Firewall policies and rules

A firewall rule in Cloud Next Generation Firewall determines whether to allow or deny traffic within a Virtual Private Cloud (VPC) network based on defined criteria. A Cloud NGFW firewall policy lets you group several firewall rules so that you can update them all at once, effectively controlled by Identity and Access Management (IAM) roles.

This document provides an overview of the different types of firewall policies and firewall policy rules.

Cloud NGFW supports the following types of firewall policies:

Hierarchical firewall policies

Hierarchical firewall policies let you group rules into a policy object that can apply to many VPC networks in one or more projects. You can associate hierarchical firewall policies with an entire organization or with individual folders.

For hierarchical firewall policy specifications and details, see Hierarchical firewall policies.

Global network firewall policies

Global network firewall policies let you group rules into a policy object that can apply to all regions of a VPC network.

For global network firewall policy specifications and details, see Global network firewall policies.

Regional network firewall policies

Regional network firewall policies let you group rules into a policy object that can apply to a specific region of a VPC network.

For regional network firewall policy specifications and details, see Regional network firewall policies.

Regional system firewall policies

Regional system firewall policies are similar to regional network firewall policies, but they are managed by Google. Regional system firewall policies have the following characteristics:

Network profile interaction

Regular VPC networks support firewall rules in hierarchical firewall policies, global network firewall policies, regional network firewall policies, and VPC firewall rules. All firewall rules are programmed as part of the Andromeda network virtualization stack.

VPC networks that use certain network profiles restrict the firewall policies and rule attributes that you can use. For RoCE VPC networks, see Cloud NGFW for RoCE VPC networks instead of this page.

Firewall policy rules

In Google Cloud, a firewall policy rule has a direction that determines whether it controls traffic coming into your network or traffic leaving it. Each firewall policy rule applies to either incoming (ingress) or outgoing (egress) connections.

Ingress rules

Ingress direction refers to the incoming connections sent from specific sources to Google Cloud targets. Ingress rules apply to inbound packets that arrive on the following types of targets:

An ingress rule with a deny action protects targets by blocking incoming connections to them. If a rule with a higher priority allows traffic, the firewall permits it and ignores any lower priority rules that might deny that same traffic. Remember, higher priority rules always take precedence.

An automatically created default network includes some pre-populated VPC firewall rules, which allow ingress for certain types of traffic.

Egress rules

Egress direction refers to the outbound traffic sent from a target Google Cloud resource, such as a VM network interface, to a destination.

An egress rule with an allow action lets an instance send traffic to the destinations specified in the rule. Egress traffic is blocked if it matches a high priority deny rule. This action takes precedence over any lower priority rules that might allow the traffic. Google Cloud also blocks or limits certain kinds of traffic.
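The precedence behaviour described in the ingress and egress sections above (a higher-priority allow overriding a lower-priority deny, and a higher-priority deny overriding a lower-priority allow) can be modelled as priority-ordered, first-match evaluation. The following is an added example, not Google Cloud code; the rule set is constructed, and the fallback to the implied VPC defaults (deny ingress, allow egress) when no rule matches is an assumption stated in the code:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    priority: int      # 0-65535; a lower number means a higher priority
    direction: str     # "INGRESS" or "EGRESS"
    action: str        # "allow" or "deny"
    ip_range: str      # source range for ingress, destination range for egress
    ports: frozenset   # TCP ports the rule matches; empty means all ports


def matches(rule: Rule, direction: str, remote_ip: str, port: int) -> bool:
    """A rule matches when direction, remote address and port all fit."""
    if rule.direction != direction:
        return False
    if ip_address(remote_ip) not in ip_network(rule.ip_range):
        return False
    return not rule.ports or port in rule.ports


def evaluate(rules, direction: str, remote_ip: str, port: int) -> str:
    """Return the action of the highest-priority matching rule.

    Rules are tried from the lowest priority number upward and the first
    match wins, so lower-priority rules that would decide differently are
    never consulted. If nothing matches, the implied VPC defaults (assumed
    here as the fallback) apply: deny ingress, allow egress.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, direction, remote_ip, port):
            return rule.action
    return "deny" if direction == "INGRESS" else "allow"


# Constructed sample policy covering the two precedence cases in the text.
SAMPLE_RULES = [
    Rule(1000, "INGRESS", "allow", "10.0.0.0/8", frozenset({22})),  # admin SSH
    Rule(2000, "INGRESS", "deny", "0.0.0.0/0", frozenset({22})),    # SSH from anywhere
    Rule(100, "EGRESS", "deny", "203.0.113.0/24", frozenset()),     # blocked range
    Rule(5000, "EGRESS", "allow", "0.0.0.0/0", frozenset({443})),   # HTTPS out
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, "INGRESS", "10.1.2.3", 22))      # allow
    print(evaluate(SAMPLE_RULES, "INGRESS", "198.51.100.7", 22))  # deny
    print(evaluate(SAMPLE_RULES, "EGRESS", "203.0.113.9", 443))   # deny
```

The second ingress query shows why the order of evaluation matters: the priority 2000 deny would also match the admin range, but it is never reached for a source inside 10.0.0.0/8 because the priority 1000 allow decides first.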
