Console
    Start free

    Firewall policies

    Firewall policies let you group several firewall rules so that you can update them all at once, effectively controlled by Identity and Access Management (IAM) roles. These policies contain rules that can explicitly deny or allow connections, as do Virtual Private Cloud (VPC) firewall rules .

    Hierarchical firewall policies

    Hierarchical firewall policies let you group rules into a policy object that can apply to many VPC networks in one or more projects. You can associate hierarchical firewall policies with an entire organization or individual folders .

    For hierarchical firewall policy specifications and details, see Hierarchical firewall policies .

    Global network firewall policies

    Global network firewall policies let you group rules into a policy object that can apply to all regions of a VPC network.

    For global network firewall policy specifications and details, see Global network firewall policies .

    Regional network firewall policies

    Regional network firewall policies let you group rules into a policy object that can apply to a specific region of a VPC network.

    For regional firewall policy specifications and details, see Regional network firewall policies .

    Regional system firewall policies

    Regional system firewall policies are similar to regional network firewall policies, but they are managed by Google. Regional system firewall policies have the following characteristics:

    • Google Cloud evaluates rules in regional system firewall policies immediately after evaluating rules in hierarchical firewall policies. For more information, see Firewall rule evaluation process .

    • You can't modify a rule in a regional system firewall policy, except to enable or disable firewall rule logging. Instead, Google services like Google Kubernetes Engine (GKE) manage rules in regional system firewall policies using internal APIs.

    • Google Cloud creates a regional system firewall policy in a region of a VPC network when a Google service requires rules in that region of the network. Google Cloud can associate more than one regional system firewall policy with a region of a VPC network based on the requirements of Google services.

    • You aren't charged for the evaluation of rules in regional system firewall policies.

    Network profile interaction

    Regular VPC networks support firewall rules in hierarchical firewall policies, global network firewall policies, regional network firewall policies, and VPC firewall rules. All firewall rules are programmed as part of the Andromeda network virtualization stack .

    VPC networks that use certain network profiles restrict the firewall policies and rule attributes that you can use. For RoCE VPC networks, see Cloud NGFW for RoCE VPC networks instead of this page.

    Network firewall policy enforcement order

    Each regular VPC network has a network firewall policy enforcement order that controls when rules in global network firewall policies and regional network firewall policies are evaluated.

    • AFTER_CLASSIC_FIREWALL (default): Cloud NGFW evaluates VPC firewall rules before it evaluates rules in global network firewall policies and regional network firewall policies.

    • BEFORE_CLASSIC_FIREWALL : Cloud NGFW evaluates rules in global network firewall policies and regional network firewall policies before it evaluates VPC firewall rules.

    To change the network firewall policy enforcement order, do any one of the following:

    • Use the networks.patch method and set the networkFirewallPolicyEnforcementOrder attribute of the VPC network.

    • Use the gcloud compute networks update command with the --network-firewall-policy-enforcement-order flag.

      For example:

      gcloud compute networks update VPC_NETWORK_NAME 
\
    --network-firewall-policy-enforcement-order= ENFORCEMENT_ORDER

    Firewall rule evaluation process

    This section describes the order in which Cloud NGFW evaluates rules that apply to target resources in regular VPC networks.

    Each firewall rule is either an ingress rule or an egress rule, based on the direction of traffic:

    • Ingress rules apply to packets for a new connection that a target resource receives. Supported target resources for ingress rules are as follows:

      • Network interfaces of virtual machine (VM) instances.

      • Managed Envoy proxies used by internal Application Load Balancers and internal proxy Network Load Balancers ( Preview ).

    • Egress rules apply to packets for a new connection that a target VM network interface sends.

    Cloud NGFW always evaluates rules in hierarchical firewall policies and regional system firewall policies before it evaluates any other firewall rules. You control the order in which Cloud NGFW evaluates other firewall rules by choosing a network firewall policy enforcement order . The network firewall policy enforcement order can be either AFTER_CLASSIC_FIREWALL or BEFORE_CLASSIC_FIREWALL .

