Cloud NGFW for RoCE VPC networks (original) (raw)

Cloud Next Generation Firewall regional network firewall policies can be used by Virtual Private Cloud (VPC) networks that have an associated Remote Direct Memory Access (RDMA) over converged ethernet (RoCE) network profile. RoCE VPC networks are those that are created with an RDMA RoCE network profile.

RoCE VPC networks enable zonal workloads for high performance computing, including AI workloads in Google Cloud. This page describes key differences in Cloud NGFW support for RoCE VPC networks.

Specifications

The following firewall specifications apply to RoCE VPC networks:

• Supported RoCE VPC network type: Support for the Cloud NGFW features described on this page applies only to RoCE VPC networks for VM instances, which are created by using theroce network profile. These Cloud NGFW features aren't supported in RoCE VPC networks for bare metal instances, which are created by using the roce-metal network profile.
• Supported firewall rules and policies: RoCE VPC networks_only_ support firewall rules in regional network firewall policies. They don't support global network firewall policies, hierarchical firewall policies, or VPC firewall rules.
• Region and policy type: to use a regional network firewall policy with an RoCE VPC network, you must create the policy with the following attributes:
  • The region of the firewall policy must contain the zone used by the RoCE network profile of the RoCE VPC network.
  • You must set the firewall policy type of the firewall policy toRDMA_ROCE_POLICY.
    Consequently, a regional network firewall policy can only be used by RoCE VPC networks in a particular region. A regional network firewall policy can't be used by both RoCE VPC networks and regular VPC networks.
• RoCE firewall policy is stateless: RoCE firewall policy processes each packet as an independent unit and doesn't keep track of ongoing connections. Therefore, to ensure two virtual machines (VMs) can communicate, you must create an allow ingress rule in both directions.

Implied firewall rules

RoCE VPC networks use the following implied firewall rules, which are different from the implied firewall rules used by regular VPC networks:

• Implied allow egress
• Implied allow ingress

An RoCE VPC network without any rules in an associated regional network firewall policy allows all egress and ingress traffic. These implied firewall rules don't supportfirewall policy rules logging.

Rule specifications

Rules in a regional network firewall policy with the policy typeRDMA_ROCE_POLICY must meet the following requirements:

• Ingress direction only: the rule's direction must be ingress. You can't create egress firewall rules in a regional network firewall policy whose policy type is RDMA_ROCE_POLICY.
• Target parameter: target secure tags are supported, but target service accounts are not.
• Source parameter: only two of the followingsource parameter valuesare supported:
  • Source IP address ranges (src-ip-ranges) are supported, but the only valid value is 0.0.0.0/0.
  • Source secure tags (src-secure-tags) are fully supported. Using secure tags is the suggested way to segment workloads that are in the same RoCE VPC network.
    Source secure tags and source IP address ranges are mutually exclusive. For example, if you create a rule with src-ip-ranges=0.0.0.0/0, then you can't use source secure tags (src-secure-tags). Other source parameters that are part ofCloud NGFW Standard—source address groups, source domain names, source geolocations, source Google Threat Intelligence lists—aren't supported.
• Action parameter: both allow and deny actions are supported, with the following constraints:
  • An ingress rule with src-ip-ranges=0.0.0.0/0 can use either the ALLOWor DENY action.
  • An ingress rule with a source secure tag can only use the ALLOW action.
• Protocol and port parameters: the only supported protocol is all(--layer4-configs=all). Rules that apply to specific protocols or ports aren't allowed.

Monitoring and logging

Firewall policy rules loggingis supported with the following constraints:

• Logs for ingress allow firewall rules are published once per tunnel establishment and provide 2-tuple packet information.
• Logs for ingress deny firewall rules are published as sampled packets and provide 5-tuple packet information. Logs are published at a maximum rate of once every 5 seconds, and all firewall logs are limited to 4,000 packets per 5 seconds.

Unsupported features

The following features are unsupported:

• Security profiles andfirewall endpoints
• Mirroring rules

Configure RoCE VPC networks

To create firewall rules for an RoCE VPC network, use these guidelines and resources:

• The rules in a regional network firewall policy that an RoCE VPC network uses depend on target and source secure tags. Therefore, ensure that you are familiar withcreate and manage secure tags andbind secure tags to VM instances.
• To create RoCE VPC networks and regional network firewall policies for RoCE VPC networks, seeCreate and manage firewall rules for RoCE VPC networks.
• To control ingress traffic and segment your workloads when you create ingress rules in a regional network firewall policy, use the following steps:
  • Create an ingress deny firewall rule that specifiessrc-ip-ranges=0.0.0.0/0 and applies to all VMs in the RoCE VPC network.
  • Create higher-priority ingress allow firewall rules that specify target secure tags and source secure tags.
• To determine which firewall rules apply to a VM network interface or to view firewall rule logs, seeGet effective firewall rules for a VM interfaceand Use VPC firewall rules logging.

What's next

• RDMA RoCE network profile
• Create and manage firewall rules for RoCE VPC networks