Regional network firewall policies let you create and enforce a consistent firewall policy across all subnetworks within a region in your VPC network. You can assign regional network firewall policies to a VPC network. These policies contain rules that can explicitly deny or allow connections, or go to the next level of the hierarchy.
Specifications
- Regional network firewall policies are mostly similar to the global network firewall policies.The regional network firewall policies have one and only one target region, while the global network firewall policies apply automatically to all regions.
- Regional network firewall policies are created at the VPC level. Creating a policy does not automatically apply the rules to the network.
- Policies, once created, can be applied to (associated with) any VPC network in your project.
- Regional network firewall policies are containers for firewall rules. When you associate a policy with the VPC network, all rules are immediately applied.
- You can associate the same regional network firewall policy to multiple VPC networks in a project.
- Regional network firewall policies do not support Layer 7 inspection.
- Regional network firewall policies support Tags in firewall rules. For more details, see Use Tags for firewalls.
Regional network firewall policy details
Regional network firewall policy rules are defined in a firewall policy resource that acts as a container for firewall rules. The rules defined in a regional network firewall policy are not enforced until the policy is associated with a VPC network.
A single policy can be associated with multiple VPC networks. If you modify a rule in a policy, that rule change applies to all currently associated networks.
In a specific region, only one regional network firewall policy can be associated with a network. Global network firewall policy rules, VPC firewall rules, and regional network firewall policy rules are evaluated in a well-defined order.
A firewall policy that is not associated with any networks is an unassociated regional network firewall policy.
Regional network firewall policy rule details
Regional network firewall policies contain rules that generally work the same as network firewall policy rules, but there are a few differences:
Regional enforcement: The regional network firewall policy rules are only applicable to the region where the regional network firewall policy is created.
Priority order: You must specify priorities while creating the regional network firewall policy rules. These priorities are unique and only significant within a regional network firewall policy.
Rule evaluation order is determined by the rule priority, from the lowest number to the highest number. The rule with the lowest numeric value assigned has the highest logical priority and is evaluated before rules with lower logical priorities. The priority of a rule decreases as its number increases (1, 2, 3, N+1). You cannot configure two or more rules with the same priority.
The priority for each rule must be set to a number from 0 to 2147483547 inclusive. The minimum numeric priority is 0. The priority values from 2147483548 (INT-MAX-99) to 2147483647 (INT-MAX) are reserved for system default firewall rules.
Evaluation order: Regional network firewall policies are always evaluated after global network firewall policies. By default, VPC firewall rules are evaluated before global and regional network firewall policies. You can also customize the rule evaluation order to enforce the global network firewall policies before or after the VPC firewall rules.
The regional network firewall policy rules also include source and target secure tags.
Predefined rules
When you create a regional network firewall policy, Cloud Next Generation Firewall adds predefined rules with the lowest priority to the policy. These rules are applied to any connections that don't match an explicitly defined rule in the policy, causing such connections to be passed down to lower-level policies or network rules.
To learn about the various types of predefined rules and their characteristics, see Predefined rules.
Identity and Access Management (IAM) roles
For details about IAM roles that govern the actions to create and manage regional network firewall policies, see Use regional network firewall policies.