    AFTER_CLASSIC_FIREWALL network firewall policy enforcement order

    When the network firewall policy enforcement order is AFTER_CLASSIC_FIREWALL , Cloud NGFW evaluates rules in global and regional network firewall policies after evaluating VPC firewall rules. This is the default evaluation order.

    In a regular VPC network that uses the AFTER_CLASSIC_FIREWALL enforcement order, the complete firewall rule evaluation order is the following:

    1. Hierarchical firewall policies.

      Cloud NGFW evaluates hierarchical firewall policies in the following order:

      1. The hierarchical firewall policy associated with the organization that contains the target resource.
      2. Hierarchical firewall policies associated with folder ancestors, from the top-level folder down to the folder that contains the target resource's project.

      When evaluating rules in each hierarchical firewall policy, Cloud NGFW performs the following steps:

      1. Disregard all rules whose targets don't match the target resource.
      2. Disregard all rules that don't match the packet's direction.
      3. Evaluate the remaining rules from the highest to the lowest priority.

        Evaluation stops when either one of the following conditions is met:

        • A rule that applies to the target resource matches the traffic.
        • No rules that apply to the target resource match the traffic.

      In a hierarchical firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

      • allow : the rule allows the traffic, and all rule evaluation stops.
      • deny : the rule denies the traffic, and all rule evaluation stops.
      • apply_security_profile_group : the rule forwards the traffic to a configured firewall endpoint , and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
      • goto_next : the rule evaluation continues to one of the following:
        • A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
        • The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.

      If no rule in a hierarchical firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to one of the following:

      • A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
      • The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.

    2. Regional system firewall policies.

      When evaluating regional system firewall policy rules, Cloud NGFW performs the following steps:

      1. Disregard all rules whose targets don't match the target resource.
      2. Disregard all rules that don't match the packet's direction.
      3. Evaluate the remaining rules from the highest to the lowest priority.

        Evaluation stops when either one of the following conditions is met:

        • A rule that applies to the target resource matches the traffic.
        • No rules that apply to the target resource match the traffic.

      In a regional system firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

      • allow : the rule allows the traffic, and all rule evaluation stops.
      • deny : the rule denies the traffic, and all rule evaluation stops.
      • goto_next : the rule evaluation continues to
        • A regional system firewall policy with the next highest association priority, if it exists.
        • The next step in the evaluation order, if all regional system firewall policies have been evaluated.

      If no rule in a regional system firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to one of the following:

      • A regional system firewall policy with the next highest association priority, if it exists.
      • The next step in the evaluation order, if all regional system firewall policies have been evaluated.

    3. VPC firewall rules.

      When evaluating VPC firewall rules, Cloud NGFW performs the following steps:

      1. Disregard all rules whose targets don't match the target resource.
      2. Disregard all rules that don't match the packet's direction.
      3. Evaluate the remaining rules from the highest to the lowest priority.

        Evaluation stops when either one of the following conditions is met:

        • A rule that applies to the target resource matches the traffic.
        • No rules that apply to the target resource match the traffic.

      When one or two VPC firewall rules match traffic, the firewall rule's action on match can be one of the following:

      • allow : the rule allows the traffic, and all rule evaluation stops.
      • deny : the rule denies the traffic, and all rule evaluation stops.

      If two rules match, they must have the same priority but different actions. In this case, Cloud NGFW enforces the deny VPC firewall rule, and ignores the allow VPC firewall rule.

      If no VPC firewall rules match the traffic, Cloud NGFW uses an implied goto_next action to continue to the next step in the evaluation order.

    4. Global network firewall policy.

      When evaluating rules in a global network firewall policy, Cloud NGFW performs the following steps:

      1. Disregard all rules whose targets don't match the target resource.
      2. Disregard all rules that don't match the packet's direction.
      3. Evaluate the remaining rules from the highest to the lowest priority.

