Firewall endpoint overview (original) (raw)

Firewall endpoint is a Cloud Next Generation Firewall resource that enables Layer 7 advanced protection capabilities, such as the URL filtering service and the intrusion detection and prevention service, in your network.

This page provides a detailed overview of firewall endpoints and their capabilities.

Specifications

A firewall endpoint is a zonal resource that you can configure at the organization level or the project level.
- Organization-level firewall endpoints: organization administrators create and manage these endpoints to manage security centrally across your organization.
- Project-level firewall endpoints (Preview): project administrators create and manage these endpoints within a project. You can associate any VPC network in the organization with a project-level endpoint. Create project-level firewall endpoints if you can't obtain organization-level permissions to create organization-level firewall endpoints.
Firewall endpoints perform Layer 7 firewall inspection on the intercepted traffic.
Cloud Next Generation Firewall uses Google Cloud's packet intercept technology to transparently redirect traffic from the Google Cloud workloads in a Virtual Private Cloud (VPC) network to the firewall endpoints.
Packet intercept is a Google Cloud capability that transparently inserts network appliances in the path of selected network traffic without modifying their existing routing policies.
Cloud NGFW redirects the workload traffic in a VPC network to the firewall endpoint only if the Layer 7 inspection is configured to be applied to this flow.
Cloud NGFW adds a VPC network identifier to each packet redirected to the firewall endpoint for Layer 7 inspection. If you have multiple VPC networks with overlapping IP address ranges, this network identifier helps to ensure that each redirected packet is correctly associated with its VPC network.
You can create a firewall endpoint in a zone and attach it to one or more VPC networks to monitor workloads in the same zone. If your VPC network spans multiple zones, you can attach one firewall endpoint in each zone. If you don't attach a firewall endpoint to a VPC network in a specific zone, no Layer 7 inspection is performed on the workload traffic for that zone.
You use firewall endpoint associationto attach a firewall endpoint to a VPC network.
The endpoint and the workloads for which you want to enable Layer 7 inspection must be in the same zone. Creating the firewall endpoint in the same zone as workloads has the following benefits:
- Lower latency. Because firewall endpoints can intercept, inspect, and reinject the traffic back into the network, latency is lower than that of firewall endpoints in different zones.
- No cross-zonal traffic. Keeping traffic within the same zone ensures lower costs.
- More reliable traffic. Keeping traffic within the same zone removes the risk of cross-zonal outages.
Firewall endpoints can process up to 2 Gbps of traffic with Transport Layer Security (TLS) inspection, and 10 Gbps of traffic without TLS inspection. Excessive traffic can overload the endpoint and cause packet losses. To monitor the firewall endpoint's capacity utilization, seefirewall_endpoint network security metrics.
Because the endpoint does not forward unapproved messages, an overloaded endpoint might drop legitimate traffic if it cannot inspect the traffic.
Firewall endpoints can have a per-connection throughput maximum of 250 Mbps of traffic with TLS inspection and 1.25 Gbps of traffic without TLS inspection.
You can create a firewall endpoint that processes jumbo frames up to 8,588 bytes in size. Alternatively, you can create an endpoint without jumbo frame support. For more information, seeSupported packet size.
You can delete a firewall endpoint only when there are no VPC networks associated with it.
Google manages the infrastructure, load balancing, autoscaling, and lifecycle of the firewall endpoints. When you create a firewall endpoint, Google provides a set of dedicated virtual machine (VM) instances, which ensures reliability, performance, and security isolation for your traffic, along with certificate management.
Google provides high availability by using proper failover mechanisms for the firewall endpoints, which ensures reliable firewall protection for all VM instances covered within the attached VPC network.

Firewall endpoint associations

Firewall endpoint association links a firewall endpoint to a VPC network in the same zone. After you define this association, Cloud NGFW forwards the zonal workload traffic in your VPC network that requires Layer 7 inspection to the attached firewall endpoint.

You can associate a VPC network with an organization-level or a project-level firewall endpoint (Preview). To associate a VPC network, consider the following:

Cross-project association: if the endpoint and VPC network are in different projects, both projects must belong to the same organization.
Zonal limit: associate a VPC network with only one firewall endpoint per zone. This limit includes both organization-level and project-level endpoints.

