Global network firewall policies
Global network firewall policies enable you to batch update all firewall rules by grouping them into a single policy object. You can assign network firewall policies to a Virtual Private Cloud (VPC) network. These policies contain rules that can explicitly deny or allow connections.
- Global network firewall policies are container resources for firewall rules. Each global network firewall policy resource is defined within a project.
- After you create a global network firewall policy, you can add, update, and delete firewall rules in the policy.
- For specification information about the rules in global network firewall policies, see Firewall policy rules.
- To apply global network firewall policy rules to a VPC network, you must associate the firewall policy with that
- You can associate a global network firewall policy with multiple VPC networks. Make sure that the firewall policy and the associated networks belong to the same project.
- Each VPC network can be associated with only one global network firewall policy.
- If the firewall policy isn't associated with any VPC network, the rules in that policy have no effect. A firewall policy that is not associated with any network is an unassociated global network firewall policy.
- When a global network firewall policy is associated with one or more VPC networks, the firewall policy rules are enforced in the
  - Existing rules are enforced against applicable resources in the associated VPC networks.
  - Any changes made to the rules are enforced against applicable resources in the associated VPC networks.
- Rules in global network firewall policies are enforced along with other firewall rules as described in Policy and rule evaluation order.
Global network firewall policy rule details
For more information about the components and parameters of rules in a global network firewall policy, see Firewall policy rules.
The following table summarizes key differences between global network firewall policy rules and VPC firewall rules:
| | Global network firewall policy rules | VPC firewall rules |
|---|---|---|
| Priority number | Must be unique within a policy | Duplicate priorities allowed |
| Service accounts as targets | Yes | Yes |
| Service accounts as sources (ingress rules only) | | |
| Tag type | Secure tag | Network tag |
| Name and description | Policy name, policy and rule description | Rule name and description |
| Batch update | Yes—for policy clone, edit, and replace functions | No |
| Quota | Attribute count—based on the total complexity of each rule in the policy | Rule count—complex and simple firewall rules have the same quota impact |
All global network firewall policies have four pre-defined goto_next rules with the lowest priority. These rules are applied to any connections that do not match an explicitly defined rule in the policy, causing such connections to be passed down to lower-level policies or network rules.
These pre-defined rules are also present in regional network firewall policies and hierarchical firewall policies. For more information, see pre-defined rules in the Hierarchical firewall policies documentation.
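The association and evaluation behaviour described above (a policy only takes effect on networks it is associated with, priorities must be unique within a policy, and the lowest-priority goto_next rules hand unmatched connections down to the VPC firewall rules) can be modelled in a few lines. The following is an added, simplified model written for this page, not Google Cloud code or its API: the four pre-defined rules are constructed stand-ins, the IPv4/IPv6 split and priority values are assumptions, and the fallback after all layers models the implied VPC rules (deny ingress, allow egress).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    priority: int             # lower number = evaluated first
    direction: str            # "INGRESS" or "EGRESS"
    action: str               # "allow", "deny" or "goto_next"
    src_ranges: tuple = ("0.0.0.0/0",)
    ports: tuple = ()         # empty = any port

    def matches(self, direction, src, port):
        return (self.direction == direction
                and any(ip_address(src) in ip_network(r) for r in self.src_ranges)
                and (not self.ports or port in self.ports))

# Constructed stand-ins for the four pre-defined goto_next rules at the lowest priority
# (assumed: one ingress and one egress rule each for IPv4 and IPv6).
PREDEFINED = (Rule(2**31 - 4, "INGRESS", "goto_next", ("0.0.0.0/0",)),
              Rule(2**31 - 3, "INGRESS", "goto_next", ("::/0",)),
              Rule(2**31 - 2, "EGRESS", "goto_next", ("0.0.0.0/0",)),
              Rule(2**31 - 1, "EGRESS", "goto_next", ("::/0",)))

@dataclass
class GlobalNetworkFirewallPolicy:
    rules: list
    associated_networks: set = field(default_factory=set)

    def validate(self):
        # Priority numbers must be unique within a policy (VPC firewall rules allow duplicates).
        prios = [r.priority for r in self.rules]
        dupes = sorted({p for p in prios if prios.count(p) > 1})
        if dupes:
            raise ValueError(f"duplicate priorities in policy: {dupes}")
        return True

def evaluate(policy, vpc_rules, network, direction, src, port):
    """Decide one connection: policy rules first (only if associated with the network),
    then VPC rules; a goto_next match passes the connection down to the next layer."""
    layers = [sorted(vpc_rules, key=lambda r: r.priority)]
    if network in policy.associated_networks:        # an unassociated policy has no effect
        layers.insert(0, sorted(policy.rules, key=lambda r: r.priority))
    for layer in layers:
        for rule in layer:
            if rule.matches(direction, src, port):
                if rule.action == "goto_next":
                    break                            # fall through to the next layer
                return rule.action
    return "deny" if direction == "INGRESS" else "allow"   # assumed implied VPC rules

def sample():
    """Constructed sample: the policy denies SSH from 10/8, a VPC rule allows SSH from anywhere."""
    policy = GlobalNetworkFirewallPolicy(
        [Rule(1000, "INGRESS", "deny", ("10.0.0.0/8",), (22,)), *PREDEFINED], {"prod-vpc"})
    policy.validate()
    return policy, [Rule(65534, "INGRESS", "allow", ("0.0.0.0/0",), (22,))]
```

Running the sample shows that SSH from 10.1.2.3 into prod-vpc is denied by the policy, while the same packet into an unassociated network, or SSH from outside 10/8, falls through the goto_next rule to the VPC allow rule.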
Identity and Access Management (IAM) roles
IAM roles govern the following actions with regard to global network firewall policies:
- Creating a global network firewall policy
- Associating a policy with a network
- Modifying an existing policy
- Viewing the effective firewall rules for a particular network or VM
The following table describes which roles are necessary for each action:
| Action | Required role |
|---|---|
| Create a new global network firewall policy | compute.securityAdmin role on the project to which the policy belongs |
| Associate a policy with a network | compute.networkAdmin role on the project where the policy will live |
| Modify the policy by adding, updating, or deleting policy firewall rules | compute.securityAdmin role on the project where the policy will live |
| Delete the policy | compute.networkAdmin role on the project where the policy will live |
| View effective firewall rules for a VPC network | Any of the following roles for the network: |
| View effective firewall rules for a VM in a network | Any of the following roles for the VM: |
The following roles are relevant to global network firewall policies.
| Role | Description |
|---|---|
| compute.securityAdmin | Can be granted at the project or policy level. If granted for a project, lets users create, update, and delete global network firewall policies and their rules. At the policy level, lets users update the policy rules, but not create or delete the policy. This role also lets users associate a policy with a network. |
| compute.networkAdmin | Granted at the project level or network level. If granted for a network, allows users to view the list of global network firewall policies. |
| | Allows users to view the firewall rules applied to the network or instance. |