Global network firewall policies let you batch update all firewall rules for a network by grouping them into a single policy object. You assign a global network firewall policy to a Virtual Private Cloud (VPC) network. The policy contains rules that explicitly allow or deny connections, or that send matching traffic for Layer 7 inspection.
Specifications
- Global network firewall policies are container resources for firewall rules. Each global network firewall policy resource is defined within a project.
- After you create a global network firewall policy, you can add, update, and delete firewall rules in the policy.
- For specification information about the rules in global network firewall policies, see Firewall policy rules.
- To apply global network firewall policy rules to a VPC network, you must associate the firewall policy with that VPC network.
- You can associate a global network firewall policy with multiple VPC networks. Make sure that the firewall policy and the associated networks belong to the same project.
- Each VPC network can be associated with only one global network firewall policy.
- If the firewall policy isn't associated with any VPC network, the rules in that policy have no effect. A firewall policy that is not associated with any network is an unassociated global network firewall policy.
- When a global network firewall policy is associated with one or more VPC networks, the firewall policy rules are enforced in the following ways:
- Existing rules are enforced against applicable resources in the associated VPC networks.
- Any changes made to the rules are enforced against applicable resources in the associated VPC networks.
- Rules in global network firewall policies are enforced along with other firewall rules as described in Policy and rule evaluation order.
Global network firewall policy rules can also configure Layer 7 inspection of the matched traffic, for example when you use the intrusion prevention service. To do so, you create a firewall policy rule with the apply_security_profile_group action and the name of the security profile group. Traffic that matches the rule is transparently forwarded to the firewall endpoint for Layer 7 inspection. To learn how to create a firewall policy rule, see Create global network firewall rules.
Global network firewall policy rule details
For more information about the components and parameters of rules in a global network firewall policy, see Firewall policy rules.
The following table summarizes key differences between global network firewall policy rules and VPC firewall rules:
Attribute | Global network firewall policy rules | VPC firewall rules |
---|---|---|
Priority number | Must be unique within a policy | Duplicate priorities allowed |
Service accounts as targets | Yes | Yes |
Service accounts as sources (ingress rules only) | No | Yes |
Tag type | Secure tag | Network tag |
Name and description | Policy name, policy and rule description | Rule name and description |
Batch update | Yes, through the policy clone, edit, and replace functions | No |
Reuse | Yes | No |
Quota | Attribute count, based on the total complexity of each rule in the policy | Rule count; complex and simple firewall rules have the same quota impact |
Predefined rules
When you create a global network firewall policy, Cloud Next Generation Firewall adds predefined rules with the lowest priority to the policy. These rules are applied to any connections that don't match an explicitly defined rule in the policy, causing such connections to be passed down to lower-level policies or network rules.
To learn about the various types of predefined rules and their characteristics, see Predefined rules.
Identity and Access Management (IAM) roles
IAM roles govern the following actions with regard to global network firewall policies:
- Creating a global network firewall policy
- Associating a policy with a network
- Modifying an existing policy
- Viewing the effective firewall rules for a particular network or VM
The following table describes which roles are necessary for each action:
Action | Necessary role |
---|---|
Create a new global network firewall policy | compute.securityAdmin role on the project to which the policy belongs |
Associate a policy with a network | compute.networkAdmin role on the project where the policy will live |
Modify the policy by adding, updating, or deleting policy firewall rules | compute.securityAdmin role on the project where the policy will live |
Delete the policy | compute.networkAdmin role on the project where the policy will live |
View effective firewall rules for a VPC network | Any of the following roles for the network: compute.networkAdmin compute.networkViewer compute.securityAdmin compute.viewer |
View effective firewall rules for a VM in a network | Any of the following roles for the VM: compute.instanceAdmin compute.securityAdmin compute.viewer |
The following roles are relevant to global network firewall policies.
Role name | Description |
---|---|
compute.securityAdmin | Can be granted at the project or policy level. If granted for a project, lets users create, update, and delete global network firewall policies and their rules. If granted for a policy, lets users update the policy rules, but not create or delete the policy. This role also lets users associate a policy with a network. |
compute.networkAdmin | Can be granted at the project or network level. If granted for a network, lets users view the list of global network firewall policies. |
compute.viewer, compute.networkUser, compute.networkViewer | Let users view the firewall rules applied to the network or instance. These roles include the compute.networks.getEffectiveFirewalls permission for networks and the compute.instances.getEffectiveFirewalls permission for instances. |