
Resource Manager tags for firewalls

Resource Manager tags let you define sources and targets in network firewall policies and regional firewall policies.

Resource Manager tags (referred to as tags) are different from network tags. Network tags are simple strings, not keys and values, and don't offer any kind of access control. For more information about the differences between tags and network tags, and what products support each one, see Comparison of Resource Manager tags and network tags.

Specifications

Resource Manager tags have the following specifications:

  • Parent resource: Tags are resources created within an organization. When you create a tag to use in a network firewall policy, you choose which VPC network to associate the tag with.
  • Structure and format: Tags are resources that contain two components: a key and one or more values.
    • You can create a maximum of 1000 tag keys in an organization.
    • Each tag key can have a maximum of 1000 tag values.
  • Access control: IAM policies determine which IAM principals can create and use tags. IAM principals with the Tag Administrator role can create tag definitions. Along with other necessary IAM permissions, granting a principal the Tag User role lets that user use the tag when they create VMs and apply network firewall policy rules that use the tag. Granting the Tag User role lets you delegate the assignment of network firewall policies for VMs to application developers, database administrators, or operational teams. For more information about the required permissions, see IAM roles.
  • Binding to VMs: Each tag can be attached to an unlimited number of VM instances. You can attach a maximum of 10 tags per network interface (NIC) of a VM. For example:
    • If a VM has a single NIC, you can attach up to 10 tags. Each tag must be associated with the same VPC network used by the VM's single NIC.
    • If a VM has two NICs, you can attach up to 10 tags associated with the VPC network used by nic0 and up to 10 tags associated with the VPC network used by nic1.
  • Firewall support: Only network firewall policies, including regional firewall policies, support tags. Neither hierarchical firewall policies nor VPC firewall rules support tags.
  • VPC Network Peering support: Network firewall policy rules that apply to a VPC network also apply to a VPC network that is connected by using VPC Network Peering.
    • Service providers who publish services using private services access can let their customers control which of their VM instances are allowed to access a service offered by the provider.
  • Tags, targets, and sources: Tags use the VM's network interface as an identity of the sender or recipient:

Example

To represent the different functions of VM instances in a network, a tag administrator can create a tag with a vm-function key and a list of possible values such as database, app-client, and app-server. The tag administrator can choose any name for either the tag key or its values.

For more details about creating and using tags, see Creating and managing tags.
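The binding rules from the Specifications (at most 10 tags per NIC, and each tag scoped to the NIC's VPC network), checked in code. This is an added example, not Google's code; it reuses the vm-function key from the Example section, and the VPC network and NIC names are constructed.

```python
"""Check Resource Manager tag bindings against the per-NIC rules above.
Added example, not Google's code: at most 10 tags per NIC, and each tag must
be scoped to that NIC's VPC network. Network and NIC names are constructed."""
from dataclasses import dataclass, field

MAX_TAGS_PER_NIC = 10  # limit stated in the Specifications

@dataclass(frozen=True)
class TagValue:
    key: str      # tag key, e.g. "vm-function"
    value: str    # tag value, e.g. "database"
    network: str  # VPC network the tag key was associated with at creation

@dataclass
class Nic:
    name: str     # "nic0", "nic1", ...
    network: str  # VPC network this interface is attached to
    tags: list = field(default_factory=list)

def bind_tag(nic: Nic, tag: TagValue) -> None:
    """Attach a tag to a NIC, rejecting scope mismatches and over-limit binds."""
    if tag.network != nic.network:
        raise ValueError(f"{tag.key}={tag.value} is scoped to {tag.network}, "
                         f"but {nic.name} is in {nic.network}")
    if len(nic.tags) >= MAX_TAGS_PER_NIC:
        raise ValueError(f"{nic.name} already has {MAX_TAGS_PER_NIC} tags")
    nic.tags.append(tag)

def demo():
    """Bind tags to a constructed two-NIC VM; return bindings and rejections."""
    nic0, nic1 = Nic("nic0", "prod-vpc"), Nic("nic1", "mgmt-vpc")
    bind_tag(nic0, TagValue("vm-function", "database", "prod-vpc"))
    bind_tag(nic1, TagValue("vm-function", "app-client", "mgmt-vpc"))
    rejected = []
    try:  # a prod-vpc tag cannot be attached to the mgmt-vpc interface
        bind_tag(nic1, TagValue("vm-function", "app-server", "prod-vpc"))
    except ValueError as exc:
        rejected.append(str(exc))
    for i in range(MAX_TAGS_PER_NIC):  # nine more fit on nic0, the last one fails
        try:
            bind_tag(nic0, TagValue(f"env{i}", "v", "prod-vpc"))
        except ValueError as exc:
            rejected.append(str(exc))
    bound = {n.name: [f"{t.key}={t.value}" for t in n.tags] for n in (nic0, nic1)}
    return bound, rejected
```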

Comparison of Resource Manager tags and network tags

The following table summarizes the differences between Resource Manager tags and network tags.

Attribute: Parent resource
  • Resource Manager tags: Organization
  • Network tags: Project
Attribute: Structure and format
  • Resource Manager tags: Key with up to 1000 values
  • Network tags: Simple string
Attribute: Access control
  • Resource Manager tags: Using IAM
  • Network tags: No access controls
Attribute: Instance binding
  • Resource Manager tags: Per network interface (single VPC network)
  • Network tags: All network interfaces
Attribute: Supported by hierarchical firewall policies
  • Resource Manager tags: No
  • Network tags: No
Attribute: Supported by network firewall policies
  • Resource Manager tags: Yes
  • Network tags: No
Attribute: Supported by VPC firewall rules
  • Resource Manager tags: No
  • Network tags: Yes
Attribute: VPC Network Peering
  • Resource Manager tags:
    • When used to specify a source for an ingress rule in a network firewall policy, a Resource Manager tag can identify sources in both the VPC network to which the tag is scoped and any peer VPC networks connected to that VPC network.
    • When used to specify a target for an ingress or egress rule in a network firewall policy, a Resource Manager tag can only identify targets in the VPC network to which the tag is scoped.
  • Network tags:
    • When used to specify a source for an ingress VPC firewall rule, a network tag only identifies sources within the VPC network specified in the VPC firewall rule.
    • When used to specify a target for an ingress or egress VPC firewall rule, a network tag only identifies targets within the VPC network specified in the VPC firewall rule.

Translating tags to IP addresses

The following table describes how network firewall policies with rules that use Resource Manager tags and VPC firewall rules that use network tags translate the tags to IP addresses for ingress and egress rules.

Firewall configuration: Network firewall policy with ingress rule that uses target tags (--target-secure-tags), or VPC ingress firewall rule that uses target tags (--target-tags)
IP address translation: The ingress rule's target defines the destination for packets arriving on the VM to which the firewall rule applies. The packet destinations must match one of the following IP addresses:
  • The primary internal IPv4 address assigned to the instance's NIC
  • Any configured alias IP ranges on the instance's NIC
  • If defined, the external IPv4 address that's associated with the instance's NIC
  • If IPv6 is configured on the subnet, any of the IPv6 addresses assigned to the NIC
  • An internal or external IP address associated with a forwarding rule used for pass-through load balancing, where the instance is a backend for an internal TCP/UDP load balancer or a network load balancer
  • An internal or external IP address associated with a forwarding rule used for protocol forwarding, where the instance is referenced by a target instance
  • An IP address within the destination range of a custom static route that uses the instance as a next hop VM (next-hop-instance or next-hop-address)
  • An IP address within the destination range of a custom static route that uses an internal TCP/UDP load balancer (next-hop-ilb) next hop, if the VM is a backend for that load balancer

Firewall configuration: Network firewall policy with egress rule that uses target tags (--target-secure-tags), or VPC firewall egress rule that uses target tags (--target-tags)
IP address translation: The egress rule's target defines the source for packets leaving the VM to which the firewall rule applies. Allowed sources depend on whether IP forwarding is enabled or disabled.
  • By default, IP forwarding is disabled. An egress firewall rule takes effect on packets whose sources match any of the following:
    • The primary internal IPv4 address of an instance's NIC
    • Any configured alias IP range on an instance's NIC
    • If IPv6 is configured on the subnet, any of the IPv6 addresses assigned to the NIC
    • An internal or external IP address associated with a forwarding rule, for pass-through load balancing or protocol forwarding, if the instance is a backend for an internal TCP/UDP load balancer or a network load balancer, or is referenced by a target instance
  • When IP forwarding is enabled, the VM is permitted to send packets with any source.

Firewall configuration: Network firewall policy with ingress rule that uses source tags (--source-secure-tags)
IP address translation: Source IP addresses for packets arriving on the network interface of a target VM can come from any IP address used by the sending VM.
  • If the sending VM has IP forwarding disabled, source IP addresses for packets arriving on the network interface of a target VM are limited to the following:
    • The primary internal IPv4 address of the sending VM's NIC
    • Any IP address from an alias IP range on the sending VM's NIC
    • If IPv6 is configured on the subnet, any of the IPv6 addresses assigned to the sending VM's NIC
    • An internal or external IP address associated with a forwarding rule, for pass-through load balancing or protocol forwarding, if the sending VM is a backend for an internal TCP/UDP load balancer or a network load balancer, or is referenced by a target instance
  • When IP forwarding is enabled on the sending VM, source IP addresses for packets arriving on the network interface of a target VM can be any IP address.

Firewall configuration: VPC ingress firewall rule that uses source tags (--source-tags)
IP address translation: Source IP addresses for packets arriving on the network interface of a target VM must match either:
  • The primary internal IPv4 address of the sending VM's NIC in the VPC network
  • Any IPv6 addresses assigned to the sending VM's NIC in the VPC network
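The source-tag rows of the table above, modelled in code so the difference between a Resource Manager tag source and a network tag source, and the effect of IP forwarding on the sending VM, can be checked against concrete addresses. This is an added example, not Google's code; all NIC addresses are constructed.

```python
"""Model the source-address rules from the table above for source-tag rules.
Added example, not Google's code. It shows which source IPs an ingress rule
matches when its source is a Resource Manager tag (network firewall policy)
versus a network tag (VPC firewall rule). All NIC addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SendingNic:
    primary_ipv4: str
    alias_ranges: list = field(default_factory=list)         # CIDR strings
    ipv6_addresses: list = field(default_factory=list)
    forwarding_rule_ips: list = field(default_factory=list)  # ILB/NLB/target-instance VIPs
    ip_forwarding: bool = False

def source_networks(nic: SendingNic, tag_kind: str):
    """Networks a source-tag rule matches for packets from this NIC; None means any.
    tag_kind: "resource-manager" (--source-secure-tags) or "network" (--source-tags)."""
    nets = [ipaddress.ip_network(nic.primary_ipv4)]
    nets += [ipaddress.ip_network(a) for a in nic.ipv6_addresses]
    if tag_kind == "network":
        return nets  # network tags: primary internal IPv4 and IPv6 only
    if tag_kind != "resource-manager":
        raise ValueError(f"unknown tag kind: {tag_kind}")
    if nic.ip_forwarding:
        return None  # sender may emit packets with any source address
    nets += [ipaddress.ip_network(a) for a in nic.alias_ranges]
    nets += [ipaddress.ip_network(a) for a in nic.forwarding_rule_ips]
    return nets

def source_matches(nic: SendingNic, tag_kind: str, src_ip: str) -> bool:
    """True if a packet with src_ip sent from this NIC is matched by the rule."""
    nets = source_networks(nic, tag_kind)
    if nets is None:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any(ip in n for n in nets)  # v4 address never matches a v6 network

def demo():
    # Constructed sender: primary 10.0.1.5, alias 10.0.8.0/24, IPv6, ILB VIP 10.0.2.100
    nic = SendingNic("10.0.1.5", ["10.0.8.0/24"], ["fd20::1"], ["10.0.2.100"])
    results = {
        "alias_ip/rm_tag": source_matches(nic, "resource-manager", "10.0.8.42"),
        "alias_ip/network_tag": source_matches(nic, "network", "10.0.8.42"),
        "foreign_ip/rm_tag": source_matches(nic, "resource-manager", "192.0.2.9"),
    }
    nic.ip_forwarding = True  # now every source address satisfies the RM tag rule
    results["foreign_ip/rm_tag/forwarding"] = source_matches(nic, "resource-manager", "192.0.2.9")
    return results
```

The last result is the one worth reviewing in a policy audit: a source-tag rule on a network firewall policy stops constraining the source address once the tagged sender has IP forwarding enabled.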

IAM roles

To create and manage tag keys and tag values, you need the Tag Administrator role or a custom role with equivalent permissions. For more information, see Administer tags.

To manage tags on a VM, you need both of the following:

  • Permissions to use the specific tag
  • Permissions to manage the tag on a specific VM

Task: Use a tag
  • Permission: the following permissions for the specific tag:
    • resourcemanager.tagValueBindings.create
    • resourcemanager.tagValueBindings.delete
  • Role: grant the Tag User role on the specific tag.
Task: Manage a tag on a VM
  • Permission: the following permissions for the specific VM:
    • compute.instances.createTagBinding
    • compute.instances.deleteTagBinding
  • Role: grant one of the following roles on the specific VM. Many roles include the required permissions, including the following:
    • Tag User
    • Compute Instance Admin (v1)
    • Compute Admin

For more information about permissions for tags, see Manage tags on resources. For more information about which roles include specific IAM permissions, see IAM permissions reference.