Use regional network firewall policies and rules

This page assumes that you are familiar with the concepts described in the Regional network firewall policies overview.

Firewall policy tasks

Create a regional network firewall policy

You can create a policy for any VPC network within your project. After you create a policy, you can associate it with any VPC network within your project. After it's associated, the policy's rules become active for VMs under the associated network.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.regionFirewallPolicies.create

Roles

compute.securityAdmin on the project where you want to create the policy

Console

In the Google Cloud console, go to the Firewall page.

Go to the Firewall page
In the project selector pull-down menu, select your project within your organization.
Click Create network firewall policy.
Give the policy a Name.
Under Deployment scope, select Regional.
If you want to create rules for your policy, click Continue, and then click Add rule.

For details, see Creating firewall rules.
If you want to associate the policy with a network, click Continue, and then click Associate.

For details, see Associating a policy with a VPC network.
Click Create.

gcloud

gcloud compute network-firewall-policies create \
    NETWORK_FIREWALL_POLICY_NAME
    --description DESCRIPTION \
    --region=REGION_NAME

Replace the following:

NETWORK_FIREWALL_POLICY_NAME: a name for the policy.
DESCRIPTION: a description for the policy.
REGION_NAME: a region you want to apply to the policy.

Associate a policy with the network

Associate a policy with a network to activate the policy rules for any VMs within that network.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.regionFirewallPolicies.use on the firewall policy

Roles

compute.securityAdmin

Console

In the Google Cloud console, go to the Firewall page.

Go to the Firewall page
In the project selector pull-down menu, select your project that contains your policy.
Click your policy.
Click the Associated with tab.
Click Associate.
Select the networks within the project.
Click Associate.

gcloud

gcloud compute network-firewall-policies associations create \
    --firewall-policy POLICY_NAME \
    --network NETWORK_NAME \
    --name ASSOCIATION_NAME  \
    --firewall-policy-region=REGION_NAME
    [ --replace-association-on-target true ]

Replace the following:

POLICY_NAME: either the short name or the system-generated name of the policy
NETWORK_NAME: the name of your network
ASSOCIATION_NAME: an optional name for the association; if unspecified, the name is set to "organization ORG_ID" or "folder FOLDER_ID"
REGION_NAME: a region to apply the policy

Describe a regional network firewall policy

You can see all the details of a policy, including all its firewall rules. In addition, you can see many attributes that are in all the rules in the policy. These attributes count toward a per-policy limit.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.regionFirewallPolicies.get

Roles

compute.networkAdmin

compute.securityAdmin on the project

Console

In the Google Cloud console, go to the Firewall page.

Go to the Firewall page
In the project selector pull-down menu, select your project that contains the network firewall policy.
Click your policy.

gcloud

gcloud compute firewall-policies describe POLICY_NAME \
    --region=REGION_NAME

Update a regional network firewall policy description

The only policy field that can be updated is the Description field.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.regionFirewallPolicies.update

Roles

compute.networkAdmin or
compute.securityAdmin on the project where the policy lives or on the policy itself

Console

In the Google Cloud console, go to the Firewall page.

Go to the Firewall page
In the project selector pull-down menu, select your organization ID or the folder that contains the policy.
Click Edit.
Modify the Description.
Click Save.

gcloud

gcloud compute network-firewall-policies update POLICY_NAME \
    --description DESCRIPTION \
    --region=REGION_NAME

List regional network firewall policies

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.regionFirewallPolicies.list

Roles

compute.securityAdmin

compute.networkAdmin

Console

In the Google Cloud console, go to the Firewall page.

Go to the Firewall page
In the project selector pull-down menu, select your project that contains the policy.

The Network firewall policies section shows the policies available in your project.

gcloud

gcloud compute network-firewall-policies list
       --regions=LIST_OF_REGIONS

Delete a regional network firewall policy

You must delete all associations on a network firewall policy before you can delete it.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.regionFirewallPolicies.delete

Roles

compute.securityAdmin

Console

In the Google Cloud console, go to the Firewall page.

Go to the Firewall page
In the project selector pull-down menu, select your project that contains the policy.
Click the policy that you want to delete.
Click the Associated with tab.
Select all associations.
Click Remove.
After all associations are removed, click Delete.

gcloud

List all networks associated with a firewall policy:

gcloud compute network-firewall-policies describe POLICY_NAME \
    --region=REGION_NAME

Delete individual associations. To remove the association, you must have the compute.SecurityAdmin role on the associated VPC network.

gcloud compute network-firewall-policies associations delete \
    --network-firewall-policy POLICY_NAME \
    --firewall-policy-region=REGION_NAME

Delete the policy:

gcloud compute network-firewall-policies delete POLICY_NAME
--region=REGION_NAME

Delete an association

To stop enforcement of a firewall policy on a network, delete the association.

