Global network firewall policies

Global network firewall policies enable you to batch update all firewall rules by grouping them into a single policy object. You can assign network firewall policies to a Virtual Private Cloud (VPC) network. These policies contain rules that can explicitly deny or allow connections.

Specifications

  • Global network firewall policies are container resources for firewall rules. Each global network firewall policy resource is defined within a project.
    • After you create a global network firewall policy, you can add, update, and delete firewall rules in the policy.
    • For specification information about the rules in global network firewall policies, see Firewall policy rules.
  • To apply global network firewall policy rules to a VPC network, you must associate the firewall policy with that VPC network.
    • You can associate a global network firewall policy with multiple VPC networks. Make sure that the firewall policy and the associated networks belong to the same project.
    • Each VPC network can be associated with only one global network firewall policy.
    • If the firewall policy isn't associated with any VPC network, the rules in that policy have no effect. A firewall policy that is not associated with any network is an unassociated global network firewall policy.
  • When a global network firewall policy is associated with one or more VPC networks, the firewall policy rules are enforced in the following ways:
    • Existing rules are enforced against applicable resources in the associated VPC networks.
    • Any changes made to the rules are enforced against applicable resources in the associated VPC networks.
  • Rules in global network firewall policies are enforced along with other firewall rules as described in Policy and rule evaluation order.
  • Global network firewall policy rules can also be used to configure Layer 7 inspection of the matched traffic, for example when using the intrusion prevention service.

    You create a firewall policy rule with the apply_security_profile_group action and the name of a security profile group. Traffic that matches the firewall policy rule is transparently forwarded to the firewall endpoint for Layer 7 inspection. To learn how to create a firewall policy rule, see Create global network firewall rules.

Global network firewall policy rule details

For more information about the components and parameters of rules in a global network firewall policy, see Firewall policy rules.

The following table summarizes key differences between global network firewall policy rules and VPC firewall rules:

| | Global network firewall policy rules | VPC firewall rules |
| --- | --- | --- |
| Priority number | Must be unique within a policy | Duplicate priorities allowed |
| Service accounts as targets | Yes | Yes |
| Service accounts as sources (ingress rules only) | No | Yes |
| Tag type | Secure tag | Network tag |
| Name and description | Policy name, policy and rule description | Rule name and description |
| Batch update | Yes (for policy clone, edit, and replace functions) | No |
| Reuse | Yes | No |
| Quota | Attribute count, based on the total complexity of each rule in the policy | Rule count; complex and simple firewall rules have the same quota impact |

Predefined rules

When you create a global network firewall policy, Cloud Next Generation Firewall adds predefined rules with the lowest priority to the policy. These rules are applied to any connections that don't match an explicitly defined rule in the policy, causing such connections to be passed down to lower-level policies or network rules.

To learn about the various types of predefined rules and their characteristics, see Predefined rules.
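The following Python is an added example, not code from this page or from Cloud NGFW itself. It models the constraints stated in the Specifications section (priorities unique within a policy, one policy per network, policy and network in the same project) and the evaluation path described under Predefined rules, where a connection that matches no explicit rule falls through to lower-level rules; the class and function names (Rule, Policy, Network, associate, evaluate) and the sample ranges are my own.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    priority: int              # must be unique within a policy (unlike VPC firewall rules)
    direction: str             # "INGRESS" or "EGRESS"
    action: str                # allow | deny | goto_next | apply_security_profile_group
    protocol: str = "all"      # "tcp", "udp", ... or "all"
    ports: frozenset = frozenset()       # empty means any port
    src_ranges: tuple = ("0.0.0.0/0",)   # CIDR ranges matched against the source address
    profile_group: str = ""              # security profile group used for Layer 7 inspection

    def matches(self, direction, proto, port, src_ip):
        if direction != self.direction or self.protocol not in ("all", proto):
            return False
        if self.ports and port not in self.ports:
            return False
        return any(ip_address(src_ip) in ip_network(r) for r in self.src_ranges)

class Policy:
    """A global network firewall policy: a project-scoped container of rules."""
    def __init__(self, name, project):
        self.name, self.project, self.rules, self.networks = name, project, {}, set()

    def add_rule(self, rule):
        if rule.priority in self.rules:   # duplicate priorities are rejected
            raise ValueError(f"priority {rule.priority} already used in {self.name}")
        self.rules[rule.priority] = rule

class Network:
    def __init__(self, name, project):
        self.name, self.project, self.policy = name, project, None

def associate(policy, network):
    """Enforce the association constraints: same project, one policy per network."""
    if network.project != policy.project:
        raise ValueError("policy and network must belong to the same project")
    if network.policy is not None:
        raise ValueError(f"{network.name} is already associated with {network.policy.name}")
    network.policy = policy
    policy.networks.add(network.name)

def evaluate(network, direction, proto, port, src_ip):
    """Action of the first matching rule (lower number = higher precedence)."""
    if network.policy is None:            # rules of an unassociated policy have no effect
        return "goto_next"
    for prio in sorted(network.policy.rules):
        rule = network.policy.rules[prio]
        if rule.matches(direction, proto, port, src_ip):
            return rule.action
    return "goto_next"   # predefined lowest-priority rule passes the connection down
```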

Identity and Access Management (IAM) roles

IAM roles govern the following actions with regard to global network firewall policies:

  • Creating a global network firewall policy
  • Associating a policy with a network
  • Modifying an existing policy
  • Viewing the effective firewall rules for a particular network or VM

The following table describes which roles are necessary for each action:

| Action | Necessary role |
| --- | --- |
| Create a new global network firewall policy | compute.securityAdmin role on the project to which the policy belongs |
| Associate a policy with a network | compute.networkAdmin role on the project where the policy will live |
| Modify the policy by adding, updating, or deleting policy firewall rules | compute.securityAdmin role on the project where the policy will live |
| Delete the policy | compute.networkAdmin role on the project where the policy will live |
| View effective firewall rules for a VPC network | Any of the following roles for the network: compute.networkAdmin, compute.networkViewer, compute.securityAdmin, compute.viewer |
| View effective firewall rules for a VM in a network | Any of the following roles for the VM: compute.instanceAdmin, compute.securityAdmin, compute.viewer |

The following roles are relevant to global network firewall policies.

| Role name | Description |
| --- | --- |
| compute.securityAdmin | Can be granted at the project or policy level. If granted for a project, lets users create, update, and delete global network firewall policies and their rules. At the policy level, lets users update the policy rules, but not create or delete the policy. This role also lets users associate a policy with a network. |
| compute.networkAdmin | Granted at the project level or network level. If granted for a network, allows users to view the list of global network firewall policies. |
| compute.viewer, compute.networkUser, compute.networkViewer | Allow users to view the firewall rules applied to the network or instance. These roles include the compute.networks.getEffectiveFirewalls permission for networks and the compute.instances.getEffectiveFirewalls permission for instances. |