Use global network firewall policies to protect Envoy-based load balancers

To restrict traffic to the managed Envoy proxies in a proxy-only subnet, you can configure global network firewall policies to protect internal Application Load Balancers and internal proxy Network Load Balancers.

This document describes how to set up a global network firewall policy rule that applies to internal Application Load Balancers and internal proxy Network Load Balancers.

Internal Application Load Balancers and internal proxy Network Load Balancers have the following firewall rule requirements and options:

  • Firewall rules that apply to the load balancer backends: If you use instance groups or GCE_VM_IP_PORT zonal Network Endpoint Groups (NEG) backends, you must configure firewall rules that allow the managed Envoy proxies to connect to the backend VMs.

  • Firewall rules that apply to the managed Envoy proxies: These rules provide optional access control for load balancer forwarding rules. This is useful if the load balancer uses regional internet NEGs or Private Service Connect NEGs.

Create the load balancing resources

Before you configure firewall rules and policies, set up the required load balancing resources. These resources include a Virtual Private Cloud (VPC) network, subnets, a load balancer with backends and a forwarding rule, and a client VM instance for testing connectivity.

To create and configure the resources for your chosen load balancer, see the following documents:

After you create the resources, note the following details. Use these details to configure firewall rules and policies later on this page:

  • The name and IP address of the forwarding rule
  • The name of the VPC network
  • The source IP address that connects to the load balancer. For testing, this address can be the IP address of the test VM instance that you created to verify connectivity with the load balancer.

Create Cloud NGFW resources

  1. Create a global network firewall policy. For more information, see Create a global network firewall policy.

  2. Associate the firewall policy with the VPC network.

    To apply firewall policy rules to a load balancer forwarding rule, you must associate the policy with the VPC network that contains the forwarding rule. Associating the policy activates the rules on that network.

  3. To control traffic that reaches the load balancer, create ingress firewall rules in a global network firewall policy. Unlike VM targets, the managed Envoy proxies used by internal Application Load Balancers and internal proxy Network Load Balancers accept ingress traffic when no firewall policy rule applies to them, so a policy with no matching rules restricts nothing. To restrict access to one or more load balancer forwarding rules, you must create ingress firewall rules with the --target-type=INTERNAL_MANAGED_LB parameter:

    • One lower-priority (higher priority number) ingress deny firewall rule with --src-ip-ranges=0.0.0.0/0. This sets a baseline that denies all incoming traffic to the proxies.

    • One or more higher-priority (lower priority number) ingress allow firewall rules with --src-ip-ranges that include the following ranges:

    To target a specific forwarding rule, set --target-forwarding-rules to a single load balancer forwarding rule in the supported format. If you want to apply the firewall policy and its rules to internal Application Load Balancers and internal proxy Network Load Balancers of a VPC network, don't specify the --target-forwarding-rules flag.

  4. View firewall logs. For more information, see View logs.
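The four steps above as one script. This is an added example, not from the Google Cloud documentation or any Google tooling; the project ID, region, network, policy, forwarding rule and client range are placeholder assumptions, the full-resource-path form of --target-forwarding-rules and the Logging filter in view_logs are assumed rather than taken from the page, and TCP/80 is an assumed listener port. When gcloud is not on the PATH (or DRY_RUN=1), the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: Cloud NGFW resources that restrict ingress to the managed Envoy
# proxies of an internal Application Load Balancer. All names below are assumptions.
set -eu

PROJECT="${PROJECT:-my-project}"                     # assumed project ID
REGION="${REGION:-us-west1}"                         # assumed region of the forwarding rule
NETWORK="${NETWORK:-lb-network}"                     # VPC network that contains the forwarding rule
POLICY="${POLICY:-envoy-lb-policy}"                  # assumed global network firewall policy name
FWD_RULE="${FWD_RULE:-l7-ilb-forwarding-rule}"       # assumed forwarding rule name
CLIENT_RANGE="${CLIENT_RANGE:-10.1.2.0/24}"          # assumed client source range (e.g. the test VM's subnet)

# DRY_RUN=1 prints each gcloud command instead of executing it; it is the default
# when gcloud is not installed, so the script is safe to run anywhere.
DRY_RUN="${DRY_RUN:-}"
if [ -z "$DRY_RUN" ] && ! command -v gcloud >/dev/null 2>&1; then
  DRY_RUN=1
fi

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: create the global network firewall policy.
create_policy() {
  run gcloud compute network-firewall-policies create "$POLICY" \
    --global --project="$PROJECT" \
    --description="Restrict ingress to Envoy-based internal load balancers"
}

# Step 2: associate the policy with the VPC network that contains the forwarding
# rule; the rules are inactive until this association exists.
associate_policy() {
  run gcloud compute network-firewall-policies associations create \
    --firewall-policy="$POLICY" --global-firewall-policy \
    --network="$NETWORK" --name="${POLICY}-${NETWORK}" --project="$PROJECT"
}

# Step 3: baseline deny plus a targeted allow. In Cloud NGFW a lower number is a
# higher priority, so the allow rule (100) is evaluated before the deny rule (1000).
create_rules() {
  # Deny all ingress to every internal managed LB proxy in the network
  # (no --target-forwarding-rules, so it applies network-wide).
  run gcloud compute network-firewall-policies rules create 1000 \
    --firewall-policy="$POLICY" --global-firewall-policy \
    --direction=INGRESS --action=deny --src-ip-ranges=0.0.0.0/0 \
    --layer4-configs=all --target-type=INTERNAL_MANAGED_LB \
    --enable-logging --project="$PROJECT"
  # Allow only CLIENT_RANGE to reach one forwarding rule on TCP/80.
  # The projects/.../forwardingRules/... path form is an assumption.
  run gcloud compute network-firewall-policies rules create 100 \
    --firewall-policy="$POLICY" --global-firewall-policy \
    --direction=INGRESS --action=allow --src-ip-ranges="$CLIENT_RANGE" \
    --layer4-configs=tcp:80 --target-type=INTERNAL_MANAGED_LB \
    --target-forwarding-rules="projects/${PROJECT}/regions/${REGION}/forwardingRules/${FWD_RULE}" \
    --enable-logging --project="$PROJECT"
}

# Step 4: read recent firewall log entries. The logName filter is an assumption;
# adjust it to the log entries Firewall Rules Logging writes in your project.
view_logs() {
  run gcloud logging read \
    "logName:\"compute.googleapis.com%2Ffirewall\"" \
    --project="$PROJECT" --limit=20 --format=json
}

# Run all four steps (prints the commands under DRY_RUN=1).
create_policy
associate_policy
create_rules
view_logs
```

Test connectivity from an address inside CLIENT_RANGE and from one outside it after the rules exist; with --enable-logging set, the denied attempt shows up in the output of view_logs.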