        Evaluation stops when either one of the following conditions is met:

        • A rule that applies to the target resource matches the traffic.
        • No rules that apply to the target resource match the traffic.

      In a global network firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

      • allow : the rule allows the traffic, and all rule evaluation stops.
      • deny : the rule denies the traffic, and all rule evaluation stops.
      • apply_security_profile_group : the rule forwards the traffic to a configured firewall endpoint , and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
      • goto_next : the rule evaluation continues to the regional network firewall policy step in the evaluation order.

      If no rule in a global network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to the regional network firewall policy step in the evaluation order.

    5. Regional network firewall policies.

      Cloud NGFW evaluates rules in regional network firewall policies that are associated with the region and VPC network of the target resource.

      When evaluating rules in a regional network firewall policy, Cloud NGFW performs the following steps:

      1. Disregard all rules whose targets don't match the target resource.
      2. Disregard all rules that don't match the packet's direction.
      3. Evaluate the remaining rules from the highest to the lowest priority.

        Evaluation stops when either one of the following conditions is met:

        • A rule that applies to the target resource matches the traffic.
        • No rules that apply to the target resource match the traffic.

      In a regional network firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

      • allow : the rule allows the traffic, and all rule evaluation stops.
      • deny : the rule denies the traffic, and all rule evaluation stops.
      • goto_next : the rule evaluation continues to the next step in the evaluation order.

      If no rule in a regional network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to the next step in the evaluation order.

    6. Last step— implied action.

      Cloud NGFW applies an implied action if firewall rule evaluation has continued through every previous step by following explicit or implicit goto_next actions. The implied action depends on the direction of the traffic:

      • For the ingress traffic, the implied action also depends on the target resource:

        • If the target resource is a network interface of a VM instance, the implied ingress action is deny .

        • If the target resource is a forwarding rule of an internal Application Load Balancer or internal proxy Network Load Balancer, the implied ingress is allow .

      • For the egress traffic, the implied action is allow .

    AFTER_CLASSIC_FIREWALL diagram

    The following diagram illustrates the AFTER_CLASSIC_FIREWALL network firewall policy enforcement order:

    Firewall rule resolution flow.
    Figure 1. Firewall rule resolution flow if the network firewall policy enforcement order is AFTER_CLASSIC_FIREWALL (click to enlarge).

    BEFORE_CLASSIC_FIREWALL network firewall policy enforcement order

    When the network firewall policy enforcement order is BEFORE_CLASSIC_FIREWALL , Cloud NGFW evaluates rules in global and regional network firewall policies before evaluating VPC firewall rules.

    In a regular VPC network that uses the BEFORE_CLASSIC_FIREWALL enforcement order, the complete firewall rule evaluation order is the following:

    1. Hierarchical firewall policies.

      Cloud NGFW evaluates hierarchical firewall policies in the following order:

      1. The hierarchical firewall policy associated with the organization that contains the target resource.
      2. Hierarchical firewall policies associated with folder ancestors, from the top-level folder down to the folder that contains the target resource's project.

      When evaluating rules in each hierarchical firewall policy, Cloud NGFW performs the following steps:

      1. Disregard all rules whose targets don't match the target resource.
      2. Disregard all rules that don't match the packet's direction.
      3. Evaluate the remaining rules from the highest to the lowest priority.

        Evaluation stops when either one of the following conditions is met:

        • A rule that applies to the target resource matches the traffic.
        • No rules that apply to the target resource match the traffic.

      In a hierarchical firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

      • allow : the rule allows the traffic, and all rule evaluation stops.
      • deny : the rule denies the traffic, and all rule evaluation stops.
      • apply_security_profile_group : the rule forwards the traffic to a configured firewall endpoint , and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
      • goto_next : the rule evaluation continues to one of the following:
        • A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
        • The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.

      If no rule in a hierarchical firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to one of the following:

      • A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
      • The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.

