Use Tags for firewalls

Create Tags before you try to bind them to resources or use them in network firewall policies. To control network access, Tags are only effective when bound to VM instances.

For an overview, see Tags for firewalls.

Grant permissions to Tags

The tagAdmin role lets you create new Tags or update and delete existing Tags. An organization administrator can grant this role at the organization level, and a project owner can grant it at the project level.

gcloud

Grant the tagAdmin role to the user.

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
   --member=user:EMAIL_ADDRESS \
   --role=roles/resourcemanager.tagAdmin

Replace the following:

ORGANIZATION_ID: your organization's ID
EMAIL_ADDRESS: the email address of the user

Grant the tagUser role to the user.

gcloud resource-manager tags keys add-iam-policy-binding ORGANIZATION_ID/TAG_KEY \
   --member=user:EMAIL_ADDRESS \
   --role=roles/resourcemanager.tagUser

Replace the following:

ORGANIZATION_ID: your organization's ID
TAG_KEY: the Tag key
EMAIL_ADDRESS: the email address of the user

Custom roles to manage Tags

The tagAdmin role lets you perform the following actions: create new Tags, update, and delete existing Tags. If you need a few of these capabilities, you can create a custom IAM role with the relevant permissions and then grant the new role to the target user. For the list of relevant permissions, see IAM permissions.

Tags used in firewall policies must be designated with a GCE_FIREWALL purpose. While the GCE_FIREWALL purpose is required for the Tag to be used in networking features, you can use the Tag for other actions.

Tags used in network firewall policies must have a scope limited to a single VPC.

Create the Tag keys and values

Before associating Tags to network firewall policies, you must create the Tag keys and values.

gcloud

After getting the required permissions, create the Tag key.
```
gcloud resource-manager tags keys create TAG_KEY \
   --parent organizations/ORGANIZATION_ID \
   --purpose GCE_FIREWALL \
   --purpose-data network=PROJECT_ID/NETWORK
```
Replace the following:
- TAG_KEY: the Tag key
- ORGANIZATION_ID: your organization's ID
- PROJECT_ID: your project's ID
- NETWORK: the name of your network
Add the relevant Tag values to the Tag keys. Run the command multiple times to add multiple values. Make sure that each Tag value added to the Tag key is unique.
```
gcloud resource-manager tags values create TAG_VALUE \
   --parent ORGANIZATION_ID/TAG_KEY
```
Replace the following:
- ORGANIZATION_ID: your organization's ID
- TAG_KEY: the Tag key
- TAG_VALUE: the value to assign to the Tag key

Create a network firewall policy

After creating a Tag, you can use it in network firewall policies. If you don't have an existing network firewall policy, create a new one.

gcloud

Create a network firewall policy.
```
gcloud compute network-firewall-policies create \
   FIREWALL_POLICY_NAME \
   --global
```
Replace the following:
- FIREWALL_POLICY_NAME: the name of the new network global network firewall policy

Create a firewall policy rule with Tags

After creating a Tag and a network firewall policy, you can create a network firewall policy rule with the specific source tag values and target tag values to allow the desired traffic between the VMs with the source tags and destination tags.

gcloud

Create a network firewall policy rule with the specific source and target keys and values.
```
gcloud compute network-firewall-policies rules create 1 \
    --firewall-policy FIREWALL_POLICY_NAME \
    --src-secure-tags ORGANIZATION_ID/TAG_KEY/TAG_VALUE \
    --target-secure-tags ORGANIZATION_ID/TAG_KEY/TAG_VALUE \
    --direction DIRECTION \
    --action ACTION \
    --layer4-configs tcp:PORT \
    --global-firewall-policy
```
Replace the following:
- FIREWALL_POLICY_NAME: the name of the new network global network firewall policy
- ORGANIZATION_ID: your organization's ID
- TAG_KEY: the Tag key
- TAG_VALUE: the value to assign to the Tag key
- DIRECTION: indicates whether the rule is an ingress or egress rule
- ACTION: one of the following actions:
  - allow: allows connections that match the rule
  - deny: denies connections that match the rule
  - goto_next: passes connection evaluation to the next level in the hierarchy, either a folder or the network
- PORT: the port number to access the resource

Bind Tags to VM instances

Tag administrators can bind the Tags to individual VM instances.

