Create Tags before you try to bind them to resources or use them in network firewall policies. To control network access, Tags are only effective when bound to VM instances.
For an overview, see Tags for firewalls.
Grant permissions to Tags
The tagAdmin role lets you create new Tags or update and delete existing Tags. An organization administrator can grant this role at the organization level, and a project owner can grant it at the project level.
gcloud
Grant the tagAdmin role to the user.
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member=user:EMAIL_ADDRESS \
    --role=roles/resourcemanager.tagAdmin
Replace the following:
- ORGANIZATION_ID: your organization's ID
- EMAIL_ADDRESS: the email address of the user
Grant the tagUser role to the user.
gcloud resource-manager tags keys add-iam-policy-binding ORGANIZATION_ID/TAG_KEY \
    --member=user:EMAIL_ADDRESS \
    --role=roles/resourcemanager.tagUser
Replace the following:
- ORGANIZATION_ID: your organization's ID
- TAG_KEY: the Tag key
- EMAIL_ADDRESS: the email address of the user
Custom roles to manage Tags
The tagAdmin role lets you perform the following actions: create new Tags, and update and delete existing Tags. If you need only some of these capabilities, you can create a custom IAM role with the relevant permissions and then grant the new role to the target user. For the list of relevant permissions, see IAM permissions.
Tags used in firewall policies must be designated with a GCE_FIREWALL purpose. While the GCE_FIREWALL purpose is required for the Tag to be used in networking features, you can use the Tag for other actions.
Tags used in network firewall policies must have a scope limited to a single VPC.
Create the Tag keys and values
Before associating Tags to network firewall policies, you must create the Tag keys and values.
gcloud
After getting the required permissions, create the Tag key.
gcloud resource-manager tags keys create TAG_KEY \
    --parent organizations/ORGANIZATION_ID \
    --purpose GCE_FIREWALL \
    --purpose-data network=PROJECT_ID/NETWORK
Replace the following:
- TAG_KEY: the Tag key
- ORGANIZATION_ID: your organization's ID
- PROJECT_ID: your project's ID
- NETWORK: the name of your network
Add the relevant Tag values to the Tag keys. Run the command multiple times to add multiple values. Make sure that each Tag value added to the Tag key is unique.
gcloud resource-manager tags values create TAG_VALUE \
    --parent ORGANIZATION_ID/TAG_KEY
Replace the following:
- ORGANIZATION_ID: your organization's ID
- TAG_KEY: the Tag key
- TAG_VALUE: the value to assign to the Tag key
Create a network firewall policy
After creating a Tag, you can use it in network firewall policies. If you don't have an existing network firewall policy, create a new one.
gcloud
Create a network firewall policy.
gcloud compute network-firewall-policies create \
    FIREWALL_POLICY_NAME \
    --global
Replace the following:
- FIREWALL_POLICY_NAME: the name of the new global network firewall policy
Create a firewall policy rule with Tags
After creating a Tag and a network firewall policy, you can create a network firewall policy rule with the specific source tag values and target tag values to allow the desired traffic between the VMs with the source tags and destination tags.
gcloud
Create a network firewall policy rule with the specific source and target keys and values.
gcloud compute network-firewall-policies rules create 1 \
    --firewall-policy FIREWALL_POLICY_NAME \
    --src-secure-tags ORGANIZATION_ID/TAG_KEY/TAG_VALUE \
    --target-secure-tags ORGANIZATION_ID/TAG_KEY/TAG_VALUE \
    --direction DIRECTION \
    --action ACTION \
    --layer4-configs tcp:PORT \
    --global-firewall-policy
Replace the following:
- FIREWALL_POLICY_NAME: the name of the new global network firewall policy
- ORGANIZATION_ID: your organization's ID
- TAG_KEY: the Tag key
- TAG_VALUE: the value to assign to the Tag key
- DIRECTION: indicates whether the rule is an ingress or egress rule
- ACTION: one of the following actions:
  - allow: allows connections that match the rule
  - deny: denies connections that match the rule
  - goto_next: passes connection evaluation to the next level in the hierarchy, either a folder or the network
- PORT: the port number to access the resource
Bind Tags to VM instances
Tag administrators can bind the Tags to individual VM instances.
Binding a Tag to a resource attaches a Tag value to a resource. Although a Tag can have multiple values for a given key, you can bind only a single value per Tag key to a resource. For example, you cannot bind both web-backend and mysql Tag values to the same VM instance because they belong to the same tag-key vm-function.
For example, Sasha, a developer, wants to set up an application that consists of an API backend and a backing database store. To allow traffic between the backend and the database server, Sasha needs to bind the web-backend and mysql Tag values to different VMs.
gcloud
Grant the tagUser role.
gcloud resource-manager tags keys add-iam-policy-binding ORGANIZATION_ID/TAG_KEY \
    --member=user:EMAIL_ADDRESS \
    --role=roles/resourcemanager.tagUser
Replace the following:
- ORGANIZATION_ID: your organization's ID
- TAG_KEY: the Tag key
- EMAIL_ADDRESS: the email address of the user
In this command, the user is granted the use of all current and future values of the key. You can also selectively grant access to only specific values of a Tag, as follows:
gcloud resource-manager tags values add-iam-policy-binding ORGANIZATION_ID/TAG_KEY/TAG_VALUE \
    --member=user:EMAIL_ADDRESS \
    --role=roles/resourcemanager.tagUser
Replace the following:
- ORGANIZATION_ID: your organization's ID
- TAG_KEY: the Tag key
- TAG_VALUE: the value to assign to the Tag key
- EMAIL_ADDRESS: the email address of the user
Grant the tagUser role on the resources to which you want to bind the Tags.
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=user:EMAIL_ADDRESS \
    --role=roles/resourcemanager.tagUser
Replace the following:
- PROJECT_ID: the project ID of your project
- EMAIL_ADDRESS: the email address of the user
Get the value of PARENT for the Tag key-value pair:
Define the full name prefix for your project and zone:
FULL_NAME_PREFIX=//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE/instances/
Get the VM ID:
VM_ID=$(gcloud compute instances describe VM_NAME --zone ZONE --format='value(id)')
Concatenate the values of FULL_NAME_PREFIX and VM_ID:
PARENT="$FULL_NAME_PREFIX$VM_ID"
echo "$PARENT"
Replace the following:
- PROJECT_NUMBER: the number of your project
- ZONE: the zone that the VM is located in
- VM_NAME: the name of the VM that you are working on
List the bindings.
gcloud resource-manager tags bindings list \
    --location LOCATION_NAME \
    --parent PARENT
Replace the following:
- LOCATION_NAME: the location to which the Tag belongs; here, the VM instance's zone
- PARENT: the full resource name attached to the binding, as derived in the preceding command
Delete and create the bindings.
gcloud resource-manager tags bindings delete \
    --location LOCATION_NAME \
    --tag-value ORGANIZATION_ID/TAG_KEY/TAG_VALUE \
    --parent PARENT
gcloud resource-manager tags bindings create \
    --location LOCATION_NAME \
    --tag-value ORGANIZATION_ID/TAG_KEY/TAG_VALUE \
    --parent PARENT
Replace the following:
- LOCATION_NAME: the location to which the Tag belongs
- ORGANIZATION_ID: your organization's ID
- TAG_KEY: the Tag key
- TAG_VALUE: the value of the Tag key
- PARENT: the full resource name of the resource to attach to the Tag value
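The binding steps above have two inputs worth checking before the commands run: PARENT is built from the project number and the numeric VM ID, and a VM can hold only one value per Tag key, which is why the last step deletes a binding before creating one. The following pre-flight check is an added example, not part of the original documentation; the function names vm_parent and binding_conflict, the organization ID and all other IDs are constructed for illustration, and the list of already-bound values is assumed to be supplied in ORGANIZATION_ID/TAG_KEY/TAG_VALUE form.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks to run before `tags bindings create`.
# Every ID used here is a constructed sample value.

# Print the PARENT full resource name for a VM. Takes the project NUMBER,
# the zone and the numeric VM ID; rejects a project ID or VM name.
vm_parent() {
  local project_number="$1" zone="$2" vm_id="$3"
  case "$project_number" in
    ''|*[!0-9]*) echo "project number must be numeric" >&2; return 2 ;;
  esac
  case "$vm_id" in
    ''|*[!0-9]*) echo "VM ID must be numeric, not the VM name" >&2; return 2 ;;
  esac
  printf '//compute.googleapis.com/projects/%s/zones/%s/instances/%s\n' \
    "$project_number" "$zone" "$vm_id"
}

# Args: the value to bind (ORGANIZATION_ID/TAG_KEY/TAG_VALUE), then the values
# already bound to the VM in the same form (assumed to be collected beforehand).
# Returns 0 and prints the bound value that shares the key (delete it first),
# 1 if nothing is in the way, 3 if the value is already bound.
binding_conflict() {
  local new="$1" new_key bound
  shift
  new_key="${new%/*}"
  for bound in "$@"; do
    [ "$bound" = "$new" ] && return 3
    if [ "${bound%/*}" = "$new_key" ]; then
      printf '%s\n' "$bound"
      return 0
    fi
  done
  return 1
}

# Demo with the page's vm-function key: the VM already carries web-backend.
if old=$(binding_conflict 123456789012/vm-function/mysql \
    123456789012/env/prod 123456789012/vm-function/web-backend); then
  echo "delete the binding for $old before binding mysql"
fi
```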
Use Tags across peered networks
You can use Tags in network peering. Perform the following tasks in the specified order to use Tags across two peered networks.
- Assign the tagAdmin role to two users: one user in each peer network. An organization administrator can grant the tagAdmin role to users at the organization level, and a project owner can grant it at the project level.
- Let the first network user create Tag keys and values in the first network.
- Let the second network user create Tag keys and values in the second network.
- Grant the required permissions to both users to bind Tags in both networks.
- Bind Tags to users and resources in the first network.
- Bind Tags to users and resources in the second network.
- To the user from the second network, grant tagUser permissions in the first network.
- To the user from the first network, grant tagUser permissions in the second network.
- Create a firewall policy rule in the first network.
- Create a firewall policy rule in the second network.
What's next
- For more details about creating Tags, see Creating and managing tags.