However, if you intend to swap out one firewall policy for another, it is not necessary to delete the existing association first. Doing so would leave a period of time where neither policy is enforced. Instead, replace the existing policy when you associate a new policy.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.regionFirewallPolicies.use

Roles

compute.securityAdmin

Console

In the Google Cloud console, go to the Firewall page.

Go to the Firewall page
In the project selector pull-down menu, select your project or the folder that contains the policy.
Click your policy.
Click the Associations tab.
Select the association that you want to delete.
Click Remove.

gcloud

gcloud compute network-firewall-policies associations delete ASSOCIATION_NAME \
    --firewall-policy POLICY_NAME \
    --firewall-policy-region REGION_NAME

Firewall policy rule tasks

Create network firewall rules

Network firewall policy rules must be created in a regional network firewall policy. The rules are not active until you associate the containing policy to a VPC network.

Each network firewall policy rule can include either IPv4 or IPv6 ranges, but not both.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.regionFirewallPolicies.update

Roles

compute.securityAdmin on the network containing the policy or on the policy itself

Console

In the Google Cloud console, go to the Firewall page.

Go to Firewall
In the project selector pull-down menu, select your project that contains your policy.
Click the name of your policy.
Under Deployment scope, select Regional.
Click Add rule.
Populate the rule fields:
1. Priority: the numeric evaluation order of the rule. The rules are evaluated from highest to lowest priority where 0 is the highest priority. Priorities must be unique for each rule. A good practice is to give rules priority numbers that allow later insertion (such as 100, 200, 300).
2. Set Logs collection to On or Off.
3. For the Direction of traffic, choose ingress or egress.
4. Under Action on match, specify whether connections that match the rule are allowed (Allow), denied (Deny), or whether the evaluation of the connection is passed to the next lower firewall rule in the hierarchy (Go to next).
5. For the Direction of traffic, choose ingress or egress.
6. Specify the Targets of the rule.
  - If you want the rule to apply to all instances in the network, choose All instances in the network.
  - If you want the rule to apply to select instances by secure tags, choose Secure tags. Click Add tags, and then type the tag values to which the rule should apply into the Tag values field.
  - If you want the rule to apply to select instances by an associated service account, choose Service account, indicate whether the service account is in the current project or another one under Service account scope, and choose or type the service account name in the Target service account field.
7. For an ingress rule, specify the Source filter:
  - Choose IP ranges, and then type the CIDR blocks into the Source IP ranges field to define the source for incoming traffic by IP address ranges. Use 0.0.0.0/0 for a source from any network.
  - To limit sources by network tag, choose Source tags, and then type the network tags into the Source tags field. For the limit on the number of source tags, see Per network limits. Filtering by source tag is only available if the target is not specified by a service account. For more information, see filtering by service account versus network tag.
  - To limit sources by service account, choose Service account, indicate whether the service account is in the current project or another one under Service account scope, and then choose or type the service account name in the Source service account field. Filtering by source service account is only available if the target is not specified by a network tag. For more information, see filtering by service account versus network tag.
  - Specify a Second source filter if desired. Secondary source filters cannot use the same filter criteria as the primary one. Source IP ranges can be used together with Source tags or Source service account. The effective source set is the union of the source range IP addresses and the instances identified by network tags or service accounts. That is, if either the source IP range or the source tags (or source service accounts) match the filter criteria, the source is included in the effective source set.
  - Source tags and Source service account can't be used together.
8. For an egress rule, specify the Destination filter:
  - Choose IP ranges, and then type the CIDR blocks into the Destination IP ranges field to define the destination for outgoing traffic by IP address ranges. Use 0.0.0.0/0 to mean everywhere.
9. Optional: If you are creating an Ingress rule, specify the source FQDNs that this rule applies to. If you are creating an Egress rule, select the destination FQDNs that this rule applies to. For more information about domain name objects, see Domain name objects.
10. Optional: If you are creating an Ingress rule, select the source Geolocations that this rule applies to. If you are creating an Egress rule, select the destination Geolocations that this rule applies to. For more information about geo-location objects, see Geo-location objects.
11. Optional: If you are creating an Ingress rule, select the source Network Threat Intelligence lists that this rule applies to. If you are creating an Egress rule, select the destination Network Threat Intelligence lists that this rule applies to. For more information about Threat Intelligence, see Threat Intelligence for firewall policy rules.
12. Under Protocols and ports, either specify that the rule applies to all protocols and all destination ports or specify to which protocols and destination ports it applies.
13. Click Create.
Click Add rule to add another rule. Click Continue > Associate to associate the policy with a network, or click Create to create the policy.

