Tags let you define sources and targets in global network firewall policies and regional network firewall policies.
Tags are different from network tags. Network tags are simple strings, not keys and values, and don't offer any kind of access control. For more information about the differences between Tags and network tags and what products support each one, see Comparison of Tags and network tags.
Specifications
Tags have the following specifications:
- Parent resource: Tags are resources created within an
organization or
project resource. When
you create a Tag to use in a network firewall policy, you choose which
VPC network to associate the Tag with.
- The VPC networks must belong to a project within an organization. If you do not have an organization, see the organization onboarding guide.
- Structure and format: Tags are resources that contain two components: a
key and one or more values.
- You can create a maximum of 1000 Tag keys in an organization or project.
- Each Tag key can have a maximum of 1000 Tag values.
- Access control: IAM policies determine which IAM principals can create and use Tags. IAM principals with the Tag Administrator role can create Tag definitions. Along with other necessary IAM permissions, granting a principal the Tag User role lets that user use the Tag when they create VMs and apply network firewall policy rules that use the Tag. Granting the Tag User role lets you delegate the assignment of network firewall policies for VMs to application developers, database administrators, or operational teams. For more information about the required permissions, see IAM roles.
- Binding to VMs: Each Tag can be attached to an unlimited number of
VM instances. You can attach a maximum of 10 Tags per network interface (NIC)
of a VM. For example:
- If a VM has a single NIC, you can attach up to 10 Tags. Each Tag must be associated with the same VPC network used by the VM's single NIC.
- If a VM has two NICs, you can attach up to 10 Tags associated with the
VPC network used by
nic0and up to 10 Tags associated with the VPC network used bynic1.
- Firewall support: Only network firewall policies, including regional
firewall policies, support Tags. Neither hierarchical firewall policies
nor VPC firewall rules support Tags.
- VPC firewall rules support network tags. For details, see Comparison of Tags and network tags.
- VPC Network Peering support: Ingress rules in a network firewall
policy can identify sources in both the same VPC network and
peered VPC networks.
- Service providers who publish services using private services access can let their customers control which of their VM instances are allowed to access a service offered by the provider.
- Tags, targets, and sources: Tags use the VM's network interface as an
identity of the sender or recipient:
- For ingress and egress rules in network firewall policies, you can use
the
--target-secure-tagsparameter to specify the VM instances to which the rule applies. For ingress rules, the target defines the destination; for egress rules, the target defines the source. - For ingress rules in network firewall policies, you can use Tags to
specify sources with the
--src-secure-tagsparameter. - For more details, see Translating Tags to IP addresses.
- For ingress and egress rules in network firewall policies, you can use
the
Example
To represent the different functions of VM instances in a network, a Tag administrator can create a Tag with a vm-function key and a list of possible values like database, app-client, and app-server. The Tag administrator can choose any name for either the Tag key and its values.
For more details about creating and using Tags, see Creating and managing tags.
Comparison of Tags and network tags
The following table summarizes the differences between Tags and network tags.
| Attribute | Tags | Network tags |
|---|---|---|
| Parent resource | Organization or project | Project |
| Structure and format | Key with up to 1000 values | Simple string |
| Access control | Using IAM | No access controls |
| Instance binding | Per network interface (single VPC network) | All network interfaces |
| Supported by hierarchical firewall policies | ||
| Supported by network firewall policies | ||
| Supported by VPC firewall rules | ||
| VPC Network Peering |
|
|
Translating secure Tags to IP addresses
For secure tags in target parameters:
For ingress rules, see Targets and IP addresses for ingress rules.
For egress rules, see Targets and IP addresses for egress rules.
For Tags in source parameters of ingress rules, see How source secure tags imply packet sources.
IAM roles
To create and manage Tag keys and Tag values, you need the Tag Administrator role or a custom role with equivalent permissions. For more information, see Administer tags.
To manage Tags on a VM, you need both of the following:
- Permissions to use the specific Tag
- Permissions to manage the Tag on a specific VM
| Task | Permission | Role |
|---|---|---|
| Use a Tag | The following permissions for the specific Tag:
|
Grant the Tag User role on the specific Tag. |
| Manage a Tag on a VM | The following permissions for the specific VM:
|
Grant one of the following roles on the specific VM. Many roles include the required permissions, including the following:
|
For more information about permissions for Tags, see Manage Tags on resources. For more information about which roles include specific IAM permissions, see IAM permissions reference.
What's next
- To grant permissions to Tags and create Tag keys and values, see Use Tags for firewalls.