Cloud NGFW tiers (original) (raw)
Cloud Next Generation Firewall features are available in three tiers: Essentials, Standard, and Enterprise. These tiers group specific Cloud NGFW capabilities by their pricing.
You don't choose or subscribe to a Cloud NGFW tier. Instead, you enable the features that you need in your firewall rules, and Google Cloud charges you based on the tiers of features you use. You incur charges for a higher tier only when network traffic is evaluated against a rule that uses features from that tier. For more information, see Cloud NGFW pricing.
This document provides an overview of Cloud NGFW tiers and their features.
Cloud NGFW tiers and features
The Cloud NGFW tier system is designed to give you granular control over your security spending. You can apply firewall capabilities from any tier to hierarchical firewall policies, global network firewall policies, and regional network firewall policies.
Cloud NGFW Essentials
Cloud NGFW Essentials provides foundational features, including baseline security and internal segmentation.
Cloud NGFW Essentials includes the following features:
- Secure tags provide micro-segmentation and fine-grained control of your Google Cloud resources. Secure tags are managed centrally with unique IDs and strict IAM control. You can reference these secure tags in firewall rules for tighter, uniform access control across your regions, network, and hierarchy.
- Address groups combine multiple IP addresses and IP ranges into a single named logical unit. You can use the same address group in multiple firewall rules to define ingress sources or egress destinations.
- VPC firewall rules can use network tags and service accounts filter incoming and outgoing traffic at the network level.
Cloud NGFW Standard
Cloud NGFW Standard tier provides advanced features, such as fully qualified domain name (FQDN) objects and threat intelligence. For the Standard tier, you are only charged for north-south traffic (traffic between VM instances and Internet) for the traffic that is evaluated by the Standard tier features.
Cloud NGFW Standard includes the following features:
- Fully qualified domain name (FQDN) objectslet you define ingress sources or egress destinations using domain names instead of IP addresses.
- Geolocation objects let you define ingress sources or egress destinations using the geolocation of an IP address.
- Google Threat Intelligence let you secure your network by allowing or blocking traffic based on Google Threat Intelligence data lists. Google Threat Intelligence lists are Google-maintained collections of IP addresses belonging to threat actors or systems.
Cloud NGFW Enterprise
Cloud NGFW Enterprise includes the most advanced features of Cloud NGFW. For the Enterprise tier, you are charged for both north-south traffic (traffic between VM instances and Internet) and east-west traffic (traffic among resources within a VPC network).
When a connection is evaluated by a firewall policy rule containing Cloud NGFW Enterprise features, you incur additional charges based on the following components:
- An hourly charge for each deployed firewall endpoint.
- A per-gigabyte charge for the traffic that is inspected.
Cloud NGFW Enterprise includes the following features:
- Signature-based intrusion detection and prevention servicewith Transport Layer Security (TLS)interception and decryption, which provides threat detection and prevention from malware, spyware, and command-and-control attacks on your network.
- URL filtering service with Transport Layer Security (TLS) inspection, which lets you control access to websites and webpages by blocking or allowing their URLs. While FQDN filtering only sees the resolved IP address at the network layer, URL filtering operates at the application layer to inspect the full URL path. This lets you block or allow access to specific websites and individual sub-pages, rather than just the entire domain.
Feature categorization by tier
The following table summarises Cloud NGFW features and their billing tier.
| Feature | Tier |
|---|---|
| Stateful inspection | Essentials |
| Secure tags | Essentials |
| Address groups | Essentials |
| VPC firewall rules | Essentials |
| FQDN objects | Standard |
| Geolocation objects | Standard |
| Threat intelligence | Standard |
| Intrusion detection and prevention service | Enterprise |
| URL filtering service | Enterprise |
| TLS inspection | Enterprise |
Pricing
Each Cloud NGFW tier is priced differently. In a firewall policy, you can use rules with features from a single tier or combine rules with features from multiple tiers. When a single rule uses features from multiple tiers, Google Cloud bills the traffic at the rate of the highest tier used. For example, if a firewall rule includes both Standard and Enterprise features, Cloud NGFW evaluates the matching traffic at the Enterprise rate.
Cloud NGFW doesn't charge you twice for the same traffic flow, even if the flow is evaluated by multiple rules. You pay primarily for data processing of traffic to and from VM instances. These charges apply when a firewall rule evaluates traffic, regardless of whether the rule allows or denies it.
You pay for the data processing of traffic that is evaluated by firewall rules containing features from different tiers. To understand pricing for different scenarios, see Cloud NGFW pricing.