gcloud

gcloud compute network-firewall-policies rules create PRIORITY \
    --action ACTION \
    --firewall-policy POLICY_NAME \
    [--description DESCRIPTION ]\
    [--layer4-configs PROTOCOL_PORT] \
    [--target-secure-tags TARGET_SECURE_TAG[,TARGET_SECURE_TAG,...]] \
    [--target-service-accounts=SERVICE_ACCOUNT[,SERVICE_ACCOUNT,...]] \
    [--direction DIRECTION]\
    [--src-ip-ranges IP_RANGES] \
    [--src-secure-tags SRC_SECURE_TAG[,SRC_SECURE_TAG,...]] \
    [--dest-ip-ranges IP_RANGES] \
    [--src-region-codes COUNTRY_CODE,[COUNTRY_CODE,...]] \
    [--dest-region-codes COUNTRY_CODE,[COUNTRY_CODE,...]] \
    [--src-threat-intelligence LIST_NAMES[,LIST_NAME,...]] \
    [--dest-threat-intelligence LIST_NAMES[,LIST_NAME,...]] \
    [--src-address-groups ADDR_GRP_URL[,ADDR_GRP_URL,...]] \
    [--dest-address-groups ADDR_GRP_URL[,ADDR_GRP_URLL,...]] \
    [--dest-fqdns DOMAIN_NAME[,DOMAIN_NAME,...]]
    [--src-fqdns DOMAIN_NAME[,DOMAIN_NAME,...]]
    [--enable-logging | --no-enable-logging]\
    [--disabled | --no-disabled]\
    --firewall-policy-region=REGION_NAME

Replace the following:

PRIORITY: the numeric evaluation order of the rule

The rules are evaluated from highest to lowest priority, where 0 is the highest priority. Priorities must be unique for each rule. A good practice is to give rules priority numbers that allow later insertion (such as 100, 200, 300).
ACTION: one of the following actions:
- allow: allows connections that match the rule
- deny: denies connections that match the rule
- goto_next: passes connection evaluation to the next level in the hierarchy, either a folder or the network
POLICY_NAME: the name of the network firewall policy
PROTOCOL_PORT: a comma-separated list of protocol names or numbers (tcp,17), protocols and destination ports (tcp:80), or protocols and destination port ranges (tcp:5000-6000)

You cannot specify a port or port range without a protocol. For ICMP, you cannot specify a port or port range—for example:
--layer4-configs tcp:80,tcp:443,udp:4000-5000,icmp

For more information, see protocols and ports.
TARGET_SECURE_TAG: a comma-separated list of secure tags to define targets
SERVICE_ACCOUNT: a comma-separated list of service accounts to define targets
DIRECTION: indicates whether the rule is an ingress or egressrule; the default is ingress
- Include --src-ip-ranges to specify IP ranges for the source of traffic
- Include --dest-ip-ranges to specify IP ranges for the destination of traffic
For more information, see targets, source, and destination.
IP_RANGES: a comma-separated list of CIDR-formatted IP ranges, either all IPv4 ranges or all IPv6 ranges—examples:
--src-ip-ranges=10.100.0.1/32,10.200.0.0/24
--src-ip-ranges=2001:0db8:1562::/96,2001:0db8:1723::/96
SRC_SECURE_TAG: a comma-separated list of Tags
COUNTRY_CODE: a comma-separated list of two-letter country codes
- For the ingress direction, specify the source country codes in the --src-region-code parameter; you cannot use the --src-region-code parameter for the egress direction
- For the egress direction, specify the destination country codes in the --dest-region-code parameter; you cannot use the --dest-region-code parameter for the ingress direction
LIST_NAMES: a comma-separated names of Threat Intelligence lists
- For the ingress direction, specify the source Threat Intelligence lists in the --src-threat-intelligence parameter; you cannot use the --src-threat-intelligence parameter for the egress direction
- For the egress direction, specify the destination Threat Intelligence lists in the --dest-threat-intelligence parameter; you cannot use the --dest-threat-intelligence parameter for the ingress direction
ADDR_GRP_URL: a unique URL identifier for the address group
- For the ingress direction, specify the source address groups in the --src-address-groups parameter; you cannot use the --src-address-groups parameter for the egress direction
- For the egress direction, specify the destination address groups in the --dest-address-groups parameter; you cannot use the --dest-address-groups parameter for the ingress direction
DOMAIN_NAME: a comma-separated list of domain names in the format described in Domain name format
- For the ingress direction, specify the source domain names in the --src-fqdns parameter; you cannot use the --src-fqdns parameter for the egress direction
- For the egress direction, specify the destination address groups in the --dest-fqdns parameter; you cannot use the --dest-fqdns parameter for the ingress direction
--enable-logging and --no-enable-logging: enables or disables Firewall Rules Logging for the given rule
--disabled: indicates that the firewall rule, although it exists, is not to be considered when processing connections; omitting this flag enables the rule, or you can specify --no-disabled
REGION_NAME: a region to apply the policy

