Firewall policies and rules

A firewall rule in Cloud Next Generation Firewall determines whether to allow or deny traffic within a Virtual Private Cloud (VPC) network based on defined criteria. A Cloud NGFW firewall policy lets you group several firewall rules so that you can update them all at once, with access to the policy controlled by Identity and Access Management (IAM) roles.

This document provides an overview of the different types of firewall policies and firewall policy rules.

Firewall policies

Cloud NGFW supports the following types of firewall policies:

Hierarchical firewall policies

Hierarchical firewall policies let you group rules into a policy object that can apply to many VPC networks in one or more projects. You can associate hierarchical firewall policies with an entire organization or individual folders.

For hierarchical firewall policy specifications and details, see Hierarchical firewall policies.

Global network firewall policies

Global network firewall policies let you group rules into a policy object that can apply to all regions of a VPC network.

For global network firewall policy specifications and details, see Global network firewall policies.

Regional network firewall policies

Regional network firewall policies let you group rules into a policy object that can apply to a specific region of a VPC network.

For regional firewall policy specifications and details, see Regional network firewall policies.

Regional system firewall policies

Regional system firewall policies are similar to regional network firewall policies, but they are managed by Google. Regional system firewall policies have the following characteristics:

  • Cloud de Confiance evaluates rules in regional system firewall policies immediately after evaluating rules in hierarchical firewall policies. For more information, see Firewall rule evaluation process.

  • You can't modify a rule in a regional system firewall policy, except to enable or disable firewall rule logging.

  • Cloud de Confiance creates a regional system firewall policy in a region of a VPC network when a Google service requires rules in that region of the network. Cloud de Confiance can associate more than one regional system firewall policy with a region of a VPC network based on the requirements of Google services.

  • You aren't charged for the evaluation of rules in regional system firewall policies.

Network profile interaction

Regular VPC networks support firewall rules in hierarchical firewall policies, global network firewall policies, regional network firewall policies, and VPC firewall rules. All firewall rules are programmed as part of the Andromeda network virtualization stack.

VPC networks that use certain network profiles restrict the firewall policies and rule attributes that you can use. For RoCE VPC networks, see Cloud NGFW for RoCE VPC networks instead of this page.

Firewall policy rules

In Cloud de Confiance, a firewall policy rule has a direction that determines whether it controls traffic coming into your network or traffic leaving it. Each firewall policy rule applies to either incoming (ingress) or outgoing (egress) connections.

Ingress rules

Ingress direction refers to the incoming connections sent from specific sources to Cloud de Confiance targets. Ingress rules apply to inbound packets that arrive on the following types of targets:

  • Network interfaces of virtual machine (VM) instances
  • Managed Envoy proxies that power internal Application Load Balancers and internal proxy Network Load Balancers

An ingress rule with a deny action protects targets by blocking incoming connections to them. If a higher-priority rule allows the traffic, the firewall permits it and ignores any lower-priority rules that would deny that same traffic; higher-priority rules always take precedence.

An automatically created default network includes some pre-populated VPC firewall rules, which allow ingress for certain types of traffic.

Egress rules

Egress direction refers to the outbound traffic sent from a target Cloud de Confiance resource, such as a VM network interface, to a destination.

An egress rule with an allow action lets an instance send traffic to the destinations specified in the rule. Egress traffic is blocked if it matches a higher-priority deny rule; that deny takes precedence over any lower-priority rules that would allow the traffic. Cloud de Confiance also blocks or limits certain kinds of traffic.
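The precedence rules in the ingress and egress sections above, together with the policy types described earlier, as an added Python model. This is illustrative code written for this page, not Cloud NGFW code and not from Google's documentation. Within one policy the highest-priority (lowest-numbered) matching rule decides; policies are consulted in a fixed order, so a decision in an earlier policy stands regardless of the numeric priorities in later policies; when nothing decides, the implied deny-all-ingress / allow-all-egress rules apply. The policy names, IP ranges and ports are constructed, and the order of global network, regional network and VPC firewall rules after the hierarchical and regional system policies is taken from the Firewall rule evaluation process documentation and is an assumption of this model.

```python
"""Added model of Cloud NGFW rule evaluation (illustration, not Cloud NGFW code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    priority: int      # 0-65535; a lower number means a higher priority
    direction: str     # "INGRESS" or "EGRESS"
    action: str        # "allow", "deny" or "goto_next"
    ip_ranges: tuple   # source ranges for ingress, destination ranges for egress
    protocols: tuple   # (protocol, port) pairs; port None matches any port
    name: str = ""


@dataclass(frozen=True)
class Policy:
    name: str
    kind: str          # one of POLICY_ORDER
    rules: tuple


# Consultation order. The page states only that regional system policies follow
# hierarchical ones; the remainder is the default order from the "Firewall rule
# evaluation process" documentation and is an assumption of this model.
POLICY_ORDER = ("hierarchical", "regional_system", "global_network",
                "regional_network", "vpc_firewall_rules")

# Implied lowest-priority rules of a VPC network: deny all ingress, allow all egress.
IMPLIED_ACTION = {"INGRESS": "deny", "EGRESS": "allow"}


def rule_matches(rule, direction, remote_ip, protocol, port):
    """True if direction, remote address and protocol/port fall within the rule."""
    if rule.direction != direction:
        return False
    addr = ip_address(remote_ip)
    if not any(addr in ip_network(r) for r in rule.ip_ranges):
        return False
    return any(p == protocol and (pt is None or pt == port)
               for p, pt in rule.protocols)


def first_match(policy, direction, remote_ip, protocol, port):
    """Highest-priority matching rule within one policy, or None."""
    for rule in sorted(policy.rules, key=lambda r: r.priority):
        if rule_matches(rule, direction, remote_ip, protocol, port):
            return rule
    return None


def evaluate(policies, direction, remote_ip, protocol, port):
    """Return (action, policy_name, rule_name) for the rule that decides.

    Only the first matching rule in a policy counts, so a lower-priority rule
    with the opposite action is never consulted. No match, or a goto_next
    match, defers to the next policy in POLICY_ORDER; if no policy decides,
    the implied rule for the direction applies.
    """
    for kind in POLICY_ORDER:
        for policy in policies:
            if policy.kind != kind:
                continue
            rule = first_match(policy, direction, remote_ip, protocol, port)
            if rule is None or rule.action == "goto_next":
                continue
            return rule.action, policy.name, rule.name
    return IMPLIED_ACTION[direction], "implied", ""


# Constructed sample policies: names, ranges and ports are made up.
SAMPLE_POLICIES = (
    Policy("org-policy", "hierarchical", (
        Rule(100, "INGRESS", "allow", ("10.0.0.0/8",), (("tcp", 22),), "corp-ssh"),
        Rule(200, "INGRESS", "deny", ("0.0.0.0/0",), (("tcp", 22),), "block-other-ssh"),
    )),
    Policy("net-policy", "global_network", (
        # Numerically higher priority than org-policy's allow, but evaluated later,
        # so it never gets a say on corporate SSH.
        Rule(10, "INGRESS", "deny", ("10.0.0.0/8",), (("tcp", 22),), "deny-corp-ssh"),
        Rule(100, "EGRESS", "deny", ("0.0.0.0/0",), (("tcp", 25),), "no-smtp"),
        Rule(1000, "INGRESS", "allow", ("0.0.0.0/0",), (("tcp", 443),), "web"),
        Rule(2000, "EGRESS", "allow", ("0.0.0.0/0",), (("tcp", None),), "all-egress"),
    )),
)


if __name__ == "__main__":
    scenarios = [
        ("INGRESS", "10.1.2.3", "tcp", 22),      # allowed by org-policy corp-ssh
        ("INGRESS", "203.0.113.5", "tcp", 22),   # denied by org-policy block-other-ssh
        ("INGRESS", "203.0.113.5", "tcp", 443),  # allowed by net-policy web
        ("INGRESS", "203.0.113.5", "tcp", 8080), # no match: implied ingress deny
        ("EGRESS", "198.51.100.7", "tcp", 25),   # higher-priority deny beats all-egress
        ("EGRESS", "198.51.100.7", "tcp", 443),  # allowed by net-policy all-egress
    ]
    for s in scenarios:
        print(s, "->", evaluate(SAMPLE_POLICIES, *s))
```

The deny-corp-ssh rule is the case to watch for in review: a deny with priority 10 in a network firewall policy looks stronger than an allow with priority 100 in the hierarchical policy, but priorities only order rules within one policy, and the hierarchical policy has already allowed the connection by the time the network policy is consulted.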

What's next