To restrict traffic to the managed Envoy proxies in a proxy-only subnet, you can configure global network firewall policies to protect internal Application Load Balancers and internal proxy Network Load Balancers.
This document describes how to set up a global network firewall policy rule that applies to internal Application Load Balancers and internal proxy Network Load Balancers.
Internal Application Load Balancers and internal proxy Network Load Balancers have the following firewall rule requirements and options:
- Firewall rules that apply to the load balancer backends: If you use instance group or GCE_VM_IP_PORT zonal network endpoint group (NEG) backends, you must configure firewall rules that allow the managed Envoy proxies to connect to the backend VMs.
- Firewall rules that apply to the managed Envoy proxies: These rules provide optional access control for load balancer forwarding rules. This is useful if the load balancer uses regional internet NEGs or Private Service Connect NEGs, because those backends have no VMs in your VPC network on which backend firewall rules could be enforced, so the proxies are the only point where you can filter client traffic.
Create the load balancing resources
Before you configure firewall rules and policies, set up the required load balancing resources. These resources include a Virtual Private Cloud (VPC) network, subnets, a load balancer with backends and a forwarding rule, and a client VM instance for testing connectivity.
To create and configure the resources for your chosen load balancer, see the following documents:
- Set up a cross-region internal Application Load Balancer with VM instance group backends
- Set up a regional internal Application Load Balancer with VM instance group backends
- Set up a cross-region internal proxy Network Load Balancer with VM instance group backends
- Set up a regional internal proxy Network Load Balancer with VM instance group backends
After you create the resources, note the following details. Use these details to configure firewall rules and policies later on this page:
- The name and IP address of the forwarding rule
- The name of the VPC network
- The source IP address that connects to the load balancer. For testing, this address can be the IP address of the test VM instance that you created to verify connectivity with the load balancer.
Create Cloud NGFW resources
Create a global network firewall policy. For more information, see Create a global network firewall policy.
Associate the firewall policy with the VPC network.
To apply firewall policy rules to a load balancer forwarding rule, you must associate the policy with the VPC network that contains the forwarding rule. Associating the policy activates the rules on that network.
To control traffic that reaches the load balancer, create ingress firewall rules in a global network firewall policy. Unlike VM targets, ingress is allowed when no firewall rules apply to the managed Envoy proxies used by internal Application Load Balancers and internal proxy Network Load Balancers: the implied deny-ingress rule that protects VMs does not protect these proxies, so an unrestricted forwarding rule is reachable from any source that can route to it. To restrict access to one or more load balancer forwarding rules, create ingress firewall rules with the --target-type=INTERNAL_MANAGED_LB parameter:
- One lower-priority ingress deny firewall rule with --src-ip-ranges=0.0.0.0/0. This sets a baseline that denies all incoming traffic.
- One or more higher-priority ingress allow firewall rules with --src-ip-ranges that include the following ranges:
  - The IP addresses of the approved clients.
  - The IP addresses of the Google health check probes, so that the baseline deny rule does not block them. For more information, see Probe IP ranges for select managed Envoy-based load balancer frontends in the Health checks overview.
Remember that in firewall policies a lower priority number means higher precedence: the allow rules must have a smaller number than the baseline deny rule, otherwise the deny rule matches first and the allow rules never take effect.
To target a specific forwarding rule, set --target-forwarding-rules to a single load balancer forwarding rule in the supported format. If you want to apply the firewall policy and its rules to all internal Application Load Balancers and internal proxy Network Load Balancers of a VPC network, don't specify the --target-forwarding-rules flag.
View firewall logs. For more information, see View logs.
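The following script, added here as an illustration and not part of the Cloud NGFW documentation, strings the steps above together: create the global policy, associate it with the VPC network, add the baseline deny rule for every internal managed load balancer forwarding rule in the network, and add a higher-precedence allow rule scoped to one forwarding rule. The policy, network, project, region and forwarding-rule names, the client range 10.10.20.0/24 and the tcp:80,tcp:443 listener ports are constructed placeholders; the projects/.../regions/.../forwardingRules/... reference format is an assumption (the page only says "supported format"); HEALTH_CHECK_RANGES must be filled in from the Health checks overview. Logging is enabled on both rules so that denied sources appear in the firewall logs referenced above.

```shell
#!/usr/bin/env bash
# Added example (not from the Cloud NGFW docs): gcloud commands for a global
# network firewall policy that restricts ingress to the managed Envoy proxies of
# an internal Application Load Balancer or internal proxy Network Load Balancer.
# All names below are placeholders, and the forwarding-rule reference format is
# an assumption; take HEALTH_CHECK_RANGES from the Health checks overview.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
REGION="${REGION:-us-central1}"
POLICY="${POLICY:-ilb-proxy-policy}"
NETWORK="${NETWORK:-lb-network}"
FORWARDING_RULE="${FORWARDING_RULE:-ilb-forwarding-rule}"
CLIENT_RANGES="${CLIENT_RANGES:-10.10.20.0/24}"   # approved clients (constructed)
HEALTH_CHECK_RANGES="${HEALTH_CHECK_RANGES:-}"    # probe ranges from the Health checks overview
DENY_PRIORITY=65000    # large number = evaluated last
ALLOW_PRIORITY=1000    # small number = evaluated first

# With DRY_RUN set, print the command instead of running gcloud.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf 'gcloud %s\n' "$*"; else gcloud "$@"; fi
}

# Precedence check: an allow rule only beats the deny rule if its number is lower.
priority_ok() { [ "$1" -lt "$2" ]; }

# Assumed forwarding-rule reference format (the page only says "supported format").
fr_ref() { printf 'projects/%s/regions/%s/forwardingRules/%s' "$PROJECT_ID" "$REGION" "$1"; }

# Step 1: create the global policy and associate it with the VPC network that
# contains the forwarding rule; the rules have no effect until associated.
create_policy() {
  run compute network-firewall-policies create "$POLICY" --global \
    --description=restrict-ingress-to-envoy-proxies
  run compute network-firewall-policies associations create \
    --firewall-policy="$POLICY" --global-firewall-policy \
    --network="$NETWORK" --name="${POLICY}-${NETWORK}"
}

# Step 2: baseline deny for every internal managed LB forwarding rule in the
# network (no --target-forwarding-rules), logged so blocked clients show up.
create_baseline_deny() {
  run compute network-firewall-policies rules create "$DENY_PRIORITY" \
    --firewall-policy="$POLICY" --global-firewall-policy \
    --direction=INGRESS --action=deny --layer4-configs=all \
    --src-ip-ranges=0.0.0.0/0 --target-type=INTERNAL_MANAGED_LB --enable-logging
}

# Step 3: higher-precedence allow for approved clients plus health check probe
# ranges, scoped to a single forwarding rule (ports are an assumption).
create_allow() {
  priority_ok "$ALLOW_PRIORITY" "$DENY_PRIORITY" || { echo "allow rule would never match" >&2; return 1; }
  src="$CLIENT_RANGES"
  if [ -n "$HEALTH_CHECK_RANGES" ]; then src="$src,$HEALTH_CHECK_RANGES"; fi
  run compute network-firewall-policies rules create "$ALLOW_PRIORITY" \
    --firewall-policy="$POLICY" --global-firewall-policy \
    --direction=INGRESS --action=allow --layer4-configs=tcp:80,tcp:443 \
    --src-ip-ranges="$src" --target-type=INTERNAL_MANAGED_LB \
    --target-forwarding-rules="$(fr_ref "$FORWARDING_RULE")" --enable-logging
}

apply_all() { create_policy; create_baseline_deny; create_allow; }

# Usage: ./ngfw-ilb-rules.sh plan   (print the commands)
#        ./ngfw-ilb-rules.sh apply  (run them with gcloud)
case "${1:-}" in
  plan)  DRY_RUN=1; apply_all ;;
  apply) apply_all ;;
esac
```

Run with `plan` first and compare the printed deny and allow commands against the forwarding rule you noted when creating the load balancing resources; only the allow rule carries --target-forwarding-rules, while the deny rule covers every internal managed load balancer forwarding rule in the network, which is what makes the baseline hold for forwarding rules added later.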