Update a rule

For field descriptions, see Creating firewall rules.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.regionFirewallPolicies.update

Roles

compute.securityAdmin

Console

In the Google Cloud console, go to the Firewall page.

Go to the Firewall page
In the project selector pull-down menu, select your project that contains the policy.
Click your policy.
Click the priority of the rule.
Click Edit.
Modify the fields that you want to change.
Click Save.

gcloud

gcloud compute network-firewall-policies rules update RULE_NAME \
    --firewall-policy POLICY_NAME \
    --firewall-policy-region=REGION_NAME \
    [...fields you want to modify...]

Describe a rule

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.regionFirewallPolicies.update

Roles

compute.securityAdmin

compute.networkAdmin

Console

In the Google Cloud console, go to the Firewall page.

Go to the Firewall page
In the project selector pull-down menu, select your project that contains the policy.
Click your policy.
Click the priority of the rule.

gcloud

gcloud compute network-firewall-policies rules describe PRIORITY \
    --firewall-policy POLICY_NAME \
    --firewall-policy-region=REGION_NAME

Replace the following:

PRIORITY: the priority of the rule that you want to view; because each rule must have a unique priority, this setting uniquely identifies a rule
POLICY_NAME: the name of the policy that contains the rule
REGION_NAME: a region to apply the policy.

Delete a rule from a policy

Deleting a rule from a policy removes the rule from all VMs that are inheriting the rule.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.regionFirewallPolicies.update

Roles

compute.securityAdmin on the project hosting the policy or on the policy itself

Console

In the Google Cloud console, go to the Firewall page.

Go to the Firewall page
In the project selector pull-down menu, select your project that contains the policy.
Click your policy.
Select the rule that you want to delete.
Click Delete.

gcloud

gcloud compute network-firewall-policies rules delete PRIORITY \
    --firewall-policy POLICY_NAME \
    --firewall-policy-region=REGION_NAME

Replace the following:

PRIORITY: the priority of the rule that you want to delete from the policy
POLICY_NAME: the policy containing the rule
REGION_NAME: a region to apply the policy

Clone rules from one policy to another

Remove all rules from the target policy and replace them with the rules in the source policy.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.regionFirewallPolicies.cloneRules

Roles

compute.securityAdmin on the project or on the policies themselves

Console

In the Google Cloud console, go to the Firewall page.

Go to the Firewall page
In the project selector pull-down menu, select your project that contains the policy.
Click the policy that you want to copy rules from.
Click Clone at the top of the screen.
Provide the name of a target policy.
Click Continue > Associate if you want to associate the new policy immediately.
Click Clone.

gcloud

gcloud compute network-firewall-policies clone-rules POLICY_NAME \
    --source-firewall-policy SOURCE_POLICY \
    --region=REGION_NAME

Replace the following:

POLICY_NAME: the policy to receive the copied rules
SOURCE_POLICY: the policy to copy the rules from; must be the URL of the resource
REGION_NAME: a region to apply the policy

Get effective regional network firewall policies

You can view all hierarchical firewall policy rules, VPC firewall rules, and the network firewall policy applied to a specified region.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.networks.getEffectiveFirewalls on the network

Roles

compute.securityAdmin
compute.viewer
compute.networkUser
compute.networkViewer

gcloud

gcloud compute network-firewall-policies get-effective-firewalls \
        --region=REGION_NAME \
        --network=NETWORK_NAME

Replace the following:

REGION_NAME: the region for which you want to view the effective rules.
NETWORK_NAME: the network for which you want to view the effective rules.