    2. Regional system firewall policies.

      When evaluating regional system firewall policy rules, Cloud NGFW performs the following steps:

      1. Disregard all rules whose targets don't match the target resource.
      2. Disregard all rules that don't match the packet's direction.
      3. Evaluate the remaining rules from the highest to the lowest priority.

        Evaluation stops when either one of the following conditions is met:

        • A rule that applies to the target resource matches the traffic.
        • No rules that apply to the target resource match the traffic.

      In a regional system firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

      • allow : the rule allows the traffic, and all rule evaluation stops.
      • deny : the rule denies the traffic, and all rule evaluation stops.
      • goto_next : the rule evaluation continues to
        • A regional system firewall policy with the next highest association priority, if it exists.
        • The next step in the evaluation order, if all regional system firewall policies have been evaluated.

      If no rule in a regional system firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to one of the following:

      • A regional system firewall policy with the next highest association priority, if it exists.
      • The next step in the evaluation order, if all regional system firewall policies have been evaluated.

    3. Global network firewall policy.

      When evaluating rules in a global network firewall policy, Cloud NGFW performs the following steps:

      1. Disregard all rules whose targets don't match the target resource.
      2. Disregard all rules that don't match the packet's direction.
      3. Evaluate the remaining rules from the highest to the lowest priority.

        Evaluation stops when either one of the following conditions is met:

        • A rule that applies to the target resource matches the traffic.
        • No rules that apply to the target resource match the traffic.

      In a global network firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

      • allow : the rule allows the traffic, and all rule evaluation stops.
      • deny : the rule denies the traffic, and all rule evaluation stops.
      • apply_security_profile_group : the rule forwards the traffic to a configured firewall endpoint , and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
      • goto_next : the rule evaluation continues to the regional network firewall policy step in the evaluation order.

      If no rule in a global network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to the regional network firewall policy step in the evaluation order.

    4. Regional network firewall policies.

      Cloud NGFW evaluates rules in regional network firewall policies that are associated with the region and VPC network of the target resource.

      When evaluating rules in a regional network firewall policy, Cloud NGFW performs the following steps:

      1. Disregard all rules whose targets don't match the target resource.
      2. Disregard all rules that don't match the packet's direction.
      3. Evaluate the remaining rules from the highest to the lowest priority.

        Evaluation stops when either one of the following conditions is met:

        • A rule that applies to the target resource matches the traffic.
        • No rules that apply to the target resource match the traffic.

      In a regional network firewall policy, at most, one rule can match traffic. The firewall rule's action on match can be one of the following:

      • allow : the rule allows the traffic, and all rule evaluation stops.
      • deny : the rule denies the traffic, and all rule evaluation stops.
      • goto_next : the rule evaluation continues to the next step in the evaluation order.

      If no rule in a regional network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to the next step in the evaluation order.

    5. VPC firewall rules.

      When evaluating VPC firewall rules, Cloud NGFW performs the following steps:

      1. Disregard all rules whose targets don't match the target resource.
      2. Disregard all rules that don't match the packet's direction.
      3. Evaluate the remaining rules from the highest to the lowest priority.

        Evaluation stops when either one of the following conditions is met:

        • A rule that applies to the target resource matches the traffic.
        • No rules that apply to the target resource match the traffic.

      When one or two VPC firewall rules match traffic, the firewall rule's action on match can be one of the following:

      • allow : the rule allows the traffic, and all rule evaluation stops.
      • deny : the rule denies the traffic, and all rule evaluation stops.

      If two rules match, they must have the same priority but different actions. In this case, Cloud NGFW enforces the deny VPC firewall rule, and ignores the allow VPC firewall rule.

      If no VPC firewall rules match the traffic, Cloud NGFW uses an implied goto_next action to continue to the next step in the evaluation order.

    6. Last step— implied action.

      Cloud NGFW applies an implied action if firewall rule evaluation has continued through every previous step by following explicit or implicit goto_next actions. The implied action depends on the direction of the traffic:

      • For the ingress traffic, the implied action also depends on the target resource:

        • If the target resource is a network interface of a VM instance, the implied ingress action is deny .

