To control network traffic and enhance security across your global network, use global network firewall policies and rules. Global network firewall policies centralize the management of ingress and egress traffic across multiple Virtual Private Cloud (VPC) networks. You define a policy once and attach it to one or more networks or subnets, ensuring consistent security posture and simplified administration.
This page describes how to configure global network firewall policies by defining rules that specify actions for various traffic types. You learn how to allow or deny connections based on source, destination, protocol, and port. Before you read this page, ensure you are familiar with the concepts described in the Global network firewall policies overview.
Create a global network firewall policy
When you create a global network firewall policy using the Google Cloud console, you can associate the policy with a VPC network during creation. If you create the policy using the Google Cloud CLI, you must associate the policy with a network after you create the policy.
The VPC network with which the global network firewall policy is associated must be in the same project as the global network firewall policy.
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector list, select your project within your organization.
- Click Create firewall policy.
- In the Policy name field, enter a name for the policy.
- For Policy type, select VPC policy.
- For Deployment scope, select Global.
- To create rules for your policy, click Continue.
- In the Add rules section, click Create firewall rule. For more information about creating firewall rules, see Add firewall policy rule on this page.
- To create packet mirroring rules for your policy, click Continue.
- In the Add mirroring rules section, click Create mirroring rule. For more information, see Create a firewall policy with a mirroring rule.
- If you want to associate the policy with a network, click Continue.
- In the Associate policy with networks section, click Associate. For more information, see Associate a policy with a network.
- Click Create.
gcloud
gcloud compute network-firewall-policies create NETWORK_FIREWALL_POLICY_NAME \
    --description DESCRIPTION \
    --policy-type POLICY_TYPE \
    --global
Replace the following:
- NETWORK_FIREWALL_POLICY_NAME: a name for the policy
- DESCRIPTION: a description for the policy
- POLICY_TYPE: the type of network firewall policy. For more information, see Specifications.
Associate a policy with a network
When you associate a firewall policy with a VPC network, all rules in the firewall policy, except the disabled rules, apply to the VPC network.
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select the project that contains your policy.
- Click your policy.
- Click the Associations tab.
- Click Add association.
- Select the networks within the project.
- Click Associate.
gcloud
gcloud compute network-firewall-policies associations create \
    --firewall-policy POLICY_NAME \
    --network NETWORK_NAME \
    [--name ASSOCIATION_NAME] \
    --global-firewall-policy
Replace the following:
- POLICY_NAME: either the short name or the system-generated name of the policy.
- NETWORK_NAME: the name of your network.
- ASSOCIATION_NAME: an optional name for the association; if unspecified, the name is set to network-NETWORK_NAME.
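The two gcloud steps above, creating the policy and associating it with a network, as one script. This is an added example and not code from the page: the project, policy and network names are placeholders, and the run wrapper prints each gcloud command instead of executing it when DRY_RUN=1, so the exact command lines can be reviewed before anything is created. The last two functions are the checks a practitioner wants afterwards: the policy's own association list, and the effective firewall view of the network, which is what the VMs actually see.

```shell
#!/bin/sh
# Added example: create a global network firewall policy, associate it with
# a VPC network, and confirm the association took effect. All names below
# are placeholders (assumed), not values from the documentation page.
set -eu

PROJECT_ID="my-project"             # assumed project ID
POLICY_NAME="prod-global-fw-policy" # assumed policy name
NETWORK_NAME="prod-vpc"             # assumed VPC network, same project as the policy

# run: execute a command, or only print it when DRY_RUN=1 (review mode).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: create the policy. With gcloud the policy is created unattached;
# the association is a separate step (unlike the console flow).
create_policy() {
  run gcloud compute network-firewall-policies create "$POLICY_NAME" \
    --project="$PROJECT_ID" \
    --description="Global policy for $NETWORK_NAME" \
    --global
}

# Step 2: associate the policy with the network. The network must be in the
# same project as the policy. The association name is given explicitly here,
# which matches the default gcloud would pick (network-NETWORK_NAME).
associate_policy() {
  run gcloud compute network-firewall-policies associations create \
    --firewall-policy="$POLICY_NAME" \
    --network="$NETWORK_NAME" \
    --name="network-$NETWORK_NAME" \
    --project="$PROJECT_ID" \
    --global-firewall-policy
}

# Check 1: the policy should now list the network under "associations".
verify_association() {
  run gcloud compute network-firewall-policies describe "$POLICY_NAME" \
    --project="$PROJECT_ID" \
    --global \
    --format="yaml(associations)"
}

# Check 2: the effective firewall view of the network, which merges
# hierarchical policies, this policy and any VPC firewall rules in the
# order they are evaluated. This is what a VM on the network is subject to.
verify_effective() {
  run gcloud compute networks get-effective-firewalls "$NETWORK_NAME" \
    --project="$PROJECT_ID"
}

# Usage: sh create_policy.sh apply        (run for real)
#        DRY_RUN=1 sh create_policy.sh apply   (print the commands only)
if [ "${1:-}" = "apply" ]; then
  create_policy
  associate_policy
  verify_association
  verify_effective
fi
```

Run it once with DRY_RUN=1 to read the command lines, then without. If verify_association prints an empty associations list, the association was created against a different project or policy than the one the VMs use; the effective-firewall output is the authoritative answer to "does this policy apply to this network".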
Add firewall policy rule
This section describes how to add rules in a global network firewall policy.
Create an ingress rule for VM targets
This section describes how to create an ingress rule that applies to network interfaces of Compute Engine instances.
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector list, select a project that contains a global network firewall policy.
- In the Network firewall policies section, click the name of the global network firewall policy in which you want to create a rule.
- In the Firewall rules section, click Create firewall rule and specify the following configuration parameters:
  - Priority: the numeric evaluation order of the rule. Rules are evaluated from highest to lowest priority, where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than a difference of one (for example, 100, 200, 300) so that you can insert new rules between the existing rules later.
  - Description: provide an optional description.
  - Direction of traffic: select Ingress.
  - Action on match: select one of the following:
    - Allow: permits connections that match the rule parameters.
    - Deny: blocks connections that match the rule parameters.
    - Go to next: continues the firewall rule evaluation process.
    - Apply security profile group: sends the packets to a firewall endpoint or an intercept endpoint group, based on the Purpose you select:
      - To send packets to a Cloud NGFW firewall endpoint, select Cloud NGFW Enterprise, then select a Security profile group. To enable TLS inspection of the packets, select Enable TLS inspection.
      - To send packets to a Network Security Integration intercept endpoint group for in-band integration, select NSI In-Band, then select a Security profile group.
  - Logs: select On to enable firewall rules logging or Off to disable firewall rules logging for this rule.
  - Target: select one of the following:
    - Apply to all: Cloud NGFW uses the broadest instance targets.
    - Service accounts: narrows the broadest instance targets to the network interfaces of VM instances that use the service account you specify:
      - In the Service account scope section, select In this project > Target service account to specify a service account in the same project as the global network firewall policy.
      - In the Service account scope section, select In another project > Target service account to specify a service account in a Shared VPC service project.
    - Secure tags: narrows the broadest instance targets to the network interfaces of VM instances that are bound to at least one of the secure tag values that you specify. Click Select scope for tags and select the organization or project that contains the tag values to match. To add more tag values, click Add tag.
  - Source network context: specify a network context:
    - To skip filtering inbound traffic by network context, select All network contexts.
    - To filter inbound traffic by a specific network context, select Specific network context, and then select one of the following:
      - Internet: inbound traffic must match the Internet network context for ingress packets.
      - Non-internet: inbound traffic must match the Non-internet network context for ingress packets.
      - Intra VPC: inbound traffic must match the criteria for the intra-VPC network context.
      - VPC networks: inbound traffic must match the criteria for the VPC networks context. You must select at least one VPC network:
        - Select current project: lets you add one or more VPC networks from the project that contains the firewall policy.
        - Manually enter network: lets you enter a project and VPC network by name.
        - Select project: lets you select a project from which you can select a VPC network.
  - Source filters: specify additional source parameters. Some source parameters can't be used together, and your choice of source network context limits which source parameters you can use. For more information, see Sources for ingress rules and Ingress rule source combinations.
    - To filter inbound traffic by source IPv4 ranges, select IPv4, and then enter the CIDR blocks in the IP ranges field. Use 0.0.0.0/0 for any IPv4 source.
    - To filter inbound traffic by source IPv6 ranges, select IPv6, and then enter the CIDR blocks in the IPv6 ranges field. Use ::/0 for any IPv6 source.
    - To filter inbound traffic by source secure tag values, click Select scope for tags in the Secure tags section, then provide tag keys and tag values. To add more tag values, click Add tag.
    - To filter inbound traffic by source FQDN, enter FQDNs in the FQDNs field. For more information, see FQDN objects.
    - To filter inbound traffic by source geolocation, select one or more locations from the Geolocations field. For more information, see Geolocation objects.
    - To filter inbound traffic by source address group, select one or more address groups from the Address groups field. For more information, see Address groups for firewall policies.
    - To filter inbound traffic by source Google Threat Intelligence lists, select one or more lists from the Google Cloud Threat Intelligence field. For more information, see Google Threat Intelligence for firewall policy rules.
  - Destination: specify optional destination parameters. For more information, see Destinations for ingress rules.
    - To skip filtering inbound traffic by destination IP address, select None.
    - To filter inbound traffic by destination IP address, select IPv4 or IPv6, and then enter one or more CIDRs using the same format as for source IPv4 ranges or source IPv6 ranges.
  - Protocols and ports: specify the protocols and destination ports that traffic must match for the rule to apply. For more information, see Protocols and ports.
  - Enforcement: specify whether the firewall rule is enforced:
    - Enabled: creates the rule and begins enforcing it on new connections.
    - Disabled: creates the rule but doesn't enforce it on new connections.
- Click Create.
gcloud
gcloud compute network-firewall-policies rules create PRIORITY \
    --firewall-policy=POLICY_NAME \
    --project=PROJECT_ID \
    --global-firewall-policy \
    --description=DESCRIPTION \
    --direction=INGRESS \
    --action=ACTION \
    [--enable-logging | --no-enable-logging] \
    [--disabled | --no-disabled] \
    [--target-secure-tags=TARGET_SECURE_TAGS] \
    [--target-service-accounts=TARGET_SERVICE_ACCOUNTS] \
    [--layer4-configs=LAYER_4_CONFIGS] \
    [--src-network-context=SRC_NETWORK_CONTEXT] \
    [--src-networks=SRC_VPC_NETWORKS] \
    [--src-ip-ranges=SRC_IP_RANGES] \
    [--src-address-groups=SRC_ADDRESS_GROUPS] \
    [--src-fqdns=SRC_DOMAIN_NAMES] \
    [--src-secure-tags=SRC_SECURE_TAGS] \
    [--src-region-codes=SRC_COUNTRY_CODES] \
    [--src-threat-intelligence=SRC_THREAT_LIST_NAMES] \
    [--dest-ip-ranges=DEST_IP_RANGES]
Replace the following:
- PRIORITY: the numeric evaluation order of the rule within the policy. Rules are evaluated from highest to lowest priority, where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than a difference of one (for example, 100, 200, 300) so that you can insert new rules between the existing rules later.
- POLICY_NAME: the name of the global network firewall policy in which you want to create the rule.
- PROJECT_ID: the project ID that contains the global network firewall policy.
- DESCRIPTION: an optional description for the new rule.
- ACTION: specify one of the following actions:
  - allow: allows connections that match the rule.
  - deny: denies connections that match the rule.
  - goto_next: continues the firewall rule evaluation process.
  - apply_security_profile_group: sends the packets to a firewall endpoint or intercept endpoint group.
    - When the action is apply_security_profile_group, you must include --security-profile-group SECURITY_PROFILE_GROUP, where SECURITY_PROFILE_GROUP is the name of a security profile group.
    - The security profile group's security profile can reference either a Cloud NGFW firewall endpoint or a Network Security Integration intercept endpoint group for in-band integration.
    - If the security profile group's security profile references a Cloud NGFW firewall endpoint, include either --tls-inspect or --no-tls-inspect to enable or disable TLS inspection.
- The --enable-logging and --no-enable-logging flags enable or disable firewall rules logging for the rule.
- The --disabled and --no-disabled flags control whether the rule is disabled (not enforced) or enabled (enforced).
- Specify a target:
  - If you omit both the --target-secure-tags and --target-service-accounts flags, Cloud NGFW uses the broadest instance targets.
  - TARGET_SECURE_TAGS: a comma-separated list of secure tag values that narrows the broadest instance targets to the network interfaces of VM instances that are bound to at least one of the secure tag values.
  - TARGET_SERVICE_ACCOUNTS: a comma-separated list of service accounts that narrows the broadest instance targets to the network interfaces of VM instances that use one of the service accounts.
- LAYER_4_CONFIGS: a comma-separated list of Layer 4 configs. Each Layer 4 config can be one of the following:
  - An IP protocol name (tcp) or IANA IP protocol number (17) without a destination port.
  - An IP protocol name and destination port separated by a colon (tcp:80).
  - An IP protocol name and destination port range separated by a colon, using a dash to separate the beginning and ending destination ports (tcp:5000-6000). For more information, see Protocols and ports.
- Specify a source for the ingress rule. For more information, see Ingress rule source combinations:
  - SRC_NETWORK_CONTEXT: a source network context, used in conjunction with another supported source parameter to produce a source combination. Valid values when --target-type=INSTANCES are INTERNET, NON_INTERNET, VPC_NETWORKS, or INTRA_VPC. For more information, see Network contexts.
  - SRC_VPC_NETWORKS: a comma-separated list of VPC networks specified by their URL identifiers. Specify this flag only when --src-network-context is VPC_NETWORKS.
  - SRC_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
  - SRC_ADDRESS_GROUPS: a comma-separated list of address groups specified by their unique URL identifiers. Address groups in the list must contain all IPv4 addresses or all IPv6 addresses, not a combination of both.
  - SRC_DOMAIN_NAMES: a comma-separated list of FQDN objects specified in the domain name format.
  - SRC_SECURE_TAGS: a comma-separated list of secure tags. You cannot use the --src-secure-tags flag if --src-network-context is INTERNET.
  - SRC_COUNTRY_CODES: a comma-separated list of two-letter country codes. For more information, see Geolocation objects. You cannot use the --src-region-codes flag if --src-network-context is NON_INTERNET, VPC_NETWORKS, or INTRA_VPC.
  - SRC_THREAT_LIST_NAMES: a comma-separated list of names of Google Threat Intelligence lists. For more information, see Google Threat Intelligence for firewall policy rules. You cannot use the --src-threat-intelligence flag if --src-network-context is NON_INTERNET, VPC_NETWORKS, or INTRA_VPC.
- Optionally, specify a destination for the ingress rule:
  - DEST_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
Create an egress rule for VM targets
The following directions show how to create an egress rule. Egress rules only apply to targets that are network interfaces of Compute Engine instances.
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector list, select a project that contains a global network firewall policy.
- In the Network firewall policies section, click the name of the global network firewall policy in which you want to create a rule.
- In the Firewall rules section, click Create firewall rule and specify the following configuration parameters:
  - Priority: the numeric evaluation order of the rule. Rules are evaluated from highest to lowest priority, where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than a difference of one (for example, 100, 200, 300) so that you can insert new rules between the existing rules later.
  - Description: provide an optional description.
  - Direction of traffic: select Egress.
  - Action on match: select one of the following:
    - Allow: permits connections that match the rule parameters.
    - Deny: blocks connections that match the rule parameters.
    - Go to next: continues the firewall rule evaluation process.
    - Apply security profile group: sends the packets to a firewall endpoint or an intercept endpoint group, based on the Purpose you select:
      - To send packets to a Cloud NGFW firewall endpoint, select Cloud NGFW Enterprise, then select a Security profile group. To enable TLS inspection of the packets, select Enable TLS inspection.
      - To send packets to a Network Security Integration intercept endpoint group for in-band integration, select NSI In-Band, then select a Security profile group.
  - Logs: select On to enable firewall rules logging or Off to disable firewall rules logging for this rule.
  - Target: select one of the following:
    - Apply to all: Cloud NGFW uses the broadest instance targets.
    - Service accounts: narrows the broadest instance targets to the network interfaces of VM instances that use the service account you specify:
      - In the Service account scope section, select In this project > Target service account to specify a service account in the same project as the global network firewall policy.
      - In the Service account scope section, select In another project > Target service account to specify a service account in a Shared VPC service project.
    - Secure tags: narrows the broadest instance targets to the network interfaces of VM instances that are bound to at least one of the secure tag values that you specify. Click Select scope for tags and select the organization or project that contains the tag values to match. To add more tag values, click Add tag.
  - Destination network context: specify a network context:
    - To skip filtering outgoing traffic by network context, select All network contexts.
    - To filter outgoing traffic by a specific network context, select Specific network context, and then select one of the following:
      - Internet: outgoing traffic must match the Internet network context for egress packets.
      - Non-internet: outgoing traffic must match the Non-internet network context for egress packets.
  - Destination filters: specify additional destination parameters. Some destination parameters can't be used together, and your choice of destination network context limits which destination filters you can use. For more information, see Destinations for egress rules and Egress rule destination combinations.
    - To filter outgoing traffic by destination IPv4 ranges, select IPv4, and then enter the CIDR blocks in the IP ranges field. Use 0.0.0.0/0 for any IPv4 destination.
    - To filter outgoing traffic by destination IPv6 ranges, select IPv6, and then enter the CIDR blocks in the IPv6 ranges field. Use ::/0 for any IPv6 destination.
    - To filter outgoing traffic by destination FQDN, enter FQDNs in the FQDNs field. For more information, see FQDN objects.
    - To filter outgoing traffic by destination geolocation, select one or more locations from the Geolocations field. For more information, see Geolocation objects.
    - To filter outgoing traffic by destination address group, select one or more address groups from the Address groups field. For more information, see Address groups for firewall policies.
    - To filter outgoing traffic by destination Google Threat Intelligence lists, select one or more lists from the Google Cloud Threat Intelligence field. For more information, see Google Threat Intelligence for firewall policy rules.
  - Source: specify optional source parameters. For more information, see Sources for egress rules.
    - To skip filtering outgoing traffic by source IP address, select None.
    - To filter outgoing traffic by source IP address, select IPv4 or IPv6, and then enter one or more CIDRs using the same format as for destination IPv4 ranges or destination IPv6 ranges.
  - Protocols and ports: specify the protocols and destination ports that traffic must match for the rule to apply. For more information, see Protocols and ports.
  - Enforcement: specify whether the firewall rule is enforced:
    - Enabled: creates the rule and begins enforcing it on new connections.
    - Disabled: creates the rule but doesn't enforce it on new connections.
- Click Create.
gcloud
gcloud compute network-firewall-policies rules create PRIORITY \
    --firewall-policy=POLICY_NAME \
    --project=PROJECT_ID \
    --global-firewall-policy \
    --description=DESCRIPTION \
    --direction=EGRESS \
    --action=ACTION \
    [--enable-logging | --no-enable-logging] \
    [--disabled | --no-disabled] \
    [--target-secure-tags=TARGET_SECURE_TAGS] \
    [--target-service-accounts=TARGET_SERVICE_ACCOUNTS] \
    [--layer4-configs=LAYER_4_CONFIGS] \
    [--dest-network-context=DEST_NETWORK_CONTEXT] \
    [--dest-ip-ranges=DEST_IP_RANGES] \
    [--dest-address-groups=DEST_ADDRESS_GROUPS] \
    [--dest-fqdns=DEST_DOMAIN_NAMES] \
    [--dest-region-codes=DEST_COUNTRY_CODES] \
    [--dest-threat-intelligence=DEST_THREAT_LIST_NAMES] \
    [--src-ip-ranges=SRC_IP_RANGES]
Replace the following:
- PRIORITY: the numeric evaluation order of the rule within the policy. Rules are evaluated from highest to lowest priority, where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than a difference of one (for example, 100, 200, 300) so that you can insert new rules between the existing rules later.
- POLICY_NAME: the name of the global network firewall policy in which you want to create the rule.
- PROJECT_ID: the project ID that contains the global network firewall policy.
- DESCRIPTION: an optional description for the new rule.
- ACTION: specify one of the following actions:
  - allow: allows connections that match the rule.
  - deny: denies connections that match the rule.
  - goto_next: continues the firewall rule evaluation process.
  - apply_security_profile_group: sends the packets to a firewall endpoint or intercept endpoint group.
    - When the action is apply_security_profile_group, you must include --security-profile-group SECURITY_PROFILE_GROUP, where SECURITY_PROFILE_GROUP is the name of a security profile group.
    - The security profile group's security profile can reference either a Cloud NGFW firewall endpoint or a Network Security Integration intercept endpoint group for in-band integration.
    - If the security profile group's security profile references a Cloud NGFW firewall endpoint, include either --tls-inspect or --no-tls-inspect to enable or disable TLS inspection.
- The --enable-logging and --no-enable-logging flags enable or disable firewall rules logging for the rule.
- The --disabled and --no-disabled flags control whether the rule is disabled (not enforced) or enabled (enforced).
- Specify a target:
  - If you omit both the --target-secure-tags and --target-service-accounts flags, Cloud NGFW uses the broadest instance targets.
  - TARGET_SECURE_TAGS: a comma-separated list of secure tag values that narrows the broadest instance targets to the network interfaces of VM instances that are bound to at least one of the secure tag values.
  - TARGET_SERVICE_ACCOUNTS: a comma-separated list of service accounts that narrows the broadest instance targets to the network interfaces of VM instances that use one of the service accounts.
- LAYER_4_CONFIGS: a comma-separated list of Layer 4 configs. Each Layer 4 config can be one of the following:
  - An IP protocol name (tcp) or IANA IP protocol number (17) without a destination port.
  - An IP protocol name and destination port separated by a colon (tcp:80).
  - An IP protocol name and destination port range separated by a colon, using a dash to separate the beginning and ending destination ports (tcp:5000-6000). For more information, see Protocols and ports.
- Specify a destination for the egress rule. For more information, see Egress rule destination combinations:
  - DEST_NETWORK_CONTEXT: a destination network context, used in conjunction with another supported destination parameter to produce a destination combination. Valid values are INTERNET and NON_INTERNET. For more information, see Network contexts.
  - DEST_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
  - DEST_ADDRESS_GROUPS: a comma-separated list of address groups specified by their unique URL identifiers.
  - DEST_DOMAIN_NAMES: a comma-separated list of FQDN objects specified in the domain name format.
  - DEST_COUNTRY_CODES: a comma-separated list of two-letter country codes. For more information, see Geolocation objects.
  - DEST_THREAT_LIST_NAMES: a comma-separated list of names of Google Threat Intelligence lists. For more information, see Google Threat Intelligence for firewall policy rules.
- Optionally, specify a source for the egress rule:
  - SRC_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
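The ingress and egress gcloud commands from the two rule sections above, combined into a default-deny rule set for one policy. This is an added example and not code from the page. The policy and project names, the web service account, the admin range and the update host are placeholder assumptions; iplist-known-malicious-ips is one of the predefined Google Threat Intelligence list names. Two details from the flag descriptions drive the shape of the rules: a range list cannot mix IPv4 and IPv6, so the default deny needs one rule per address family, and priorities are spaced so that rules can be inserted later. Deny rules are logged so that blocked traffic is visible. The run wrapper prints each gcloud command instead of executing it when DRY_RUN=1.

```shell
#!/bin/sh
# Added example: a default-deny ingress and egress rule set for a global
# network firewall policy. All names, ranges and hosts are placeholders
# (assumed), not values from the documentation page.
set -eu

PROJECT_ID="my-project"                            # assumed project ID
POLICY_NAME="prod-global-fw-policy"                # assumed policy name
WEB_SA="web@my-project.iam.gserviceaccount.com"    # assumed web-tier service account
ADMIN_RANGE="10.10.0.0/24"                         # assumed admin/bastion subnet
UPDATE_FQDN="packages.example.com"                 # assumed package mirror

# run: execute a command, or only print it when DRY_RUN=1 (review mode).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# add_rule PRIORITY DIRECTION ACTION [flags...]: one rule in the policy.
add_rule() {
  prio="$1"; dir="$2"; act="$3"; shift 3
  run gcloud compute network-firewall-policies rules create "$prio" \
    --firewall-policy="$POLICY_NAME" --project="$PROJECT_ID" \
    --global-firewall-policy --direction="$dir" --action="$act" "$@"
}

ingress_rules() {
  # 500: drop sources on the known-malicious threat list first, and log it.
  add_rule 500 INGRESS deny --enable-logging \
    --src-threat-intelligence=iplist-known-malicious-ips \
    --layer4-configs=all
  # 1000: public HTTPS, but only to VMs that run the web service account
  # (a target narrows the rule; without one it applies to every VM).
  add_rule 1000 INGRESS allow \
    --src-network-context=INTERNET --src-ip-ranges=0.0.0.0/0 \
    --target-service-accounts="$WEB_SA" --layer4-configs=tcp:443
  # 1100: SSH only from the admin range, logged.
  add_rule 1100 INGRESS allow --enable-logging \
    --src-ip-ranges="$ADMIN_RANGE" --layer4-configs=tcp:22
  # 65000/65010: default deny. IPv4 and IPv6 ranges cannot share a rule,
  # so one rule per address family; both logged.
  add_rule 65000 INGRESS deny --enable-logging \
    --src-ip-ranges=0.0.0.0/0 --layer4-configs=all
  add_rule 65010 INGRESS deny --enable-logging \
    --src-ip-ranges=::/0 --layer4-configs=all
}

egress_rules() {
  # 1000: HTTPS to the package mirror, matched by FQDN in the Internet context.
  add_rule 1000 EGRESS allow \
    --dest-network-context=INTERNET --dest-fqdns="$UPDATE_FQDN" \
    --layer4-configs=tcp:443
  # 65000/65010: default deny for egress, one rule per address family.
  add_rule 65000 EGRESS deny --enable-logging \
    --dest-ip-ranges=0.0.0.0/0 --layer4-configs=all
  add_rule 65010 EGRESS deny --enable-logging \
    --dest-ip-ranges=::/0 --layer4-configs=all
}

# list_rules: print every rule in the policy so the set can be reviewed
# in priority order before it is trusted.
list_rules() {
  run gcloud compute network-firewall-policies describe "$POLICY_NAME" \
    --project="$PROJECT_ID" --global --format="yaml(rules)"
}

# Usage: DRY_RUN=1 sh rules.sh apply   (print the commands only)
#        sh rules.sh apply             (create the rules)
if [ "${1:-}" = "apply" ]; then
  ingress_rules
  egress_rules
  list_rules
fi
```

The egress deny at 65000 and 65010 blocks every destination that is not explicitly allowed above it, including Google APIs and any other service the VMs depend on, so add those allow rules before the deny rules, or create the deny rules with --disabled first, watch the logs of the allow rules for traffic you did not expect, and only then enable them. Nothing in this script touches the rules of a security profile group; to send matching traffic to a firewall endpoint instead, replace the action with apply_security_profile_group and add --security-profile-group as described above.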

