Global network firewall policies

Global network firewall policies enable you to batch update all firewall rules by grouping them into a single policy object. You can assign network firewall policies to a VPC network. These policies contain rules that can explicitly deny or allow connections.

Specifications

  • Global network firewall policies are created at the VPC level. Creating a policy does not automatically apply the rules to the network.
  • Policies, once created, can be applied to (associated with) any VPC network in your project.
  • Global network firewall policies are containers for firewall rules. When you associate a policy with the VPC network, all rules are immediately applied.
  • You can associate the same global network firewall policy to multiple VPC networks in a project.
  • Global network firewall policies support secure tags in firewall rules. For more details, see Use tags for firewalls.

Global network firewall policy details

Global network firewall policy rules are defined in a firewall policy resource that acts as a container for firewall rules. The rules defined in a firewall policy are not enforced until the policy is associated with a VPC network.

A single policy can be associated with multiple VPC networks. If you modify a rule in a policy, that rule change applies to all currently associated networks.

While one policy can be associated with multiple networks, a network can have only one global network firewall policy associated with it. Network firewall policy rules and VPC firewall rules are evaluated in a well-defined order. However, you can customize the firewall policy enforcement order.

A firewall policy that is not associated with any networks is an unassociated global network firewall policy.

Differences between firewall policy rules and VPC firewall rules

The differences between firewall policy rules and VPC firewall rules are as follows:

| | Global network firewall policy rules | VPC firewall rules |
|---|---|---|
| Priority | Unique | Duplication allowed |
| Service account | Target service account only (no source service account) | Yes |
| Tag | Secure tag | Network tag |
| Name and description | Policy name, policy and rule description | Rule name and description |
| Batch update | Yes (policy clone, edit, and replace functions) | No |
| Reuse | Yes | No |
| Quota | Attribute count | Rule count |

Global network firewall policy rule details

Global network firewall policies contain rules that generally work the same as common firewall policy rules and VPC firewall rules, but with a few differences, as follows.

  • Target secure tags: When the target tags are specified, the network firewall policy rule only applies to the VMs that are associated with these target tags. If the target secure tags are not specified, the network firewall policy rule applies to all the VMs in the VPC network.
  • Source secure tags: You can identify source instances in the same VPC network or in a peered VPC network by matching their tags.

Pre-defined rules

All global network firewall policies have four pre-defined goto_next rules with lowest priority. These rules are applied to any connections that do not match an explicitly defined rule in the policy, causing such connections to be passed down to lower-level policies or network rules.

These rules are the same as the pre-defined rules in hierarchical firewall policies. For more details about pre-defined rules, see pre-defined rules.
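The evaluation order, target secure tags and goto_next fall-through described above, as an added example that is not Google Cloud's own code: a small Python simulator over constructed rules. The Rule class, the layer names, the sample rules and the IPv4-only modelling of the pre-defined rules are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOWEST_PRIORITY = 2147483647  # priorities run 0..2147483647; higher numbers are evaluated later


@dataclass(frozen=True)
class Rule:
    direction: str                        # "ingress" or "egress"
    priority: int
    action: str                           # "allow", "deny" or "goto_next"
    ip_ranges: tuple = ("0.0.0.0/0",)     # source ranges (ingress) or destination ranges (egress)
    ports: tuple = ()                     # empty tuple = any port
    target_tags: frozenset = frozenset()  # empty = rule applies to every VM in the network

    def matches(self, vm_tags, remote_ip, port, direction):
        if self.direction != direction:
            return False
        if self.target_tags and not (self.target_tags & vm_tags):
            return False
        if not any(ip_address(remote_ip) in ip_network(r) for r in self.ip_ranges):
            return False
        return not self.ports or port in self.ports


# The page's four pre-defined goto_next rules (ingress/egress x IPv4/IPv6) sit at the
# lowest priority; this simulator models IPv4 only, so two rules suffice (assumption).
PREDEFINED = [Rule("ingress", LOWEST_PRIORITY, "goto_next"),
              Rule("egress", LOWEST_PRIORITY, "goto_next")]


def evaluate(layers, vm_tags, remote_ip, port, direction="ingress"):
    """layers: (name, rules) pairs in enforcement order. Returns (layer, action)
    of the rule that decided the connection, or the implied VPC rule."""
    for name, rules in layers:
        for rule in sorted(rules, key=lambda r: r.priority):
            if rule.matches(vm_tags, remote_ip, port, direction):
                if rule.action != "goto_next":
                    return name, rule.action
                break  # goto_next: hand the connection to the next layer
    return "implied", "allow" if direction == "egress" else "deny"  # implied VPC rules


# Constructed sample: a global network firewall policy that denies SSH to VMs carrying
# the secure tag "web", plus a VPC firewall rule that allows SSH from 10.0.0.0/8.
GLOBAL_POLICY = [Rule("ingress", 1000, "deny", ports=(22,), target_tags=frozenset({"web"}))] + PREDEFINED
VPC_RULES = [Rule("ingress", 1000, "allow", ip_ranges=("10.0.0.0/8",), ports=(22,))]
DEFAULT_ORDER = [("hierarchical-policy", []),  # empty here: nothing defined at org/folder level
                 ("global-network-policy", GLOBAL_POLICY),
                 ("vpc-firewall-rules", VPC_RULES)]
```

Reversing the layer list models the customized enforcement order in which VPC firewall rules are evaluated before the network firewall policy.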

Identity and Access Management (IAM) roles

IAM roles govern the following actions with regard to global network firewall policies:

  • Creating a global network firewall policy
  • Associating a policy with a network
  • Modifying an existing policy
  • Viewing the effective firewall rules for a particular network or VM

The following table describes which roles are necessary for each action:

| Action | Necessary role |
|---|---|
| Create a new global network firewall policy | compute.securityAdmin role on the project to which the policy belongs |
| Associate a policy with a network | compute.networkAdmin role on the project where the policy will live |
| Modify the policy by adding, updating, or deleting policy firewall rules | compute.securityAdmin role on the project where the policy will live |
| Delete the policy | compute.networkAdmin role on the project where the policy will live |
| View effective firewall rules for a VPC network | Any of the following roles for the network: compute.networkAdmin, compute.networkViewer, compute.securityAdmin, compute.securityReadOnly, compute.viewer |
| View effective firewall rules for a VM in a network | Any of the following roles for the VM: compute.instanceAdmin, compute.securityAdmin, compute.securityReadOnly, compute.viewer |

The following roles are relevant to global network firewall policies.

| Role name | Description |
|---|---|
| compute.securityAdmin | Can be granted at the project or policy level. If granted for a project, lets users create, update, and delete global network firewall policies and their rules. At the policy level, lets users update the policy rules, but not create or delete the policy. This role also lets users associate a policy with a network. |
| compute.networkAdmin | Granted at the project level or network level. If granted for a network, allows users to view the list of global network firewall policies. |
| compute.viewer, compute.networkUser, compute.networkViewer | Allows users to view the firewall rules applied to the network or instance. Includes the compute.networks.getEffectiveFirewalls permission for networks and the compute.instances.getEffectiveFirewalls permission for instances. |