> **Preview:** This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the [Service Specific Terms](/terms/service-terms#1). Pre-GA features are available "as is" and might have limited support. For more information, see the [launch stage descriptions](/products#product-launch-stages).

Cloud Next Generation Firewall regional network firewall policies can be used by Virtual Private Cloud (VPC) networks that have an associated Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) network profile. *RoCE VPC networks* are those that are created with an [RDMA RoCE network profile](/vpc/docs/rdma-network-profiles).

RoCE VPC networks enable zonal workloads for high performance computing, including AI workloads in Google Cloud. This page describes the key differences in Cloud NGFW support for RoCE VPC networks.
## Specifications

The following firewall specifications apply to RoCE VPC networks:

- **Supported firewall rules and policies**: RoCE VPC networks *only* support firewall rules in regional network firewall policies. They don't support global network firewall policies, hierarchical firewall policies, or VPC firewall rules.
- **Region and policy type**: to use a regional network firewall policy with an RoCE VPC network, you must create the policy with the following attributes:
  - The region of the firewall policy must contain the zone used by the RoCE network profile of the RoCE VPC network.
  - You must set the firewall policy type of the firewall policy to `RDMA_ROCE_POLICY`.

  Consequently, a regional network firewall policy can *only* be used by RoCE VPC networks in a particular region. A regional network firewall policy can't be used by both RoCE VPC networks and regular VPC networks.
- **RoCE firewall policy is stateless**: a RoCE firewall policy processes each packet as an independent unit and doesn't keep track of ongoing connections. Therefore, to ensure that two virtual machines (VMs) can communicate, you must create an allow ingress rule in both directions.
## Implied firewall rules

RoCE VPC networks use the following implied firewall rules, which are different from the implied firewall rules used by regular VPC networks:

- Implied allow egress
- Implied allow ingress

An RoCE VPC network without any rules in an associated regional network firewall policy allows all egress and ingress traffic. These implied firewall rules don't support [Firewall Rules Logging](/firewall/docs/firewall-rules-logging).
## Rule specifications

Rules in a regional network firewall policy with the policy type `RDMA_ROCE_POLICY` must meet the following requirements:

- **Ingress direction only**: the rule's direction must be ingress. You can't create egress firewall rules in a regional network firewall policy whose policy type is `RDMA_ROCE_POLICY`.
- **Target parameter**: target secure tags are supported, but target service accounts are not.
- **Source parameter**: only two of the [source parameter values](/firewall/docs/firewall-policies-rule-details#sources) are supported:
  - Source IP address ranges (`src-ip-ranges`) are supported, but the only valid value is `0.0.0.0/0`.
  - Source secure tags (`src-secure-tags`) are fully supported. Using secure tags is the suggested way to segment workloads that are in the same RoCE VPC network.

  Source secure tags and source IP address ranges are mutually exclusive. For example, if you create a rule with `src-ip-ranges=0.0.0.0/0`, then you can't use source secure tags (`src-secure-tags`). Other source parameters that are part of [Cloud NGFW Standard](/firewall/docs/about-firewalls#firewall-standard) (source address groups, source domain names, source geolocations, and source Google Threat Intelligence lists) aren't supported.

  > **Note:** Target secure tags and source secure tags apply to the VM network interfaces that send packets. For more information, see [Specifications](/firewall/docs/tags-firewalls-overview#specifications).
- **Action parameter**: both allow and deny actions are supported, with the following constraints:
  - An ingress rule with `src-ip-ranges=0.0.0.0/0` can use either the `ALLOW` or `DENY` action.
  - An ingress rule with a source secure tag can only use the `ALLOW` action.
- **Protocol and port parameters**: the only supported protocol is `all` (`--layer4-configs=all`). Rules that apply to specific protocols or ports aren't allowed.
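The rule constraints above are easy to get wrong when rules are generated by automation, and the API only tells you after the call fails. The following Python linter is an added example (not Google Cloud code or an API type) that encodes those constraints so a policy-as-code pipeline can reject an invalid rule before it reaches `gcloud` or the API. The `RoceRule` class and its field names are assumptions of this example, chosen to mirror the flags named on this page (`src-ip-ranges`, `src-secure-tags`, `--layer4-configs`); the duplicate-priority check reflects the general requirement that priorities be unique within a firewall policy.

```python
"""Offline linter for rules intended for an RDMA_ROCE_POLICY regional network
firewall policy. Added example, not Google Cloud code: it encodes the
constraints listed under "Rule specifications" so that a policy-as-code
pipeline can reject an invalid rule before calling gcloud or the API.
The RoceRule class is an assumption of this example, not an API type."""

from dataclasses import dataclass, field

ALLOWED_SRC_RANGE = "0.0.0.0/0"   # the only src-ip-ranges value a RoCE policy accepts


@dataclass
class RoceRule:
    priority: int
    action: str                                   # "allow" or "deny"
    direction: str = "INGRESS"
    src_ip_ranges: list = field(default_factory=list)
    src_secure_tags: list = field(default_factory=list)
    target_secure_tags: list = field(default_factory=list)
    target_service_accounts: list = field(default_factory=list)
    layer4_configs: list = field(default_factory=lambda: ["all"])


def validate_roce_rule(rule: RoceRule) -> list:
    """Return every constraint the rule violates; an empty list means it is acceptable."""
    problems = []
    if rule.direction.upper() != "INGRESS":
        problems.append("direction must be INGRESS (egress rules are not allowed)")
    if rule.target_service_accounts:
        problems.append("target service accounts are not supported; use target secure tags")
    if rule.src_ip_ranges and rule.src_secure_tags:
        problems.append("src-ip-ranges and src-secure-tags are mutually exclusive")
    bad_ranges = [r for r in rule.src_ip_ranges if r != ALLOWED_SRC_RANGE]
    if bad_ranges:
        problems.append(f"src-ip-ranges only accepts {ALLOWED_SRC_RANGE}, got {bad_ranges}")
    action = rule.action.lower()
    if action not in ("allow", "deny"):
        problems.append(f"action must be allow or deny, got {rule.action!r}")
    elif rule.src_secure_tags and action == "deny":
        problems.append("a rule with source secure tags can only use the ALLOW action")
    if [c.lower() for c in rule.layer4_configs] != ["all"]:
        problems.append("layer4-configs must be exactly 'all'; protocol or port filters are not allowed")
    return problems


def validate_policy(rules) -> dict:
    """Map each offending priority to its problems. Also flags duplicate
    priorities, which a firewall policy never permits."""
    findings = {}
    seen = set()
    for rule in rules:
        problems = validate_roce_rule(rule)
        if rule.priority in seen:
            problems.append(f"priority {rule.priority} is used more than once")
        seen.add(rule.priority)
        if problems:
            findings[rule.priority] = problems
    return findings


if __name__ == "__main__":
    # Constructed sample policy: a catch-all deny plus a tag-scoped allow
    # (both valid), and a port-specific egress rule (rejected on two counts).
    candidate = [
        RoceRule(65534, "deny", src_ip_ranges=["0.0.0.0/0"]),
        RoceRule(1000, "allow", src_secure_tags=["tagValues/train"],
                 target_secure_tags=["tagValues/train"]),
        RoceRule(1100, "allow", direction="EGRESS", src_ip_ranges=["0.0.0.0/0"],
                 layer4_configs=["tcp:22"]),
    ]
    for prio, probs in validate_policy(candidate).items():
        print(prio, probs)
```

Run it as a pre-submit step over the rules you intend to create; a non-empty result from `validate_policy` is the signal to stop before any `gcloud` call is made.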
## Monitoring and logging

[Firewall Rules Logging](/firewall/docs/firewall-rules-logging) is supported with the following constraints:

- Logs for ingress allow firewall rules are published once per tunnel establishment and provide 2-tuple packet information.
- Logs for ingress deny firewall rules are published as sampled packets and provide 5-tuple packet information. Logs are published at a maximum rate of once every 5 seconds, and all firewall logs are limited to 4,000 packets per 5 seconds.
## Unsupported features

The following features are unsupported:

- [Security profiles](/firewall/docs/about-security-profiles) and [firewall endpoints](/firewall/docs/about-firewall-endpoints)
- [Mirroring rules](/network-security-integration/docs/out-of-band/firewall-policies-overview#mirroring-rules)

## Configure RoCE VPC networks

To create firewall rules for an RoCE VPC network, use these guidelines and resources:

- The rules in a regional network firewall policy that an RoCE VPC network uses depend on target and source secure tags. Therefore, ensure that you are familiar with how to [create and manage secure tags](/firewall/docs/use-tags-for-firewalls) and [bind secure tags to VM instances](/firewall/docs/use-tags-for-firewalls#bind_secure_tags_to_vm_instances).
- To create RoCE VPC networks and regional network firewall policies for RoCE VPC networks, see [Create and manage firewall rules for RoCE VPC networks](/firewall/docs/create-manage-roce-vpcs).
- To control ingress traffic and segment your workloads when you create ingress rules in a regional network firewall policy, use the following steps:
  - Create an ingress deny firewall rule that specifies `src-ip-ranges=0.0.0.0/0` and applies to all VMs in the RoCE VPC network.
  - Create higher-priority ingress allow firewall rules that specify target secure tags and source secure tags.
- To determine which firewall rules apply to a VM network interface or to view firewall rule logs, see [Get effective firewall rules for a VM interface](/firewall/docs/use-network-firewall-policies#get_effective_firewall_rules_for_a_vm_interface) and [Use Firewall Rules Logging](/firewall/docs/using-firewall-rules-logging).

## What's next

- [RDMA RoCE network profile](/vpc/docs/rdma-network-profiles)
- [Create and manage firewall rules for RoCE VPC networks](/firewall/docs/create-manage-roce-vpcs)

Last updated 2025-09-04 UTC.
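Two points on this page interact in a way that is easy to miss: the policy is stateless (Specifications), and the recommended layering is a lowest-priority deny rule with `src-ip-ranges=0.0.0.0/0` plus higher-priority tag-based allow rules (the steps just above). The Python evaluator below is an added example, not Google Cloud code, that models how such a rule set judges each packet on its own: the highest-priority matching ingress rule decides, nothing remembers a "connection", so an allow for trainer-to-parameter-server traffic says nothing about the reverse direction until a second rule exists. The VM names, tag values, and the simplification of attaching tags to a VM rather than to a network interface are assumptions of this example.

```python
"""Stateless evaluation of an RDMA_ROCE_POLICY rule set. Added example, not
Google Cloud code. Each packet is judged independently by the highest-priority
matching ingress rule (lower number wins), with no connection tracking, so an
allow for A->B implies nothing about B->A. Tags are modelled per VM rather
than per network interface as a simplification assumed by this example."""

from dataclasses import dataclass

ANY_SOURCE = "0.0.0.0/0"   # the only src-ip-ranges value a RoCE policy accepts


@dataclass(frozen=True)
class Rule:
    priority: int                   # lower number = higher priority
    action: str                     # "allow" or "deny"
    src_ip_ranges: tuple = ()       # () or ("0.0.0.0/0",)
    src_secure_tags: tuple = ()     # tag values required on the sending VM
    target_secure_tags: tuple = ()  # tag values on the receiving VM; () = all VMs


def rule_applies(rule, src_tags, dst_tags):
    """Does this ingress rule match a packet from a VM with src_tags to a VM with dst_tags?"""
    # Target side: an empty target means every VM in the network.
    if rule.target_secure_tags and not set(rule.target_secure_tags) & set(dst_tags):
        return False
    # Source side: 0.0.0.0/0 matches any sender; otherwise the sender needs a listed tag.
    if ANY_SOURCE in rule.src_ip_ranges:
        return True
    return bool(set(rule.src_secure_tags) & set(src_tags))


def evaluate_packet(rules, vm_tags, src_vm, dst_vm):
    """Return 'allow' or 'deny' for one packet. With no matching rule, the
    implied allow ingress rule of RoCE VPC networks applies."""
    src_tags, dst_tags = vm_tags[src_vm], vm_tags[dst_vm]
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_applies(rule, src_tags, dst_tags):
            return rule.action
    return "allow"  # implied allow ingress


def can_communicate(rules, vm_tags, a, b):
    """Two VMs can talk only if packets are allowed in BOTH directions,
    because the policy is stateless and never tracks a reply."""
    return (evaluate_packet(rules, vm_tags, a, b) == "allow"
            and evaluate_packet(rules, vm_tags, b, a) == "allow")


# Constructed sample: tag values and VM names are illustrative only.
VM_TAGS = {
    "trainer-0": ("tagValues/train",),
    "trainer-1": ("tagValues/train",),
    "param-server-0": ("tagValues/ps",),
    "stray-vm": (),   # a VM that was never tagged
}

RULES = [
    # Step 1 of the recommended layering: lowest priority, deny everything
    # from anywhere to every VM in the network.
    Rule(65534, "deny", src_ip_ranges=(ANY_SOURCE,)),
    # Step 2: higher-priority tag-based allows. Trainers may talk to trainers;
    # the same tag on both sides covers both directions.
    Rule(1000, "allow", src_secure_tags=("tagValues/train",),
         target_secure_tags=("tagValues/train",)),
    # Trainers may send to the parameter server...
    Rule(1100, "allow", src_secure_tags=("tagValues/train",),
         target_secure_tags=("tagValues/ps",)),
]

# ...but the parameter server's packets back to the trainers hit the deny rule
# until this reverse rule is added, because nothing remembers the "connection".
REVERSE_RULE = Rule(1200, "allow", src_secure_tags=("tagValues/ps",),
                    target_secure_tags=("tagValues/train",))

if __name__ == "__main__":
    print("trainer-0 <-> trainer-1:", can_communicate(RULES, VM_TAGS, "trainer-0", "trainer-1"))
    print("trainer-0 -> param-server-0:", evaluate_packet(RULES, VM_TAGS, "trainer-0", "param-server-0"))
    print("param-server-0 -> trainer-0:", evaluate_packet(RULES, VM_TAGS, "param-server-0", "trainer-0"))
    print("with reverse rule:", can_communicate(RULES + [REVERSE_RULE], VM_TAGS, "trainer-0", "param-server-0"))
    print("stray-vm -> trainer-0:", evaluate_packet(RULES, VM_TAGS, "stray-vm", "trainer-0"))
```

The untagged `stray-vm` case is the reason the catch-all deny belongs at the bottom: with no tag it matches no allow rule and falls through to the deny, whereas with no rules at all the implied allow ingress rule would have let its packets through.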