Binding a Tag to a resource attaches a Tag value to a resource. Although a Tag can have multiple values for a given key, you can bind only a single value per Tag key to a resource. For example, you cannot bind both web-backend and mysql Tag values to the same VM instance because they belong to the same tag-key vm-function.

For example, Sasha, a developer, wants to set up an application that consists of an API backend and a backing database store. To allow traffic between the backend and the database server, Sasha needs to bind the web-backend and mysql Tag values to different VMs.

gcloud

Grant the tagUser role.
```
gcloud resource-manager tags keys add-iam-policy-binding ORGANIZATION_ID/TAG_KEY \
   --member=user:EMAIL_ADDRESS \
   --role=roles/resourcemanager.tagUser
```
Replace the following:
- ORGANIZATION_ID: your organization's ID
- TAG_KEY: the Tag key
- EMAIL_ADDRESS: the email address of the user
In this command, the user is granted the use of all current and future values of the key. You can also selectively grant access to only specific values of a Tag, as follows:
```
gcloud resource-manager tags values add-iam-policy-binding ORGANIZATION_ID/TAG_KEY/TAG_VALUE \
   --member=user:EMAIL_ADDRESS \
   --role=roles/resourcemanager.tagUser
```
Replace the following:
- ORGANIZATION_ID: your organization's ID
- TAG_KEY: the Tag key
- TAG_VALUE: the value to assign to the Tag key
- EMAIL_ADDRESS: the email address of the user
Grant the tagUser role on the resources that you want to bind the Tags.
```
gcloud projects add-iam-policy-binding PROJECT_ID \
   --member=user:EMAIL_ADDRESS \
   --role=roles/resourcemanager.tagUser
```
Replace the following:
- PROJECT_ID: the project ID of your project
- EMAIL_ADDRESS: the email address of the user
Get the value of PARENT for the Tag key-value pair:
1. Define the full name prefix for your project and zone:
```
FULL_NAME_PREFIX=//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE/instances/
```
2. Get the VM ID:
```
VM_ID=$(gcloud compute instances describe VM_NAME --zone ZONE--format='value(id)')
```
3. Concatenate the values of FULL_NAME_PREFIX and VM_ID:
```
PARENT="$FULL_NAME_PREFIX$VM_ID"
echo $PARENT
```
Replace the following:
- PROJECT_NUMBER: the number of your project
- ZONE: the zone that the VM is located in
- VM_NAME: the name of the VM that you are working on
List the bindings.
```
gcloud resource-manager tags bindings list \
   --location LOCATION_NAME \
   --parent PARENT
```
Replace the following:
- LOCATION_NAME: the location to which the Tag belongs; here, the VM instance's zone
- PARENT: the full resource name attached to the binding, as derived in the preceding command

Delete and create the bindings.

gcloud resource-manager tags bindings delete \
   --location LOCATION_NAME \
   --tag-value ORGANIZATION_ID/TAG_KEY/TAG_VALUE \
   --parent PARENT

gcloud resource-manager tags bindings create \
   --location LOCATION_NAME \
   --tag-value ORGANIZATION_ID/TAG_KEY/TAG_VALUE \
   --parent PARENT

Replace the following:

LOCATION_NAME: the location to which the Tag belongs
ORGANIZATION_ID: your organization's ID
TAG_KEY: the Tag key
TAG_VALUE: the value of the Tag key
PARENT: the full resource name of the resource to attach to the Tag value

Use Tags across peered networks

You can use Tags in network peering. Perform the following tasks in the specified order to use Tags across two peered networks.

Assign the tagAdmin role to two users: one user in each peer network. An organization administrator grants the tagAdmin roles to users at the organization level, and a project owner can grant it at the project level.
Let the first network user create Tag keys and values in the first network.
Let the second network user create Tag keys and values in the second network.
Grant the required permissions to both users to bind Tags in both networks.
Bind Tags to users and resources in the first network.
Bind Tags to users and resources in the second network.
To the user from the second network, grant tagUser permissions in the first network.
To the user from the first network, grant tagUser permissions in the second network.
Create a firewall policy rule in the first network.
Create a firewall policy rule in the second network.

What's next

For more details about creating Tags, see Creating and managing tags.