        • If the target resource is a forwarding rule of an internal Application Load Balancer or internal proxy Network Load Balancer, the implied ingress is allow .

      • For the egress traffic, the implied action is allow .

    BEFORE_CLASSIC_FIREWALL diagram

    The following diagram illustrates the BEFORE_CLASSIC_FIREWALL network firewall policy enforcement order:

    Firewall rule resolution flow.
    Figure 2. Firewall rule resolution flow if the network firewall policy enforcement order is BEFORE_CLASSIC_FIREWALL (click to enlarge).

    Effective firewall rules

    Hierarchical firewall policy rules, VPC firewall rules, and global and regional network firewall policy rules control connections. You might find it helpful to see all the firewall rules that affect an individual network or VM interface.

    Network effective firewall rules

    You can view all firewall rules applied to a VPC network . The list includes all of the following kinds of rules:

    • Rules inherited from hierarchical firewall policies
    • VPC firewall rules
    • Rules applied from the global and regional network firewall policies

    Instance effective firewall rules

    You can view all firewall rules applied to a VM's network interface . The list includes all of the following kinds of rules:

    • Rules inherited from hierarchical firewall policies
    • Rules applied from the interface's VPC firewall
    • Rules applied from the global and regional network firewall policies

    The rules are ordered from the organization level down to the VPC network. Only rules that apply to the VM interface are shown. Rules in other policies aren't shown.

    To view the effective firewall policy rules within a region, see Get effective regional firewall policies for a network .

    Predefined rules

    When you create a hierarchical firewall policy, a global network firewall policy, or a regional network firewall policy, Cloud NGFW adds predefined rules to the policy. The predefined rules that Cloud NGFW adds to the policy depend on how you create the policy.

    If you create a firewall policy using the Google Cloud console, Cloud NGFW adds the following rules to the new policy:

    1. Goto-next rules for private IPv4 ranges
    2. Predefined Google Threat Intelligence deny rules
    3. Predefined geolocation deny rules
    4. Lowest possible priority goto-next rules

    If you create a firewall policy using the Google Cloud CLI or the API, Cloud NGFW adds only the lowest possible priority goto-next rules to the policy.

    All predefined rules in a new firewall policy purposefully use low priorities (large priority numbers) so you can override them by creating rules with higher priorities. Except for the lowest possible priority goto-next rules , you can also customize the predefined rules.

    Goto-next rules for private IPv4 ranges

    • An egress rule with destination IPv4 ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 , priority 1000 , and goto_next action.

    • An ingress rule with source IPv4 ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 , priority 1001 , and goto_next action.

    Predefined Google Threat Intelligence deny rules

    • An ingress rule with source Google Threat Intelligence list iplist-tor-exit-nodes , priority 1002 , and deny action.

    • An ingress rule with source Google Threat Intelligence list iplist-known-malicious-ips , priority 1003 , and deny action.

    • An egress rule with destination Google Threat Intelligence list iplist-known-malicious-ips , priority 1004 , and deny action.

    To learn more about Google Threat Intelligence, see Google Threat Intelligence for firewall policy rules .

    Predefined geolocation deny rules

    • An ingress rule with source matching geolocations CU , IR , KP , SY , XC , and XD , priority 1005 , and deny action.

    To learn more about geolocations, see Geolocation objects .

    Lowest possible priority goto-next rules

    You cannot modify or delete the following rules:

    • An egress rule with destination IPv6 range ::/0 , priority 2147483644 , and goto_next action.

    • An ingress rule with source IPv6 range ::/0 , priority 2147483645 , and goto_next action.

    • An egress rule with destination IPv4 range 0.0.0.0/0 , priority 2147483646 , and goto_next action.

    • An ingress rule with source IPv4 range 0.0.0.0/0 , priority 2147483647 , and goto_next action.

    What's next
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: