
Firewall policy rules

When you create a firewall policy rule, you specify a set of components that define what the rule does. These components specify traffic direction, source, destination, and Layer 4 characteristics such as protocol and destination port (if the protocol uses ports).

Each firewall policy rule applies to incoming (ingress) or outgoing (egress) connections, not both.

Ingress rules

Ingress direction refers to the incoming connections sent from specific sources to Google Cloud targets. Ingress rules apply to inbound packets, where the destination of the packets is the target.

An ingress rule with a deny action protects all instances by blocking incoming connections to them. A higher priority rule might allow incoming access. An automatically created default network includes some pre-populated VPC firewall rules, which allow ingress for certain types of traffic.

Egress rules

Egress direction refers to the outbound traffic sent from a target to a destination. Egress rules apply to packets for new connections where the source of the packet is the target.

An egress rule with an allow action lets an instance send traffic to the destinations specified in the rule. Egress can be denied by higher priority deny firewall rules. Google Cloud also blocks or limits certain kinds of traffic.

Firewall policy rule components

Rules in hierarchical firewall policies, global network firewall policies, and regional network firewall policies use the components described in this section. The term firewall policy refers to any of these three types of policies. For more information about the types of firewall policies, see Firewall policies.

Firewall policy rules generally work the same as VPC firewall rules, but there are a few differences as described in the following sections.

Priority

The priority of a rule in a firewall policy is an integer from 0 to 2,147,483,647, inclusive. Lower integers indicate higher priorities. The priority of a rule in a firewall policy is similar to the priority of a VPC firewall rule, with the following differences:

  • Each rule in a firewall policy must have a unique priority.
  • The priority of a rule in a firewall policy serves as the rule's unique identifier. Rules in firewall policies do not use names for identification.
  • The priority of a rule in a firewall policy defines the evaluation order within the firewall policy itself. VPC firewall rules and rules in hierarchical firewall policies, global network firewall policies, and regional network firewall policies are evaluated as described in Policy and rule evaluation order.

Action on match

A rule in a firewall policy can have one of the following three actions:

  • allow permits traffic and stops further rule evaluation.
  • deny disallows traffic and stops further rule evaluation.
  • goto_next continues the rule evaluation process.

Enforcement

You can choose whether a firewall policy rule is enforced by setting its state to enabled or disabled. You set the enforcement state when you create a rule or when you update a rule.

If you don't set an enforcement state when you create a new firewall policy rule, the rule is automatically enabled.
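The priority, action and enforcement semantics above, together with the default source and destination ranges described later under Sources and Destinations, can be exercised with the following model. This is an added example, not Google Cloud code: the Rule and Packet classes, the sample organization and network policies and all addresses are constructed; target matching is not modelled (every packet is assumed to reach a NIC the rule targets); a matching goto_next rule is treated as handing the packet to the next policy in the evaluation order, which the Policy and rule evaluation order page defines; and when every policy falls through, Google Cloud's implied VPC rules (deny ingress, allow egress) decide.

```python
"""Toy evaluator for a chain of firewall policies (added example, not Google Cloud
code). Assumptions: policies are plain lists of Rule objects, every packet is taken
to reach a NIC the rule targets (target matching is not modelled), and a matching
goto_next rule hands the packet to the next policy in the evaluation order."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPV4_ANY = "0.0.0.0/0"  # default ingress source and default egress destination: IPv4 only
PortRanges = Optional[List[Tuple[int, int]]]  # None = any destination port


@dataclass
class Rule:
    priority: int  # 0..2147483647, unique within the policy; it is the rule's identifier
    direction: str  # "INGRESS" or "EGRESS"
    action: str  # "allow", "deny" or "goto_next"
    protocols: Dict[int, PortRanges] = field(default_factory=dict)  # {} = all protocols/ports
    src_ranges: Optional[List[str]] = None  # ingress default: IPV4_ANY; egress default: unconstrained
    dst_ranges: Optional[List[str]] = None  # ingress default: implied by target; egress: IPV4_ANY
    enabled: bool = True  # a disabled rule is skipped during evaluation


@dataclass
class Packet:
    direction: str
    src: str
    dst: str
    proto: int  # IANA protocol number: 1 ICMP, 6 TCP, 17 UDP, 58 ICMPv6
    dport: Optional[int] = None


def in_ranges(addr: str, cidrs: List[str]) -> bool:
    """True if addr lies in any CIDR. An IPv6 address never lies in an IPv4 CIDR."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    ingress = pkt.direction == "INGRESS"
    src = rule.src_ranges if rule.src_ranges is not None else ([IPV4_ANY] if ingress else None)
    dst = rule.dst_ranges if rule.dst_ranges is not None else (None if ingress else [IPV4_ANY])
    if src is not None and not in_ranges(pkt.src, src):
        return False
    if dst is not None and not in_ranges(pkt.dst, dst):
        return False
    if not rule.protocols:  # no protocol constraint: all protocols and ports match
        return True
    if pkt.proto not in rule.protocols:
        return False
    ports = rule.protocols[pkt.proto]
    dport = pkt.dport if pkt.dport is not None else -1
    return ports is None or any(lo <= dport <= hi for lo, hi in ports)


def priorities_unique(rules: List[Rule]) -> bool:
    return len({r.priority for r in rules}) == len(rules)


def evaluate_policy(rules: List[Rule], pkt: Packet) -> str:
    """Action of the first enabled matching rule, lowest priority integer first;
    "goto_next" if that rule is a goto_next rule or if no rule matched."""
    if not priorities_unique(rules):
        raise ValueError("each rule in a firewall policy must have a unique priority")
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.enabled and rule_matches(rule, pkt):
            return rule.action  # allow/deny stop here; goto_next defers to the next policy
    return "goto_next"


def evaluate_chain(policies: List[List[Rule]], pkt: Packet) -> str:
    """Walk policies in evaluation order. If all of them fall through, Google Cloud's
    implied VPC rules decide: deny ingress, allow egress."""
    for rules in policies:
        result = evaluate_policy(rules, pkt)
        if result != "goto_next":
            return result
    return "deny" if pkt.direction == "INGRESS" else "allow"


# Constructed sample policies, not real configuration.
ORG_POLICY = [  # hierarchical firewall policy attached to the organization
    Rule(100, "INGRESS", "allow", {6: [(22, 22)]}, src_ranges=["10.0.0.0/8"]),
    Rule(200, "INGRESS", "deny", {6: [(22, 22)]}),  # SSH from any other IPv4 source
    Rule(1000, "INGRESS", "goto_next"),  # delegate everything else to lower levels
]
NETWORK_POLICY = [  # global network firewall policy on the VPC network
    Rule(50, "INGRESS", "deny", {6: [(443, 443)]}, enabled=False),  # staged, not enforced
    Rule(100, "INGRESS", "allow", {6: [(443, 443)]}),  # HTTPS; source defaults to 0.0.0.0/0
    Rule(300, "EGRESS", "deny"),  # meant as "deny all egress"; destination defaults to 0.0.0.0/0
]


def verdict(direction: str, src: str, dst: str, proto: int, dport: Optional[int] = None) -> str:
    """Verdict for one packet against ORG_POLICY and then NETWORK_POLICY."""
    return evaluate_chain([ORG_POLICY, NETWORK_POLICY], Packet(direction, src, dst, proto, dport))
```

With these sample policies, verdict("INGRESS", "10.1.2.3", "10.0.0.5", 6, 22) returns "allow" from the organization rule at priority 100, the same SSH attempt from 198.51.100.7 returns "deny" from priority 200, and HTTPS from 198.51.100.7 is delegated by the goto_next rule and allowed by the network policy, because the staged deny at priority 50 is disabled. The two results worth noticing are HTTPS from 2001:db8::1, which is denied by the implied ingress rule because the allow rule's omitted source is 0.0.0.0/0 and covers no IPv6 source, and UDP to 2001:4860:4860::8888, which the "deny all egress" rule lets through for the same reason on the destination side.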

Source, destination, target

You can specify both source parameters and destination parameters that apply to the packet sources or destinations for both ingress and egress firewall rules. The direction of the firewall rule determines the possible values for the source and destination parameters.

Target parameters identify the network interfaces of instances to which the firewall rule applies.

The target, source, and destination parameters work together.

Targets

The target parameter identifies the network interfaces of the Compute Engine instances, including GKE nodes and App Engine flexible environment instances.

You can define targets for both ingress and egress rules. Valid target options depend on the type of firewall policy.

Targets for hierarchical firewall policy rules

Hierarchical firewall policy rules support the following targets:

  • Default broadest target: When you omit the target specification in a hierarchical firewall policy rule, the firewall rule applies to all instances in all VPC networks in all the projects under the Resource Manager node (folder or organization) associated with the firewall policy. This is the broadest set of targets.

  • Specific networks: If you specify one or more VPC networks by using the target-resources parameter, the broadest set of targets is narrowed to VMs with a network interface in at least one of the specified VPC networks.

  • Instances identified by service account: If you specify one or more service accounts by using the target-service-accounts parameter, the broadest set of targets is narrowed to VMs that use one of the specified service accounts.

  • Specific networks and instances identified by service account: If you specify both the target-resources parameter and the target-service-accounts parameter, the broadest set of targets is narrowed to the VMs that meet both of the following criteria:

    • The VMs have a network interface in one of the specified VPC networks.
    • The VMs use one of the specified service accounts.

Targets for global network firewall policy rules

Global network firewall policy rules support the following targets:

  • Default target—all instances in the VPC network: When you omit the target specification in a global network firewall policy rule, the firewall rule applies to instances that have a network interface in the VPC network associated with the policy. The instances can be located in any region. This is the broadest set of targets.

  • Instances by target secure tags: If you specify target tags with the target-secure-tags parameter, the broadest set of targets is narrowed to include only those VMs bound to the tags.

  • Instances by target service accounts: If you specify service accounts with the target-service-accounts parameter, the broadest set of targets is narrowed to include only those VMs that use one of the specified service accounts.

Targets for regional network firewall policy rules

Regional network firewall policy rules support the following targets:

  • Default target—all instances in the region and VPC network: When you omit the target specification in a regional network firewall policy rule, the firewall rule applies to instances that have a network interface in the VPC network associated with the policy. The instances must be located in the same region as the policy. This is the broadest set of targets.

  • Instances by target secure tags: If you specify target tags with the target-secure-tags parameter, the broadest set of targets is narrowed to include only those VMs bound to the tags.

  • Instances by target service accounts: If you specify service accounts with the target-service-accounts parameter, the broadest set of targets is narrowed to include only those VMs that use one of the specified service accounts.

Targets and IP addresses for ingress rules

The packets routed to the network interface of a target VM are processed based on the following conditions:

  • If the ingress firewall rule includes a destination IP address range, the packet's destination must fit within one of the explicitly defined destination IP address ranges (preview feature).

  • If the ingress firewall rule does not include a destination IP address range, the packet's destination must match one of the following IP addresses:

    • The primary internal IPv4 address assigned to the instance's NIC.

    • Any configured alias IP ranges on the instance's NIC.

    • The external IPv4 address that's associated with the instance's NIC.

    • If IPv6 is configured on the subnet, any of the IPv6 addresses assigned to the NIC.

    • An internal or external IP address associated with a forwarding rule used for pass-through load balancing, where the instance is a backend for an internal TCP/UDP load balancer or a network load balancer.

    • An internal or external IP address associated with a forwarding rule used for protocol forwarding, where the instance is referenced by a target instance.

    • An IP address within the destination range of a custom static route that uses the instance (next-hop-instance or next-hop-address) as a next hop VM.

    • An IP address within the destination range of a custom static route that uses an internal TCP/UDP load balancer (next-hop-ilb) as a next hop if the VM is a backend for that load balancer.

Targets and IP addresses for egress rules

The processing of packets emitted from the network interface of a target depends on the IP forwarding configuration on the target VM. IP forwarding is disabled by default.

  • When the target VM has IP forwarding disabled, the VM can emit packets with the following sources:

    • The primary internal IPv4 address of an instance's NIC.

    • Any configured alias IP range on an instance's NIC.

    • If IPv6 is configured on the subnet, any of the IPv6 addresses assigned to the NIC.

    • An internal or external IP address associated with a forwarding rule, for pass-through load balancing or protocol forwarding. This is valid if the instance is a backend for an internal TCP/UDP load balancer, a network load balancer, or is referenced by a target instance.

    If the egress firewall rule includes source IP address ranges, the target VMs are still limited to the source IP addresses mentioned previously, but the source parameter can be used to refine that set (preview feature). Use of a source parameter without enabling IP forwarding does not expand the set of possible packet source addresses.

    If the egress firewall rule does not include a source IP address range, all the source IP addresses mentioned previously are permitted.

  • When the target VM has IP forwarding enabled, the VM can emit packets with arbitrary source addresses. You can use the source parameter to more precisely define the set of allowed packet sources.

Sources

Source parameter values depend on the type of firewall policy that contains the firewall rule and on the direction of the firewall rule.

Sources for ingress rules in hierarchical firewall policies

You can use the following sources for ingress rules in hierarchical firewall policies:

  • Default source range: When you omit a source specification in an ingress rule, Google Cloud uses the default source IPv4 address range 0.0.0.0/0 (any IPv4 address). The default value does not include IPv6 sources.

  • Source IPv4 ranges: A list of IPv4 addresses in CIDR format.

  • Source IPv6 ranges: A list of IPv6 addresses in CIDR format.

Sources for ingress rules in network firewall policies

You can use the following sources for ingress rules in global and regional network firewall policies:

  • Default source range: When you omit a source specification in an ingress rule, Google Cloud uses the default source IPv4 address range 0.0.0.0/0 (any IPv4 address). The default value does not include IPv6 sources.

  • Source IPv4 ranges: A list of IPv4 addresses in CIDR format.

  • Source IPv6 ranges: A list of IPv6 addresses in CIDR format.

  • Source secure tags: One or more Resource Manager secure tags that identify network interfaces of VM instances in the same VPC network to which the network firewall policy applies, or in a VPC network connected to the firewall policy's network by using VPC Network Peering. Additionally, if the policy is a regional network firewall policy, the VM instances must be in the same region as the policy.

  • A valid source combination: For the following combinations, the effective source set is the union of the IPv4 or IPv6 addresses that are explicitly specified and the IP address ranges that are implied by the source secure tag:

    • A combination of source IPv4 ranges and source secure tags.

    • A combination of source IPv6 ranges and source secure tags.

How source secure tags imply packet sources

Ingress rules in global and regional network firewall policies can specify sources by using secure tags. Each secure tag is associated with a single VPC network. The secure tag can only be bound to a VM if that VM has a network interface in the same VPC network to which the secure tag is associated.

Firewall policy rules with secure tags are applied as follows:

  • Ingress rules in a global network policy apply to packets emitted from the network interface of a VM bound to the tag, where the VM meets one of the following criteria:

    • The VM's network interface uses the same VPC network as the firewall policy.
    • The VM's network interface uses a VPC network connected to the firewall policy's VPC network by using VPC Network Peering.
  • Ingress rules in a regional network policy apply to packets emitted from the network interface of a VM bound to the tag, where the VM is in the same region as the firewall policy and meets one of the following criteria:

    • The VM's network interface uses the same VPC network as the firewall policy.
    • The VM's network interface uses a VPC network connected to the firewall policy's VPC network by using VPC Network Peering.

For each network interface identified this way, the following source IP addresses are resolved:

  • The primary internal IPv4 address of that network interface
  • Any IPv6 addresses assigned to that network interface

No other packet source IP addresses are resolved when using source secure tags. For example, alias IP ranges and external IPv4 addresses associated with the network interface are excluded. If you need to create ingress firewall rules whose sources include alias IP address ranges or external IPv4 addresses, use source IPv4 ranges.
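The resolution described above, as an added example that is not Google Cloud code: the Nic records, the network and region names, and the tag ID tagValues/111 are constructed sample data. tag_implied_sources applies the global and regional conditions above, and source_allowed shows the union with explicit IPv4 ranges from the "valid source combination" bullet, which is also the only way to cover a tagged VM's alias ranges or external address.

```python
"""Which packet sources a source secure tag implies (added example, not Google
Cloud code). The NIC records, network names, region names and the tag ID
tagValues/111 below are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Nic:
    vm: str
    network: str  # VPC network the interface is attached to
    region: str
    primary_ipv4: str
    alias_ranges: List[str] = field(default_factory=list)
    external_ipv4: Optional[str] = None
    ipv6: List[str] = field(default_factory=list)
    tags: Set[str] = field(default_factory=set)  # secure tags bound to the VM


def tag_implied_sources(nics: List[Nic], tag: str, policy_network: str,
                        peered: Set[str], policy_region: Optional[str] = None) -> Set[str]:
    """Resolve a source secure tag to packet source addresses.

    Only the primary internal IPv4 address and the IPv6 addresses of tagged NICs
    count, and only for NICs in the policy's network or a network peered with it;
    for a regional policy (policy_region set) the NIC must also be in that region.
    Alias IP ranges and external IPv4 addresses are never implied by a tag."""
    networks = {policy_network} | peered
    implied: Set[str] = set()
    for nic in nics:
        if tag not in nic.tags or nic.network not in networks:
            continue
        if policy_region is not None and nic.region != policy_region:
            continue
        implied.add(nic.primary_ipv4)
        implied.update(nic.ipv6)
    return implied


def source_allowed(pkt_src: str, implied: Set[str],
                   explicit_cidrs: Optional[List[str]] = None) -> bool:
    """The effective source set is the union of tag-implied addresses and explicit CIDRs."""
    ip = ipaddress.ip_address(pkt_src)
    if any(ip == ipaddress.ip_address(a) for a in implied):
        return True
    return any(ip in ipaddress.ip_network(c) for c in (explicit_cidrs or []))


NICS = [  # constructed sample inventory
    Nic("web-1", "prod-vpc", "us-central1", "10.10.0.5", alias_ranges=["10.20.0.0/24"],
        external_ipv4="203.0.113.10", ipv6=["2001:db8:0:1::5"], tags={"tagValues/111"}),
    Nic("web-2", "peer-vpc", "us-central1", "10.30.0.7", tags={"tagValues/111"}),  # peered network
    Nic("web-3", "prod-vpc", "europe-west1", "10.11.0.9", tags={"tagValues/111"}),  # other region
    Nic("web-4", "island-vpc", "us-central1", "10.40.0.9", tags={"tagValues/111"}),  # not peered
    Nic("db-1", "prod-vpc", "us-central1", "10.10.0.50"),  # not tagged
]

# Global network firewall policy on prod-vpc, peered with peer-vpc.
GLOBAL_IMPLIED = tag_implied_sources(NICS, "tagValues/111", "prod-vpc", {"peer-vpc"})
# Regional network firewall policy on prod-vpc in us-central1.
REGIONAL_IMPLIED = tag_implied_sources(NICS, "tagValues/111", "prod-vpc", {"peer-vpc"}, "us-central1")
```

For the global policy the tag resolves to 10.10.0.5, 2001:db8:0:1::5, 10.30.0.7 and 10.11.0.9; the regional policy drops 10.11.0.9. Packets from web-1's alias range (10.20.0.0/24) or its external address 203.0.113.10 are not matched by the tag alone, so a rule that needs them must add them as source IPv4 ranges.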

Sources for egress rules

You can use the following sources for egress rules in both hierarchical firewall policies and network firewall policies:

  • Default (implied by target): If you omit the source parameter from an egress rule, packet sources are defined implicitly as described in Targets and IP addresses for egress rules.

  • Source IPv4 ranges: A list of IPv4 addresses in CIDR format (preview feature).

  • Source IPv6 ranges: A list of IPv6 addresses in CIDR format (preview feature).

Destinations

Destinations can be specified by using IP address ranges, which are supported by both ingress and egress rules in both hierarchical and network firewall policies. The default destination behavior depends on the direction of the rule.

Destinations for ingress rules

You can use the following destinations for ingress firewall rules in both hierarchical and network firewall policies:

  • Default—implied by target: If you omit the destination parameter from an ingress rule, packet destinations are defined implicitly as described in Targets and IP addresses for ingress rules.

  • Destination IPv4 ranges: A list of IPv4 addresses in CIDR format (preview feature).

  • Destination IPv6 ranges: A list of IPv6 addresses in CIDR format (preview feature).

Destinations for egress rules

You can use the following destinations for egress firewall rules in both hierarchical and network firewall policies:

  • Default destination range: When you omit a destination specification in an egress rule, Google Cloud uses the default destination IPv4 address range 0.0.0.0/0 (any IPv4 address). The default value does not include IPv6 destinations.

  • Destination IPv4 ranges: A list of IPv4 addresses in CIDR format.

  • Destination IPv6 ranges: A list of IPv6 addresses in CIDR format.

Protocols and ports

Similar to VPC firewall rules, you must specify one or more protocol and port constraints when you create a rule. When specifying TCP or UDP in a rule, you can specify the protocol, the protocol and a destination port, or the protocol and a destination port range; you cannot specify only a port or port range. Also, you can only specify destination ports. Rules based on source ports are not supported.

You can use the following protocol names in firewall rules: tcp, udp, icmp (for IPv4 ICMP), esp, ah, sctp, and ipip. For all other protocols, use the IANA protocol numbers.

Many protocols use the same name and number in both IPv4 and IPv6, but some protocols, such as ICMP, do not. To specify IPv4 ICMP, use icmp or protocol number 1. For IPv6 ICMP, use protocol number 58.

Firewall rules do not support specifying ICMP types and codes, just the protocol.

The IPv6 Hop-by-Hop protocol is not supported in firewall rules.

If you do not specify protocol and port parameters, the rule applies to all protocols and destination ports.
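A parser for the protocol and port grammar above, as an added example that is not Google Cloud's own validation code. It follows the entry shape PROTOCOL[:PORT[-PORT]] used by the gcloud --layer4-configs flag; restricting ports to tcp and udp follows this page's wording and is an assumption of the parser, while the IANA numbers for Hop-by-Hop (0) and ICMPv6 (58) are standard. One pitfall it makes explicit: a bare number such as 22 is an IP protocol number, not TCP port 22, because a port can never be given without a protocol.

```python
"""Parser for PROTOCOL[:PORT[-PORT]] entries, the shape used by the gcloud
--layer4-configs flag (added example, not Google Cloud's own validation code).
Output is {protocol_number: [(low, high), ...]}, None meaning any destination port."""
import re
from typing import Dict, List, Optional, Tuple

PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1, "esp": 50, "ah": 51, "sctp": 132, "ipip": 4}
ICMPV6 = 58  # IPv6 ICMP has no protocol name in firewall rules; only the number works
HOP_BY_HOP = 0  # IPv6 Hop-by-Hop Options header, not supported in firewall rules
PORTED = {PROTO_NAMES["tcp"], PROTO_NAMES["udp"]}  # assumption: only tcp and udp take ports
PortRanges = Optional[List[Tuple[int, int]]]
ENTRY = re.compile(r"([a-z0-9]+)(?::(\d+)(?:-(\d+))?)?")


def parse_layer4(entry: str) -> Tuple[int, PortRanges]:
    """Parse one entry such as "tcp:22", "udp:1000-2000", "icmp" or "58"."""
    text = entry.strip().lower()
    m = ENTRY.fullmatch(text)
    if not m:  # rejects ":22" (port without protocol) and "tcp:22-" (open range)
        raise ValueError(f"malformed entry {entry!r}: expected PROTOCOL[:PORT[-PORT]]")
    name, low_s, high_s = m.groups()
    if name in PROTO_NAMES:
        proto = PROTO_NAMES[name]
    elif name.isdigit():
        proto = int(name)  # a bare number is an IANA protocol number, never a port
        if proto > 255:
            raise ValueError(f"protocol number {proto} out of range")
    else:
        raise ValueError(f"unknown protocol {name!r}: use a name or an IANA number")
    if proto == HOP_BY_HOP:
        raise ValueError("IPv6 Hop-by-Hop (protocol 0) is not supported")
    if low_s is None:
        return proto, None
    if proto in (PROTO_NAMES["icmp"], ICMPV6):
        raise ValueError("ICMP types and codes cannot be specified, only the protocol")
    if proto not in PORTED:
        raise ValueError(f"ports are only valid with tcp or udp, not {name!r}")
    low, high = int(low_s), int(high_s) if high_s is not None else int(low_s)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid port range {low}-{high}")
    return proto, [(low, high)]


def parse_layer4_configs(entries: List[str]) -> Dict[int, PortRanges]:
    """Merge entries per protocol. An empty list means all protocols and ports,
    and a protocol listed once without ports means all of its ports."""
    merged: Dict[int, PortRanges] = {}
    for entry in entries:
        proto, ranges = parse_layer4(entry)
        if proto not in merged:
            merged[proto] = ranges
        elif merged[proto] is None or ranges is None:
            merged[proto] = None
        else:
            merged[proto].extend(ranges)
    return merged


def layer4_error(entry: str) -> Optional[str]:
    """The validation error for an entry, or None if the entry is acceptable."""
    try:
        parse_layer4(entry)
        return None
    except ValueError as err:
        return str(err)
```

parse_layer4_configs(["tcp:22", "tcp:8000-8080", "udp:53", "icmp", "58", "ipip"]) yields {6: [(22, 22), (8000, 8080)], 17: [(53, 53)], 1: None, 58: None, 4: None}, the structure a rule evaluator can match a packet's protocol number and destination port against; layer4_error reports why entries such as ":22", "icmp:8", "0" or "udp:2000-1000" are rejected.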

Logging

Logging for firewall policy rules works the same as for VPC Firewall Rules Logging except for the following:

  • The reference field includes the firewall policy ID and a number indicating the level of the node to which the policy is attached. For example, 0 means that the policy is applied to an organization, and 1 means that the policy is applied to a top-level folder under the organization.

  • Logs for firewall policy rules include a target_resource field that identifies the VPC networks to which the rule applies.

  • Logging can only be enabled for allow and deny rules; it cannot be enabled for goto_next rules.