Traffic interception by project-level firewall endpoints

To intercept and inspect traffic by using a project-level firewall endpoint, ensure that the following requirements are met:

A VPC network in the VM instance's zone is associated with the target firewall endpoint.
The traffic matches a firewall policy rule with theapply_security_profile_group action.
The security profile group exists in the same project as the firewall endpoint.

Supported packet size

A firewall endpoint either supports or doesn't support jumbo frames.

A firewall endpoint with jumbo frame support can accept packets up to 8,588 bytes.
Cloud NGFW reserves an additional 308 bytes forGENEVE encapsulation(needed for data inspection) and for other extensions. Therefore, the total packet size of 8,896 bytes matches the highest possible maximum transmission unit (MTU) that Google Cloud supports.
A firewall endpoint without jumbo frame support can accept packets up to 1,460 bytes.

To perform Layer 7 inspection successfully,configure the VPC networksassociated with the endpoint to follow these MTU limits:

For an endpoint with jumbo frame support, make sure the VPC networks use an MTU of 8,588 bytes or less.
For an endpoint without jumbo frame support, make sure the VPC networks use an MTU of 1,460 bytes or less.

You can create a firewall endpoint with or without jumbo frame support. However, you cannot reconfigure an existing endpoint to either add or remove jumbo frame support. To add or remove jumbo frame support, delete the endpoint and recreate it. For more information, seeCreate a firewall endpoint.

Identity and Access Management roles

Identity and Access Management (IAM) roles govern the following actions for managing the firewall endpoints:

Creating a firewall endpoint in an organization or a project
Modifying or deleting a firewall endpoint in an organization or a project
Viewing details of a firewall endpoint in an organization or a project
Viewing all the firewall endpoints configured in an organization or a project

To manage organization-level endpoints, you must have the Firewall Endpoint Admin role (roles/networksecurity.firewallEndpointAdmin)granted at the organization level. To manage project-level endpoints, you must have the Firewall Endpoint Admin role (roles/networksecurity.firewallEndpointAdmin)granted at the project level (Preview) or its parent organization.

The following table describes the roles that are necessary for each step.

Ability	Necessary role
Create a new firewall endpoint	Any of the following roles on the organization or the project where the firewall endpoint exists: Compute Network Admin (roles/compute.networkAdmin) Firewall Endpoint Admin (roles/networksecurity.firewallEndpointAdmin) at the organization level for organization-level firewall endpoints, and at either the project (Preview) or organization level for firewall endpoints.
Modify an existing firewall endpoint	Any of the following roles on the organization or the project where the firewall endpoint is created: Compute Network Admin (roles/compute.networkAdmin) Firewall Endpoint Admin (roles/networksecurity.firewallEndpointAdmin) at the organization level for organization-level firewall endpoints, and at either the project (Preview) or organization level for firewall endpoints.
View details about the firewall endpoint	Any of the following roles on the organization or the project where the firewall endpoint exists: Compute Network Admin (roles/compute.networkAdmin) Compute Network User (roles/compute.networkUser) Compute Network Viewer (roles/compute.networkViewer) Firewall Endpoint Admin (roles/networksecurity.firewallEndpointAdmin) at the organization level for organization-level firewall endpoints, and at either the project (Preview) or organization level for firewall endpoints.
View all the firewall endpoints	Any of the following roles on the organization or the project where the firewall endpoint exists: Compute Network Admin (roles/compute.networkAdmin) Compute Network User (roles/compute.networkUser) Compute Network Viewer (roles/compute.networkViewer) Firewall Endpoint Admin (roles/networksecurity.firewallEndpointAdmin) at the organization level for organization-level firewall endpoints, and at either the project (Preview) or organization level for firewall endpoints.

IAM roles govern the following actions for the firewall endpoint associations:

Creating a firewall endpoint association in a project
Modifying or deleting a firewall endpoint association
Viewing details of a firewall endpoint association
Viewing all the firewall endpoint associations configured in a project