Manage regional network firewall policies
To control network traffic within specific regions, use regional network firewall policies and their rules. This page shows how to describe, update, list, and delete regional network firewall policies, delete their network associations, clone, describe, update, and delete their rules, and view the effective firewall rules for a region of a VPC network.
Before you read this page, ensure you are familiar with the concepts described in Regional network firewall policies.
Firewall policy tasks
This section describes how to manage regional network firewall policies.
Describe a regional network firewall policy
You can view details about a regional network firewall policy, including the policy rules and their rule attributes. All of these rule attributes count against the rule attribute quota; for more information, see "Rule attributes per regional network firewall policy" in the Per firewall policy quota table. The ruleTupleCount fields in the describe output (one per rule and one for the policy) show how many attributes each rule and the policy as a whole consume. You can also view the priorities of the existing VPC network associations.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles.
Permissions
compute.regionFirewallPolicies.get
Roles
- Compute Network Admin (roles/compute.networkAdmin) on the firewall policy or project containing the firewall policy, or
- Compute Security Admin (roles/compute.securityAdmin) on the firewall policy or project containing the firewall policy
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the regional network firewall policy.
- Click your policy.
gcloud
gcloud compute network-firewall-policies describe POLICY_NAME \
    --region=REGION_NAME
Replace the following:
- POLICY_NAME: the name of the regional network firewall policy.
- REGION_NAME: the region of the regional network firewall policy.
Add --format=json to get the full policy resource, including its rules, as JSON that you can process with other tools.
Update a regional network firewall policy description
The only policy field that can be updated is the Description field.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles.
Permissions
compute.regionFirewallPolicies.update
Roles
- Compute Security Admin (roles/compute.securityAdmin) on the firewall policy or project containing the firewall policy
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the regional network firewall policy.
- Click your policy.
- Click Edit.
- In the Description field, modify the description.
- Click Save.
gcloud
gcloud compute network-firewall-policies update POLICY_NAME \
    --description=DESCRIPTION \
    --region=REGION_NAME
Replace the following:
- POLICY_NAME: the name of the regional network firewall policy.
- DESCRIPTION: the new description.
- REGION_NAME: the region of the regional network firewall policy.
List regional network firewall policies
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles.
Permissions
compute.regionFirewallPolicies.list
Roles
- Compute Network Admin (roles/compute.networkAdmin) on the firewall policy or project containing the firewall policy, or
- Compute Security Admin (roles/compute.securityAdmin) on the firewall policy or project containing the firewall policy
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the policy.
The Network firewall policies section shows the policies available in your project.
gcloud
gcloud compute network-firewall-policies list \
    --regions=LIST_OF_REGIONS
Replace LIST_OF_REGIONS with a comma-separated list of regions for which you want to list the policies.
Delete the network association
To stop enforcement of a firewall policy on a network, delete the association.
However, if you intend to swap one firewall policy for another, don't delete the existing association first: doing so leaves a window in which neither policy is enforced. Instead, replace the existing policy when you associate the new one (the associations create command's --replace-association-on-target flag does the swap in one step).
To delete an association between a regional network firewall policy and a region of a VPC network, follow the steps mentioned in this section. Rules in the regional network firewall policy don't apply to new connections after its association is deleted.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles.
Permissions
compute.regionFirewallPolicies.use
Roles
- Compute Security Admin (roles/compute.securityAdmin) on the project containing the network
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the policy.
- Click your policy.
- Click the Associations tab.
- Select the association that you want to delete.
- Click Remove association.
gcloud
gcloud compute network-firewall-policies associations delete \
    --name=ASSOCIATION_NAME \
    --firewall-policy=POLICY_NAME \
    --firewall-policy-region=POLICY_REGION
Replace the following:
- ASSOCIATION_NAME: the name of the association to delete.
- POLICY_NAME: the name of the regional network firewall policy.
- POLICY_REGION: the region of the regional network firewall policy.
Delete a regional network firewall policy
Before you can delete a regional network firewall policy, you must delete all of its associations.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles.
Permissions
compute.regionFirewallPolicies.delete
Roles
- Compute Security Admin (roles/compute.securityAdmin) on the firewall policy or project containing the firewall policy
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the policy.
- Click the policy that you want to delete.
- Click the Associations tab.
- Select all associations.
- Click Remove association.
- After all associations are removed, click Delete.
gcloud
Use the following command to delete the policy:
gcloud compute network-firewall-policies delete POLICY_NAME \
    --region=REGION_NAME
Replace the following:
- POLICY_NAME: the name of the regional network firewall policy.
- REGION_NAME: the region of the regional network firewall policy.
Firewall policy rule tasks
This section describes how to manage regional network firewall policy rules.
Clone rules from one policy to another
Cloning copies all rules from a source policy into a target policy and replaces every rule that the target policy already has. Review the target's existing rules before you clone: a rule that exists only in the target, including any deny rule, is gone after the clone.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles.
Permissions
compute.regionFirewallPolicies.cloneRules
Roles
- Compute Security Admin (roles/compute.securityAdmin) on the firewall policy or project containing the firewall policy
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the policy.
- Click the policy that you want to copy rules from.
- Click Clone at the top of the screen.
- Provide the name of a target policy.
- If you want to associate the new policy immediately, click Continue > Associate.
- In the Associate policy with VPC networks page, select the networks and click Associate.
- Click Continue.
- Click Clone.
gcloud
gcloud compute network-firewall-policies clone-rules TARGET_POLICY \
    --region=TARGET_POLICY_REGION \
    --source-firewall-policy=SOURCE_POLICY
Replace the following:
- TARGET_POLICY: the name of the target policy.
- TARGET_POLICY_REGION: the region of the target policy.
- SOURCE_POLICY: the URL of the source policy.
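Because clone-rules replaces the target's rules wholesale, it is worth previewing what the clone will do before running it. The following Python is an added example, not code from this page or from gcloud: it takes the rules lists from gcloud compute network-firewall-policies describe POLICY --region=REGION --format=json for the source and the target policy, classifies each priority as removed, added, changed, or unchanged, and flags the target's deny rules that the clone would drop or alter. The sample rules are constructed for the example, and the choice of which fields count as behaviour-defining (_BEHAVIOUR_FIELDS) is the example's own.

```python
"""Preview the effect of `clone-rules` before running it. Input: the "rules"
lists from `gcloud compute network-firewall-policies describe POLICY
--region=REGION --format=json` for the source and the target policy."""
import json

# Fields that define what a rule does. Server-managed fields (kind, selfLink,
# ruleTupleCount) and the free-text description are ignored when comparing;
# this choice of fields is the example's own assumption.
_BEHAVIOUR_FIELDS = ("direction", "action", "match", "disabled", "enableLogging",
                     "targetServiceAccounts", "targetSecureTags")


def fingerprint(rule: dict) -> str:
    """Canonical JSON of the behaviour-defining fields of one rule."""
    return json.dumps({k: rule[k] for k in _BEHAVIOUR_FIELDS if k in rule}, sort_keys=True)


def clone_impact(source_rules: list[dict], target_rules: list[dict]) -> dict[str, list[int]]:
    """Classify rule priorities by what cloning source over target does to them.
    Rules are keyed by priority because a priority is unique within a policy."""
    src = {r["priority"]: r for r in source_rules}
    tgt = {r["priority"]: r for r in target_rules}
    return {
        # Only in the target: these rules no longer exist once the clone runs.
        "removed": sorted(p for p in tgt if p not in src),
        "added": sorted(p for p in src if p not in tgt),
        "changed": sorted(p for p in src if p in tgt and fingerprint(src[p]) != fingerprint(tgt[p])),
        "unchanged": sorted(p for p in src if p in tgt and fingerprint(src[p]) == fingerprint(tgt[p])),
    }


def at_risk_denies(source_rules: list[dict], target_rules: list[dict]) -> list[int]:
    """Target deny rules that do not survive the clone unchanged. A clone can
    silently widen access, so these are the ones to review before running it."""
    impact = clone_impact(source_rules, target_rules)
    tgt = {r["priority"]: r for r in target_rules}
    return sorted(p for p in impact["removed"] + impact["changed"] if tgt[p].get("action") == "deny")


def _ingress(priority, action, src_ranges, proto, ports=None):
    """Build a rule in FirewallPolicyRule shape (sample-data helper)."""
    cfg = {"ipProtocol": proto, **({"ports": ports} if ports else {})}
    return {"priority": priority, "direction": "INGRESS", "action": action,
            "match": {"srcIpRanges": src_ranges, "layer4Configs": [cfg]}}


# Constructed sample rules (not from a real project).
SOURCE_RULES = [
    _ingress(1000, "allow", ["10.0.0.0/8"], "tcp", ["22"]),
    _ingress(2000, "deny", ["0.0.0.0/0"], "all"),
    _ingress(3000, "allow", ["0.0.0.0/0"], "tcp", ["443"]),
]
TARGET_RULES = [
    _ingress(1000, "allow", ["10.0.0.0/8"], "tcp", ["22"]),    # identical to source
    _ingress(1500, "deny", ["198.51.100.0/24"], "all"),        # exists only in target
    _ingress(2000, "deny", ["0.0.0.0/0"], "tcp", ["3389"]),    # same priority, different match
]

if __name__ == "__main__":
    print(json.dumps(clone_impact(SOURCE_RULES, TARGET_RULES), indent=2))
    print("deny rules to review:", at_risk_denies(SOURCE_RULES, TARGET_RULES))
```

With the sample data, priority 1500 (a deny that exists only in the target) is reported as removed and priority 2000 as changed; both show up as denies to review. In practice, load the two JSON documents and pass their "rules" lists to clone_impact.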
Describe a rule
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles.
Permissions
compute.regionFirewallPolicies.get
Roles
- Compute Network Admin (roles/compute.networkAdmin) on the firewall policy or project containing the firewall policy, or
- Compute Security Admin (roles/compute.securityAdmin) on the firewall policy or project containing the firewall policy
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the policy.
- Click your policy.
- Click the priority of the rule.
gcloud
gcloud compute network-firewall-policies rules describe PRIORITY \
    --firewall-policy=POLICY_NAME \
    --firewall-policy-region=POLICY_REGION
Replace the following:
- PRIORITY: the priority number that uniquely identifies the rule.
- POLICY_NAME: the name of the policy that contains the rule.
- POLICY_REGION: the region of the policy that contains the rule.
Update a rule
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles.
Permissions
compute.regionFirewallPolicies.get
compute.regionFirewallPolicies.update
Roles
- Compute Security Admin (roles/compute.securityAdmin) on the firewall policy or project containing the firewall policy
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the regional network firewall policy.
- Click the name of the regional network firewall policy that contains the rule to update.
- Click the priority of the rule.
- Click Edit.
- Modify the firewall rule fields that you want to change. For a description of each field, see the rule creation pages listed under gcloud.
- Click Save.
gcloud
gcloud compute network-firewall-policies rules update PRIORITY \
    --firewall-policy=POLICY_NAME \
    --firewall-policy-region=POLICY_REGION \
    [...other flags that you want to modify...]
Replace the following:
- PRIORITY: the priority number that uniquely identifies the rule.
- POLICY_NAME: the name of the policy that contains the rule.
- POLICY_REGION: the region of the policy that contains the rule.
Supply the flags that you want to modify. For flag descriptions, see one of the following:
- Create an ingress rule for VM targets
- Create an ingress rule for internal Application Load Balancer and internal proxy Network Load Balancer targets
- Create an egress rule for VM targets
Delete a rule
Deleting a rule from a policy causes the rule to no longer apply to new connections to or from the rule's target.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles.
Permissions
compute.regionFirewallPolicies.update
Roles
- Compute Security Admin (roles/compute.securityAdmin) on the firewall policy or project containing the firewall policy
Console
- In the Google Cloud console, go to the Firewall policies page.
- In the project selector menu, select your project that contains the policy.
- Click your policy.
- Select the rule that you want to delete.
- Click Delete.
gcloud
gcloud compute network-firewall-policies rules delete PRIORITY \
    --firewall-policy=POLICY_NAME \
    --firewall-policy-region=POLICY_REGION
Replace the following:
- PRIORITY: the priority number that uniquely identifies the rule.
- POLICY_NAME: the name of the policy that contains the rule.
- POLICY_REGION: the region of the policy that contains the rule.
Get effective firewall rules for a region of a network
You can view all hierarchical firewall policy rules, VPC firewall rules, global network firewall policy rules, and regional network firewall policy rules that apply to a specific region of a VPC network.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles.
Permissions
compute.networks.getEffectiveFirewalls
compute.networks.getRegionEffectiveFirewalls
Roles
- Compute Network User (roles/compute.networkUser) on the project containing the network, or
- Compute Network Viewer (roles/compute.networkViewer) on the project containing the network, or
- Compute Security Admin (roles/compute.securityAdmin) on the project containing the network, or
- Compute Viewer (roles/compute.viewer) on the project containing the network
gcloud
gcloud compute network-firewall-policies get-effective-firewalls \
    --region=REGION_NAME \
    --network=NETWORK_NAME
Replace the following:
- REGION_NAME: the region for which you want to view the effective rules.
- NETWORK_NAME: the network for which you want to view the effective rules.
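The effective rule list is only useful when you read it in evaluation order, and the question a practitioner usually has is "which rule decides this connection?". The following Python is an added example, not code from this page or from gcloud: it walks a chain of firewall policies, each given as the rules list from a describe --format=json output, in the order you supply them (by default, hierarchical, then global network, then regional network policies; VPC firewall rules use a different JSON shape and are not modelled here, so the chain ends at the implied rules). It applies the documented semantics: lower priority number first, first match decides, goto_next hands off to the next policy, disabled rules are skipped, and an unmatched connection falls through to the implied deny for ingress and allow for egress. Target service accounts and secure tags are ignored, which is an assumption of the example, and the sample policies are constructed.

```python
"""Work out which rule decides a connection when several firewall policies
apply to a region of a network. Rules are in the FirewallPolicyRule JSON shape
that `gcloud compute network-firewall-policies describe ... --format=json`
returns under "rules"."""
import ipaddress
from typing import Iterable, Optional

# Implied VPC firewall rules: unmatched ingress is denied, unmatched egress allowed.
IMPLIED_DEFAULT = {"INGRESS": "deny", "EGRESS": "allow"}


def _port_matches(port: Optional[int], specs: list[str]) -> bool:
    """specs use the "22" / "8000-8080" forms; an empty list means any port."""
    if not specs:
        return True
    if port is None:
        return False
    for spec in specs:
        lo, _, hi = spec.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _ip_in_ranges(ip: str, ranges: list[str]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def rule_matches(rule: dict, direction: str, remote_ip: str,
                 protocol: str, port: Optional[int]) -> bool:
    """True if an enabled rule of the given direction matches the connection.
    Assumption of this example: targetServiceAccounts / targetSecureTags are
    ignored, so every rule is treated as applying to the instance in question."""
    if rule.get("disabled") or rule.get("direction") != direction:
        return False
    match = rule.get("match", {})
    # Ingress rules classify on source address, egress rules on destination.
    key = "srcIpRanges" if direction == "INGRESS" else "destIpRanges"
    if match.get(key) and not _ip_in_ranges(remote_ip, match[key]):
        return False
    for cfg in match.get("layer4Configs", [{"ipProtocol": "all"}]):
        proto = cfg.get("ipProtocol", "all").lower()
        if proto in ("all", protocol.lower()) and _port_matches(port, cfg.get("ports", [])):
            return True
    return False


def evaluate(chain: Iterable[tuple[str, list[dict]]], direction: str, remote_ip: str,
             protocol: str, port: Optional[int] = None) -> tuple[Optional[str], Optional[int], str]:
    """chain: (policy_name, rules) pairs in enforcement order. Returns
    (policy_name, priority, action) of the deciding rule, or
    (None, None, implied_action) when no policy decides."""
    for name, rules in chain:
        # Lowest priority number is evaluated first; the first match decides.
        for rule in sorted(rules, key=lambda r: r["priority"]):
            if not rule_matches(rule, direction, remote_ip, protocol, port):
                continue
            if rule["action"] == "goto_next":
                break  # explicit hand-off to the next policy in the chain
            return name, rule["priority"], rule["action"]
        # No match in this policy behaves like an implied goto_next.
    return None, None, IMPLIED_DEFAULT[direction]


def _rule(priority, action, ranges, proto, ports=None, disabled=False):
    """Build an ingress rule in FirewallPolicyRule shape (sample-data helper)."""
    cfg = {"ipProtocol": proto, **({"ports": ports} if ports else {})}
    return {"priority": priority, "direction": "INGRESS", "action": action,
            "disabled": disabled, "match": {"srcIpRanges": ranges, "layer4Configs": [cfg]}}


# Constructed sample chain (not from a real project): a hierarchical policy
# followed by a regional network firewall policy.
HIERARCHICAL = [
    _rule(100, "deny", ["198.51.100.0/24"], "all"),
    _rule(1000, "goto_next", ["0.0.0.0/0"], "all"),
]
REGIONAL = [
    _rule(10, "deny", ["0.0.0.0/0"], "all", disabled=True),   # disabled: skipped
    _rule(500, "allow", ["0.0.0.0/0"], "tcp", ["443"]),
    _rule(1000, "allow", ["10.0.0.0/8"], "tcp", ["22", "8000-8080"]),
    _rule(2000, "deny", ["0.0.0.0/0"], "all"),
]
CHAIN = [("hierarchical-policy", HIERARCHICAL), ("regional-policy", REGIONAL)]

if __name__ == "__main__":
    for conn in [("INGRESS", "10.1.2.3", "tcp", 22),
                 ("INGRESS", "198.51.100.7", "tcp", 22),
                 ("INGRESS", "203.0.113.5", "tcp", 22),
                 ("EGRESS", "203.0.113.5", "tcp", 443)]:
        print(conn, "->", evaluate(CHAIN, *conn))
```

Two points the sample chain illustrates: the hierarchical deny at priority 100 wins for 198.51.100.7 even though the regional policy would otherwise allow SSH, and a disabled rule at priority 10 has no effect however low its number. If your network uses a non-default firewall policy enforcement order, build the chain in that order rather than the default one.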