Tags for firewalls

Tags let you define sources and targets in global network firewall policies and regional network firewall policies.

Tags are different from network tags. Network tags are simple strings, not keys and values, and don't offer any kind of access control. For more information about the differences between Tags and network tags and what products support each one, see Comparison of Tags and network tags.

Specifications

Tags have the following specifications:

  • Parent resource: Tags are resources created within an organization or project resource. When you create a Tag to use in a network firewall policy, you choose which Virtual Private Cloud (VPC) network to associate the Tag with.
  • Structure and format: Tags are resources that contain two components: a key and one or more values.
    • You can create a maximum of 1,000 Tag keys in an organization or a project.
    • Each Tag key can have a maximum of 1,000 Tag values.
  • Access control: Identity and Access Management (IAM) policies determine which IAM principals can create and use Tags. IAM principals with the Tag Administrator role can create Tag definitions. Along with other necessary IAM permissions, granting a principal the Tag User role lets that user use the Tag when they create VMs and apply network firewall policy rules that use the Tag. Granting the Tag User role lets you delegate the assignment of network firewall policies for VMs to application developers, database administrators, or operational teams. For more information about the required permissions, see IAM roles.
  • Binding to VMs: Each Tag can be attached to an unlimited number of VM instances. You can attach a maximum of 10 Tags per network interface (NIC) of a VM. For example:
    • If a VM has a single NIC, you can attach up to 10 Tags. Each Tag must be associated with the same VPC network used by the VM's single NIC.
    • If a VM has two NICs, you can attach up to 10 Tags associated with the VPC network used by nic0 and up to 10 Tags associated with the VPC network used by nic1.
  • Firewall support: Only network firewall policies, including regional firewall policies, support Tags. Neither hierarchical firewall policies nor VPC firewall rules support Tags.
  • VPC Network Peering support: Ingress rules in a network firewall policy can identify sources in both the same VPC network and peered VPC networks.
    • Service providers who publish services using private services access can let their customers control which of their VM instances are allowed to access a service offered by the provider.
  • Tags, targets, and sources: Tags use the VM's network interface as an identity of the sender or recipient:
    • For ingress and egress rules in network firewall policies, you can use the --target-secure-tags parameter to specify the VM instances to which the rule applies. For ingress rules, the target defines the destination; for egress rules, the target defines the source. For more information, see Targets.
    • For ingress rules in network firewall policies, you can use Tags to specify sources with the --src-secure-tags parameter. To learn more about Tags in source parameters of ingress rules, see How source secure tags imply packet sources.

Example

To represent the different functions of VM instances in a network, a Tag administrator can create a Tag with a vm-function key and a list of possible values like database, app-client, and app-server. The Tag administrator can choose any name for either the Tag key and its values.

For more details about creating and using Tags, see Creating and managing tags.

Comparison of Tags and network tags

The following table summarizes the differences between Tags and network tags.

Attribute Tags Network tags
Parent resource Organization or project Project
Structure and format Key with up to 1,000 values Simple string
Access control Using IAM No access controls
Instance binding Per network interface (single VPC network) All network interfaces
Supported by hierarchical firewall policies
Supported by network firewall policies
Supported by VPC firewall rules
VPC Network Peering
  • When used to specify a source for an ingress rule in a network firewall policy, a Tag can identify sources in both the VPC network to which the Tag is scoped and any peer VPC networks connected to the VPC network to which the Tag is scoped.
  • When used to specify a target for an ingress or egress rule in a network firewall policy, a Tag can only identify targets in the VPC network to which the Tag is scoped.
  • When used to specify a source for an ingress VPC firewall rule, a network tag only identifies sources within the VPC network specified in the VPC firewall rule.
  • When used to specify a target for an ingress or egress VPC firewall rule, a network tag only identifies targets within the VPC network specified in the VPC firewall rule.

IAM roles

To create and manage Tag keys and Tag values, you need the Tag Administrator role or a custom role with equivalent permissions. For more information, see Administer tags.

To manage Tags on a VM, you need both of the following:

  • Permissions to use the specific Tag
  • Permissions to manage the Tag on a specific VM
Task Permission Role
Use a Tag The following permissions for the specific Tag:
  • resourcemanager.tagValueBindings.create
  • resourcemanager.tagValueBindings.delete
Grant the Tag User role on the specific Tag.
Manage a Tag on a VM The following permissions for the specific VM:
  • compute.instances.createTagBinding
  • compute.instances.deleteTagBinding
Grant one of the following roles on the specific VM.

Many roles include the required permissions, including the following:

  • Tag User
  • Compute Instance Admin (v1)
  • Compute Admin

For more information about permissions for Tags, see Manage Tags on resources. For more information about which roles include specific IAM permissions, see IAM permissions reference.

What's next