Regional network firewall policies

Regional network firewall policies are collections of firewall rules that apply to a single region of one or more VPC networks.

Specifications

Regional network firewall policies are per-project, per-region objects that contain firewall rules. To apply the rules to a region of a VPC network, you associate the regional network firewall policy with that VPC network. The rules are not enforced until the association exists; after a policy is associated, its rules are enforced only within the policy's region of the associated VPC network.
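The following script is an added example, not code from the original page or from Google; it walks through the create, add-rule, associate and verify steps that the paragraph above describes, using the `gcloud compute network-firewall-policies` command group. The project, region, policy, network and service-account names are assumptions set at the top; the gcloud flags follow the public reference at the time of writing and can be confirmed with `gcloud compute network-firewall-policies rules create --help` and `... associations create --help`. Run it with the argument `apply` to execute against a project; without arguments it prints the commands it would run so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original page): create a regional network
# firewall policy, add one least-privilege ingress rule, associate the policy
# with a VPC network, and verify the result.
set -eu

# Assumed values; override via the environment.
PROJECT_ID="${PROJECT_ID:-my-project}"
REGION="${REGION:-us-central1}"
POLICY="${POLICY:-rnfp-${REGION}}"
NETWORK="${NETWORK:-prod-vpc}"
SSH_SA="${SSH_SA:-bastion-sa@my-project.iam.gserviceaccount.com}"
DRY_RUN="${DRY_RUN:-0}"

# Run a command, or only print it when DRY_RUN=1, so the plan can be reviewed
# (and tested) without gcloud or a project.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. A regional network firewall policy is a per-project, per-region object.
create_policy() {
    run gcloud compute network-firewall-policies create "$POLICY" \
        --project="$PROJECT_ID" --region="$REGION" \
        --description="Regional policy for $REGION"
}

# 2. Rules live in the policy. This one allows SSH only from the IAP TCP
# forwarding range (35.235.240.0/20) and only to VMs running the bastion
# service account. Any connection matching no explicit rule reaches the
# predefined lowest-priority rules, which hand it to the next evaluation level.
add_ssh_rule() {
    run gcloud compute network-firewall-policies rules create 1000 \
        --project="$PROJECT_ID" --region="$REGION" \
        --firewall-policy="$POLICY" \
        --direction=INGRESS --action=allow \
        --src-ip-ranges=35.235.240.0/20 \
        --layer4-configs=tcp:22 \
        --target-service-accounts="$SSH_SA" \
        --enable-logging \
        --description="IAP TCP forwarding to bastion SA only"
}

# 3. Nothing is enforced until the policy is associated with a VPC network;
# after that the rules apply only in the policy's region of that network.
associate_policy() {
    run gcloud compute network-firewall-policies associations create \
        --project="$PROJECT_ID" --firewall-policy-region="$REGION" \
        --firewall-policy="$POLICY" --network="$NETWORK" \
        --name="${POLICY}-${NETWORK}"
}

# 4. Verify: describe shows the association and every rule in the policy,
# including the predefined rules Cloud NGFW added at the lowest priority.
show_policy() {
    run gcloud compute network-firewall-policies describe "$POLICY" \
        --project="$PROJECT_ID" --region="$REGION"
}

main() {
    create_policy
    add_ssh_rule
    associate_policy
    show_policy
}

if [ "${1:-}" = "apply" ]; then
    main
else
    DRY_RUN=1
    main
fi
```

Because the allow rule is scoped by source range, port and target service account, a VM in the same region and network that does not run `bastion-sa` gets no SSH exposure from this rule; if the policy contains no explicit catch-all, such traffic is passed to the next level of evaluation rather than silently allowed or denied here.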

The following specifications apply to regional network firewall policies and their VPC network associations:

Cloud NGFW also supports regional system firewall policies, which share the same specifications as regional network firewall policies, but contain read-only rules. For information about how rules in regional system firewall policies work with other firewall rules, see the Firewall rule evaluation process.

Predefined rules

When you create a regional network firewall policy, Cloud Next Generation Firewall adds predefined rules to the policy at the lowest priority (the highest priority numbers). Because they sit at the bottom of the priority order, these rules match only connections that no explicitly defined rule in the policy has matched, and instead of allowing or denying those connections they pass evaluation on to the next level: lower-level policies or VPC firewall rules.

To learn about the various types of predefined rules and their characteristics, see Predefined rules for firewall policies.

Identity and Access Management (IAM) roles

For details about IAM roles that govern the actions to create and manage regional network firewall policies, see Use regional network firewall policies.