Global network firewall policies
Global network firewall policies enable you to batch update all firewall rules by grouping them into a single policy object. You can assign network firewall policies to a VPC network. These policies contain rules that can explicitly deny or allow connections.
- Global network firewall policies are created at the VPC level. Creating a policy does not automatically apply the rules to the network.
- Policies, once created, can be applied to (associated with) any VPC network in your project.
- Global network firewall policies are containers for firewall rules. When you associate a policy with the VPC network, all rules are immediately applied.
- You can associate the same global network firewall policy to multiple VPC networks in a project.
- Global network firewall policies support secure tags in firewall rules. For more details, see Use tags for firewalls.
Global network firewall policy details
Global network firewall policy rules are defined in a firewall policy resource that acts as a container for firewall rules. The rules defined in a firewall policy are not enforced until the policy is associated with a VPC network.
A single policy can be associated with multiple VPC networks. If you modify a rule in a policy, that rule change applies to all currently associated networks.
While one policy can be associated with multiple networks, a network can have only one global network firewall policy associated with it. Network firewall policy rules and VPC firewall rules are evaluated in a well-defined order. However, you can customize the firewall policy enforcement order.
A firewall policy that is not associated with any networks is an unassociated global network firewall policy.
Differences between firewall policy rules and VPC firewall rules
The differences between firewall policy rules and VPC firewall rules are as follows:
| | Global network firewall policy rules | VPC firewall rules |
|---|---|---|
| Service account | Target service account only (no source service account) | Yes |
| Tag | Secure tag | Network tag |
| Name and description | Policy name, policy and rule description | Rule name and description |
| Batch update | Yes (policy clone, edit, and replace functions) | No |
| Quota | Attribute count | Rule count |
Global network firewall policy rule details
- Target secure tags: When target secure tags are specified, the network firewall policy rule applies only to the VMs that are bound to those tags. If no target secure tags are specified, the rule applies to all VMs in the VPC network.
- Source secure tags: You can identify source instances in the same VPC network, or in a peered VPC network, by matching their secure tags.
All global network firewall policies have four pre-defined goto_next rules with the lowest priority. These rules apply to any connection that does not match an explicitly defined rule in the policy, so such connections are passed down to lower-level policies or to the VPC network's firewall rules. These rules are the same as the pre-defined rules of hierarchical firewall policies. For more details about pre-defined rules, see pre-defined rules.
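The lifecycle described in the sections above, as gcloud commands: create the policy (a container that enforces nothing yet), add an allow rule scoped by target secure tag and a logged deny rule with no target tags (so it applies to every VM), associate the one policy with two VPC networks, and then confirm what a network actually enforces. This is an added example, not code from the original page or from Google's documentation; the project, policy and network names and the tag value tagValues/123456789 are placeholders, and the script prints each command instead of running it unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example: build a global network firewall policy with gcloud and
# associate it with two VPC networks. Not from the original page.
# Placeholders (assumed, not real resources): project my-project, policy
# shared-baseline-policy, networks vpc-prod and vpc-staging, and the secure
# tag value tagValues/123456789 bound to the web-server VMs.
# DRY_RUN=1 (default) prints every gcloud command instead of executing it.

set -eu

PROJECT="${PROJECT:-my-project}"
POLICY="${POLICY:-shared-baseline-policy}"
WEB_TAG="${WEB_TAG:-tagValues/123456789}"
DRY_RUN="${DRY_RUN:-1}"

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# create_policy: the policy is only a container until it is associated.
create_policy() {
  run gcloud compute network-firewall-policies create "$POLICY" \
    --project "$PROJECT" --global \
    --description "Baseline rules shared by all VPC networks"
}

# add_rules: priority 1000 allows HTTPS only to VMs carrying the web secure
# tag; priority 2000 logs and denies all other ingress and, having no target
# tags, applies to every VM in the network. Traffic matching neither rule
# falls through to the pre-defined goto_next rules and then to the VPC
# firewall rules. Internal source ranges would normally get their own allow.
add_rules() {
  run gcloud compute network-firewall-policies rules create 1000 \
    --project "$PROJECT" --firewall-policy "$POLICY" --global-firewall-policy \
    --direction INGRESS --action allow \
    --src-ip-ranges 0.0.0.0/0 --layer4-configs tcp:443 \
    --target-secure-tags "$WEB_TAG" \
    --description "HTTPS to tagged web servers"
  run gcloud compute network-firewall-policies rules create 2000 \
    --project "$PROJECT" --firewall-policy "$POLICY" --global-firewall-policy \
    --direction INGRESS --action deny \
    --src-ip-ranges 0.0.0.0/0 --layer4-configs all \
    --enable-logging \
    --description "Log and deny all other ingress"
}

# associate: one policy, several networks; editing a rule later changes
# enforcement on every associated network at once.
associate() {
  for net in "$@"; do
    run gcloud compute network-firewall-policies associations create \
      --project "$PROJECT" --firewall-policy "$POLICY" --global-firewall-policy \
      --network "$net" --name "assoc-$net"
  done
}

# show_effective: list the rules a network enforces after association,
# which is the check to run before trusting the policy is live.
show_effective() {
  run gcloud compute networks get-effective-firewalls "$1" --project "$PROJECT"
}

setup() {
  create_policy
  add_rules
  associate vpc-prod vpc-staging
  show_effective vpc-prod
}

setup
```

Run it once with the default DRY_RUN=1 to review the generated commands, then with DRY_RUN=0 against a project where you hold the roles listed in the IAM section. The deny rule is deliberately below the allow in priority order so the tagged allow is evaluated first; both rules are created before any association, so nothing is enforced until the associations exist.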
Identity and Access Management (IAM) roles
IAM roles govern the following actions with regard to global network firewall policies:
- Creating a global network firewall policy
- Associating a policy with a network
- Modifying an existing policy
- Viewing the effective firewall rules for a particular network or VM
The following table describes which roles are necessary for each action:
| Action | Required role |
|---|---|
| Create a new global network firewall policy | compute.securityAdmin role on the project to which the policy belongs |
| Associate a policy with a network | compute.networkAdmin role on the project where the policy will live |
| Modify the policy by adding, updating, or deleting policy firewall rules | compute.securityAdmin role on the project where the policy will live |
| Delete the policy | compute.networkAdmin role on the project where the policy will live |
| View effective firewall rules for a VPC network | Any of the following roles for the network: |
| View effective firewall rules for a VM in a network | Any of the following roles for the VM: |
The following roles are relevant to global network firewall policies.
| Role | Description |
|---|---|
| compute.securityAdmin | Can be granted at the project or policy level. If granted for a project, lets users create, update, and delete global network firewall policies and their rules. At the policy level, lets users update the policy rules, but not create or delete the policy. This role also lets users associate a policy with a network. |
| compute.networkAdmin | Granted at the project level or network level. If granted for a network, lets users view the list of global network firewall policies. |
| | Lets users view the firewall rules applied to the network or instance. |