
In the AFTER_CLASSIC_FIREWALL network firewall policy enforcement order, Cloud NGFW evaluates VPC firewall rules after the rules in hierarchical firewall policies but before the rules in global and regional network firewall policies. This is the default evaluation order.
The firewall rules are evaluated in the following order:
Hierarchical firewall policies.
Cloud NGFW evaluates hierarchical firewall policies in the following order:
- The hierarchical firewall policy associated with the organization that contains the target resource.
- Hierarchical firewall policies associated with folder ancestors, from the top-level folder down to the folder that contains the target resource's project.
When evaluating rules in each hierarchical firewall policy, Cloud NGFW performs the following steps:
- Disregard all rules whose targets don't match the target resource.
- Disregard all rules that don't match the packet's direction.
- Evaluate the remaining rules from the highest to the lowest priority.
Evaluation stops when either one of the following conditions is met:
- A rule that applies to the target resource matches the traffic.
- No rules that apply to the target resource match the traffic.
In a hierarchical firewall policy, at most one rule can match traffic. The matched rule's action can be one of the following:
- allow: the rule allows the traffic, and all rule evaluation stops.
- deny: the rule denies the traffic, and all rule evaluation stops.
- apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. Whether the packet is then allowed or dropped depends on the security profile configured in the security profile group.
- goto_next: rule evaluation continues to one of the following:
  - A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
  - The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.
If no rule in a hierarchical firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action, which continues the evaluation in the same way as an explicit goto_next.
VPC firewall rules.
When evaluating VPC firewall rules, Cloud NGFW performs the following steps:
- Disregard all rules whose targets don't match the target resource.
- Disregard all rules that don't match the packet's direction.
- Evaluate the remaining rules from the highest to the lowest priority.
Evaluation stops when either one of the following conditions is met:
- A rule that applies to the target resource matches the traffic.
- No rules that apply to the target resource match the traffic.
When one or two VPC firewall rules match traffic, the action on match can be one of the following:
- allow: the rule allows the traffic, and all rule evaluation stops.
- deny: the rule denies the traffic, and all rule evaluation stops.
Two rules can match only if they have the same priority but different actions. In this case, Cloud NGFW enforces the deny VPC firewall rule and ignores the allow VPC firewall rule.
If no VPC firewall rules match the traffic, Cloud NGFW uses an implied goto_next action to continue to the next step in the evaluation order.
Global network firewall policy.
When evaluating rules in a global network firewall policy, Cloud NGFW performs the following steps:
- Disregard all rules whose targets don't match the target resource.
- Disregard all rules that don't match the packet's direction.
- Evaluate the remaining rules from the highest to the lowest priority.
Evaluation stops when either one of the following conditions is met:
- A rule that applies to the target resource matches the traffic.
- No rules that apply to the target resource match the traffic.
In a global network firewall policy, at most one rule can match traffic. The matched rule's action can be one of the following:
- allow: the rule allows the traffic, and all rule evaluation stops.
- deny: the rule denies the traffic, and all rule evaluation stops.
- apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. Whether the packet is then allowed or dropped depends on the security profile configured in the security profile group.
- goto_next: rule evaluation continues to the regional network firewall policy step in the evaluation order.
If no rule in a global network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action, which continues the evaluation at the regional network firewall policy step.
Regional network firewall policies.
Cloud NGFW evaluates rules in regional network firewall policies that are associated with the region and VPC network of the target resource.
When evaluating rules in a regional network firewall policy, Cloud NGFW performs the following steps:
- Disregard all rules whose targets don't match the target resource.
- Disregard all rules that don't match the packet's direction.
- Evaluate the remaining rules from the highest to the lowest priority.
Evaluation stops when either one of the following conditions is met:
- A rule that applies to the target resource matches the traffic.
- No rules that apply to the target resource match the traffic.
In a regional network firewall policy, at most one rule can match traffic. The matched rule's action can be one of the following:
- allow: the rule allows the traffic, and all rule evaluation stops.
- deny: the rule denies the traffic, and all rule evaluation stops.
- goto_next: rule evaluation continues to the next step in the evaluation order.
If no rule in a regional network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action, which continues the evaluation at the next step in the evaluation order.
Implied firewall rules.
Cloud NGFW enforces the following implied firewall rules when every rule that matched the traffic had an explicit goto_next action, or when rule evaluation fell through by following implied goto_next actions:
- Implied allow egress
- Implied deny ingress
The following diagram shows the evaluation order when the network firewall policy enforcement order is AFTER_CLASSIC_FIREWALL:
Diagram: rule evaluation order with AFTER_CLASSIC_FIREWALL.
Rule evaluation order in the BEFORE_CLASSIC_FIREWALL enforcement order
In the BEFORE_CLASSIC_FIREWALL network firewall policy enforcement order, Cloud NGFW evaluates VPC firewall rules after the rules in hierarchical firewall policies and after the rules in global and regional network firewall policies; only the implied rules come later.
The firewall rules are evaluated in the following order:
Hierarchical firewall policies.
Cloud NGFW evaluates hierarchical firewall policies in the following order:
- The hierarchical firewall policy associated with the organization that contains the target resource.
- The hierarchical firewall policies associated with folder ancestors, from the top-level folder down to the folder that contains the target resource's project.
When evaluating rules in each hierarchical firewall policy, Cloud NGFW performs the following steps:
- Disregard all rules whose targets don't match the target resource.
- Disregard all rules that don't match the packet's direction.
- Evaluate the remaining rules from the highest to the lowest priority.
Evaluation stops when either one of the following conditions is met:
- A rule that applies to the target resource matches the traffic.
- No rules that apply to the target resource match the traffic.
In a hierarchical firewall policy, at most one rule can match traffic. The matched rule's action can be one of the following:
- allow: the rule allows the traffic, and all rule evaluation stops.
- deny: the rule denies the traffic, and all rule evaluation stops.
- apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. Whether the packet is then allowed or dropped depends on the security profile configured in the security profile group.
- goto_next: rule evaluation continues to one of the following:
  - A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
  - The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.
If no rule in a hierarchical firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action, which continues the evaluation in the same way as an explicit goto_next.
Global network firewall policy.
When evaluating rules in a global network firewall policy, Cloud NGFW performs the following steps:
- Disregard all rules whose targets don't match the target resource.
- Disregard all rules that don't match the packet's direction.
- Evaluate the remaining rules from the highest to the lowest priority.
Evaluation stops when either one of the following conditions is met:
- A rule that applies to the target resource matches the traffic.
- No rules that apply to the target resource match the traffic.
In a global network firewall policy, at most one rule can match traffic. The matched rule's action can be one of the following:
- allow: the rule allows the traffic, and all rule evaluation stops.
- deny: the rule denies the traffic, and all rule evaluation stops.
- apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. Whether the packet is then allowed or dropped depends on the security profile configured in the security profile group.
- goto_next: rule evaluation continues to the regional network firewall policy step in the evaluation order.
If no rule in a global network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action, which continues the evaluation at the regional network firewall policy step.
Regional network firewall policies.
Cloud NGFW evaluates rules in regional network firewall policies that are associated with the region and VPC network of the target resource. If multiple policies are associated with the same region and network, the one with the highest association priority is evaluated first.
When evaluating rules in a regional network firewall policy, Cloud NGFW performs the following steps:
- Disregard all rules whose targets don't match the target resource.
- Disregard all rules that don't match the packet's direction.
- Evaluate the remaining rules from the highest to the lowest priority.
Evaluation stops when either one of the following conditions is met:
- A rule that applies to the target resource matches the traffic.
- No rules that apply to the target resource match the traffic.
In a regional network firewall policy, at most one rule can match traffic. The matched rule's action can be one of the following:
- allow: the rule allows the traffic, and all rule evaluation stops.
- deny: the rule denies the traffic, and all rule evaluation stops.
- goto_next: rule evaluation continues to the next step in the evaluation order.
If no rule in a regional network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action, which continues the evaluation at the next step in the evaluation order.
VPC firewall rules.
When evaluating VPC firewall rules, Cloud NGFW performs the following steps:
- Disregard all rules whose targets don't match the target resource.
- Disregard all rules that don't match the packet's direction.
- Evaluate the remaining rules from the highest to the lowest priority.
Evaluation stops when either one of the following conditions is met:
- A rule that applies to the target resource matches the traffic.
- No rules that apply to the target resource match the traffic.
When one or two VPC firewall rules match traffic, the action on match can be one of the following:
- allow: the rule allows the traffic, and all rule evaluation stops.
- deny: the rule denies the traffic, and all rule evaluation stops.
Two rules can match only if they have the same priority but different actions. In this case, Cloud NGFW enforces the deny VPC firewall rule and ignores the allow VPC firewall rule.
If no VPC firewall rules match the traffic, Cloud NGFW uses an implied goto_next action to continue to the next step in the evaluation order.
Implied firewall rules.
Cloud NGFW enforces the following implied firewall rules when every rule that matched the traffic had an explicit goto_next action, or when rule evaluation fell through by following implied goto_next actions:
- Implied allow egress
- Implied deny ingress
The following diagram shows the evaluation order when the network firewall policy enforcement order is BEFORE_CLASSIC_FIREWALL:
Diagram: rule evaluation order with BEFORE_CLASSIC_FIREWALL.
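The following Python script is an added example, not part of this page and not Google's code: it models the evaluation order described in the two sections above (hierarchical firewall policies first, then VPC firewall rules and the global and regional network firewall policies in the order the enforcement order selects, then the implied rules) over in-memory rule sets. The Rule and Packet fields, the constructed rule sets, and the addresses are assumptions made for the example and do not follow the Compute Engine API schema. The scenario shows the pitfall the enforcement order creates: under the default AFTER_CLASSIC_FIREWALL, a legacy VPC firewall rule that allows SSH from anywhere is evaluated and wins before a global network firewall policy that denies SSH is consulted; switching the network to BEFORE_CLASSIC_FIREWALL, or moving the deny into a hierarchical firewall policy, makes the deny effective.

```python
# Added example (not Google's code): a model of the Cloud NGFW rule evaluation
# order. Rule/Packet fields and all rule sets below are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    priority: int                        # lower number = higher priority; 0 is highest
    direction: str                       # "INGRESS" or "EGRESS"
    action: str                          # allow | deny | goto_next | apply_security_profile_group
    ip_ranges: tuple = ("0.0.0.0/0",)    # sources for INGRESS, destinations for EGRESS
    protocol: Optional[str] = None       # None matches every protocol
    ports: Optional[frozenset] = None    # None matches every port
    targets: Optional[frozenset] = None  # target tags; None = every instance in scope


@dataclass(frozen=True)
class Packet:
    direction: str
    remote_ip: str                       # source for INGRESS, destination for EGRESS
    protocol: str
    port: int
    target_tags: frozenset = frozenset() # tags on the VM that sends or receives it


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Disregard rules whose targets or direction don't apply, then match the tuple."""
    if rule.direction != pkt.direction:
        return False
    if rule.targets is not None and not (rule.targets & pkt.target_tags):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.ports is not None and pkt.port not in rule.ports:
        return False
    return any(ip_address(pkt.remote_ip) in ip_network(r) for r in rule.ip_ranges)


def evaluate_policy(rules, pkt: Packet) -> str:
    """Hierarchical, global or regional policy step: highest-priority match wins;
    a policy with no matching rule yields an implied goto_next."""
    matches = sorted((r for r in rules if rule_matches(r, pkt)), key=lambda r: r.priority)
    return matches[0].action if matches else "goto_next"


def evaluate_vpc_rules(rules, pkt: Packet) -> str:
    """VPC firewall rule step: as above, except that an allow and a deny that tie
    at the winning priority resolve to deny."""
    matches = sorted((r for r in rules if rule_matches(r, pkt)), key=lambda r: r.priority)
    if not matches:
        return "goto_next"
    winning = {r.action for r in matches if r.priority == matches[0].priority}
    return "deny" if "deny" in winning else "allow"


def evaluate(pkt: Packet, hierarchical=(), vpc_rules=(), global_policy=(), regional_policy=(),
             enforcement_order="AFTER_CLASSIC_FIREWALL"):
    """Return (verdict, trace). `hierarchical` lists the org policy first, then folder
    policies from the top-level folder down. Verdict 'inspect' means the packet was
    handed to a firewall endpoint (apply_security_profile_group) for the decision."""
    stages = [("hierarchical", p) for p in hierarchical]
    network_stages = [("global", global_policy), ("regional", regional_policy)]
    if enforcement_order == "AFTER_CLASSIC_FIREWALL":
        stages += [("vpc", vpc_rules)] + network_stages
    elif enforcement_order == "BEFORE_CLASSIC_FIREWALL":
        stages += network_stages + [("vpc", vpc_rules)]
    else:
        raise ValueError(f"unknown enforcement order {enforcement_order!r}")

    trace = []
    for name, rules in stages:
        action = evaluate_vpc_rules(rules, pkt) if name == "vpc" else evaluate_policy(rules, pkt)
        trace.append((name, action))
        if action in ("allow", "deny"):
            return action, trace
        if action == "apply_security_profile_group":
            return "inspect", trace
    # Every stage fell through on goto_next: the implied rules decide.
    implied = "allow" if pkt.direction == "EGRESS" else "deny"
    trace.append(("implied", implied))
    return implied, trace


# Constructed scenario: a legacy VPC rule allowing SSH from anywhere, and a global
# network firewall policy meant to restrict SSH to a bastion range (203.0.113.0/24).
LEGACY_VPC_RULES = [Rule(1000, "INGRESS", "allow", protocol="tcp", ports=frozenset({22}))]
GLOBAL_POLICY = [
    Rule(100, "INGRESS", "allow", ip_ranges=("203.0.113.0/24",), protocol="tcp", ports=frozenset({22})),
    Rule(200, "INGRESS", "deny", protocol="tcp", ports=frozenset({22})),
]
ORG_POLICY = [Rule(10, "INGRESS", "deny", protocol="tcp", ports=frozenset({3389}))]
SSH_FROM_INTERNET = Packet("INGRESS", "198.51.100.7", "tcp", 22)


def ssh_verdict(enforcement_order: str) -> str:
    """Same rule sets, different verdict depending on the enforcement order."""
    verdict, _ = evaluate(SSH_FROM_INTERNET, hierarchical=[ORG_POLICY], vpc_rules=LEGACY_VPC_RULES,
                          global_policy=GLOBAL_POLICY, enforcement_order=enforcement_order)
    return verdict


if __name__ == "__main__":
    for order in ("AFTER_CLASSIC_FIREWALL", "BEFORE_CLASSIC_FIREWALL"):
        print(order, "->", ssh_verdict(order))
```

Running the script prints allow for AFTER_CLASSIC_FIREWALL and deny for BEFORE_CLASSIC_FIREWALL. The trace returned by evaluate shows which step decided, which is the same question the effective firewall rules views answer for a real network; the org-level deny of port 3389 in the scenario is decided at the hierarchical step regardless of the enforcement order, because hierarchical firewall policies are always evaluated first.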
Effective firewall rules
Hierarchical firewall policy rules, VPC firewall rules, and global and regional network firewall policy rules control connections. You might find it helpful to see all the firewall rules that affect an individual network or VM interface.
Network effective firewall rules
You can view all firewall rules applied to a VPC network. The list includes all of the following kinds of rules:
- Rules inherited from hierarchical firewall policies
- VPC firewall rules
- Rules applied from the global and regional network firewall policies
Instance effective firewall rules
You can view all firewall rules applied to a VM's network interface. The list includes all of the following kinds of rules:
- Rules inherited from hierarchical firewall policies
- VPC firewall rules of the VPC network that the interface is attached to
- Rules applied from the global and regional network firewall policies
The rules are ordered from the organization level down to the VPC network. Only rules that apply to the VM interface are shown. Rules in other policies aren't shown.
To view the effective firewall policy rules within a region, see Get effective regional firewall policies for a network.
Predefined rules
When you create a hierarchical firewall policy, a global network firewall policy, or a regional network firewall policy, Cloud NGFW adds predefined rules to the policy. The predefined rules that Cloud NGFW adds to the policy depend on how you create the policy.
If you create a firewall policy using the Google Cloud console, Cloud NGFW adds the following rules to the new policy:
- Goto-next rules for private IPv4 ranges
- Predefined Google Threat Intelligence deny rules
- Predefined geolocation deny rules
- Lowest possible priority goto-next rules
If you create a firewall policy using the Google Cloud CLI or the API, Cloud NGFW adds only the lowest possible priority goto-next rules to the policy.
All predefined rules in a new firewall policy purposefully use low priorities (large priority numbers) so you can override them by creating rules with higher priorities. Except for the lowest possible priority goto-next rules, you can also customize the predefined rules.
Goto-next rules for private IPv4 ranges
- An egress rule with destination IPv4 ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, priority 1000, and goto_next action.
- An ingress rule with source IPv4 ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16, priority 1001, and goto_next action.
Because these rules have a higher priority (lower number) than the predefined deny rules that follow, traffic to or from these private ranges continues to the next step in the evaluation order before the Threat Intelligence and geolocation deny rules are considered; those deny rules are only ever evaluated for traffic to or from addresses outside the private ranges.
Predefined Google Threat Intelligence deny rules
- An ingress rule with source Google Threat Intelligence list iplist-tor-exit-nodes, priority 1002, and deny action.
- An ingress rule with source Google Threat Intelligence list iplist-known-malicious-ips, priority 1003, and deny action.
- An egress rule with destination Google Threat Intelligence list iplist-known-malicious-ips, priority 1004, and deny action.
To learn more about Google Threat Intelligence, see Google Threat Intelligence for firewall policy rules.
Predefined geolocation deny rules
- An ingress rule with source matching geolocations CU, IR, KP, SY, XC, and XD, priority 1005, and deny action.
To learn more about geolocations, see Geolocation objects.
Lowest possible priority goto-next rules
You cannot modify or delete the following rules:
- An egress rule with destination IPv6 range ::/0, priority 2147483644, and goto_next action.
- An ingress rule with source IPv6 range ::/0, priority 2147483645, and goto_next action.
- An egress rule with destination IPv4 range 0.0.0.0/0, priority 2147483646, and goto_next action.
- An ingress rule with source IPv4 range 0.0.0.0/0, priority 2147483647, and goto_next action.
What's next
- To create and modify hierarchical firewall policies and rules, see Use hierarchical firewall policies and rules.
- To see examples of hierarchical firewall policy implementations, see Hierarchical firewall policy examples.
- To create and modify global network firewall policies and rules, see Use global network firewall policies and rules.
- To create and modify regional network firewall policies and rules, see Use regional network firewall policies and rules.