This page describes the VPC firewall rules logging structure in Cloud Logging. When a Virtual Private Cloud (VPC) rule with logging enabled applies to traffic to or from a virtual machine (VM) instance, Cloud Logging creates a log entry. Log records appear in the JSON payload field of a Logging LogEntry .
Firewall log records consist of base fields, which are the core fields of every log record, and an optional metadata fields. To reduce storage costs, you can exclude metadata fields.
Some log fields can contain other fields as values. For example, the connection
field uses the IpConnection
format, which includes the source and
destination IP address and port, and the protocol, in a single field.
The following table describes the log fields supported for VPC firewall rules.
| Field name | Field type: base or optional metadata | Description |
|---|---|---|
connection
|
Base | IpConnection
5-Tuple describing the source and destination IP address, source and destination port, and IP protocol of this connection. |
disposition
|
Base | Indicates whether the connection was ALLOWED
or DENIED
. |
rule_details
|
Base | RuleDetails
VPC firewall rule details. For VPC firewall rules, the format is network:{network name}/firewall:{firewall_name}
. |
instance
|
Metadata | InstanceDetails
VM instance details. In a Shared VPC configuration, project_id
corresponds to that of the service project. |
load_balancer_details
|
Metadata | LoadBalancingDetails
Details of the internal Application Load Balancer or internal proxy Network Load Balancer to which the firewall rule applies. When the target of a firewall rule is one of these load balancers, the instance
field is omitted. |
vpc
|
Metadata | VpcDetails
VPC network details. In a Shared VPC configuration, project_id
corresponds to that of the host project. |
remote_instance
|
Metadata | InstanceDetails
If the remote endpoint of the connection was a VM located in the Compute Engine, this field is populated with VM instance details. |
remote_vpc
|
Metadata | VpcDetails
If the remote endpoint of the connection was a VM that is located in a VPC network, this field is populated with the network details. |
remote_location
|
Metadata | GeographicDetails
If the remote endpoint of the connection was external to the VPC network, this field is populated with available location metadata. |
IpConnection
| Field | Type | Description |
|---|---|---|
src_ip
|
string | The source IP address. If the source is a Compute Engine VM, src_ip
is either the primary internal IP address or an address
in an alias IP range of the VM's network interface. The external IP
address is not shown. Logging shows the IP address of the VM as
the VM sees it on the packet header, the same as if you ran tcpdump
on the VM. |
src_port
|
integer | The source port. |
dest_ip
|
string | The destination IP address. If the destination is a Google Cloud VM, dest_ip
is either the primary internal IP address or an address
in an alias IP range of the VM's network interface. The external IP
address is not shown even if it was used in making the connection. |
dest_port
|
integer | The destination port. |
protocol
|
integer | IP protocol of the connection. |
RuleDetails
| Field | Type | Description |
|---|---|---|
reference
|
string | A unique identifier string referring to a resource-named firewall rule
bound to a single VPC network. The format for
VPC firewall rule is:network:{network name}/firewall:{VPC firewall rule name}
. |
priority
|
integer | The priority for the VPC firewall rule. |
action
|
string | Action applied to the connection. Supported values are ALLOW
or DENY
. |
direction
|
string | The direction that the VPC firewall rule applies to.
It can be INGRESS
or EGRESS
|
source_range[ ]
|
string | List of source ranges that theVPC firewall rule applies to. |
destination_range[ ]
|
string | List of destination ranges that the VPC firewall rule applies to. |
ip_port_info[ ]
|
string | List of IP protocols and applicable port ranges for rules. |
source_tag[ ]
|
string | Lists of source network tags the VPC firewall rule applies to. |
target_tag[ ]
|
string | Lists of target network tags the VPC firewall rule applies to. |
source_service_account[ ]
|
string | List of all the source service accounts that the VPC firewall rule applies to. |
target_service_account[ ]
|
string | List of all the target service accounts that the VPC firewall rule applies to. |
IpPortDetails
| Field | Type | Description |
|---|---|---|
ip_protocol
|
string | IP protocol that the VPC firewall rule applies to. Can be
set to ALL
if the rule applies to all IP protocols. |
port_range[ ]
|
string | List of applicable port ranges for VPC firewall rules.
For example, 8080-9090
. |
InstanceDetails
| Field | Type | Description |
|---|---|---|
project_id
|
string | ID of the project containing the VM. |
vm_name
|
string | Instance name of the VM. |
region
|
string | Region of the VM. |
zone
|
string | Zone of the VM. |
LoadBalancingDetails
| Field | Type | Description |
|---|---|---|
forwarding_rule_project_id
|
string | Google Cloud project ID that contains the forwarding rule. Sent when the load balancer is the target instead of a VM. |
type
|
string | Load balancer type: APPLICATION_LOAD_BALANCER
indicates
an internal Application Load Balancer. PROXY_NETWORK_LOAD_BALANCER
indicates an
internal proxy Network Load Balancer. Sent when
the load balancer is the target instead of a VM. |
scheme
|
string | Load balancer scheme, INTERNAL_MANAGED
. Sent when
the load balancer is the target instead of a VM. |
url_map_name
|
string | Name of the URL map. Only populated if the type
is APPLICATION_LOAD_BALANCER
. Sent when
the load balancer is the target instead of a VM. |
forwarding_rule_name
|
string | Name of the forwarding rule. Sent when the load balancer is the target instead of a VM. |
VpcDetails
| Field | Type | Description |
|---|---|---|
project_id
|
string | ID of the project containing the network. |
vpc_name
|
string | Network on which the VM is operating. |
subnetwork_name
|
string | Subnet on which the VM is operating. |
GeographicDetails
| Field | Type | Description |
|---|---|---|
continent
|
string | Name of the continent. Its applicable if the remote endpoint of the connection is external to the VPC. |
country
|
string | Name of the country. Its applicable if the remote endpoint of the connection is external to the VPC. |
region
|
string | Name of the region. Its applicable if the remote endpoint of the connection is external to the VPC. |
city
|
string | Name of the city. It's applicable if the remote endpoint of the connection is external to the VPC. |
