This page provides key terminology that applies to Cloud Next Generation Firewall. Review these terms to better understand how Cloud NGFW works and the concepts on which it is built.
Address groups
Address groups are a logical collection of either IPv4 address ranges or IPv6 address ranges in CIDR format. You can use address groups to define consistent sources or destinations referenced by many firewall rules. For more information about address groups, see Address groups for firewall policies.
CIDR format
Classless Inter-Domain Routing (CIDR) format or notation is a method for representing an IP address and its subnet. It is an alternative to writing out an entire subnet mask. It consists of an IP address, followed by a forward slash (/), and a number. The number indicates the number of bits in the IP address that define the network portion.
Cloud NGFW
Cloud Next Generation Firewall is a fully distributed firewall service with advanced protection capabilities, micro-segmentation, and pervasive coverage to help protect your Trusted Cloud by S3NS workloads from internal and external attacks. Cloud NGFW is available in two tiers: Cloud Next Generation Firewall Essentials and Cloud Next Generation Firewall Standard. For more information, see Cloud NGFW overview.
Cloud NGFW Essentials
Cloud Next Generation Firewall Essentials is the foundational firewall service offered by Trusted Cloud. It includes features and capabilities such as global network firewall policies and regional network firewall policies, Identity and Access Management (IAM)-governed Tags, Address groups, and Virtual Private Cloud (VPC) firewall rules. For more information, see Cloud NGFW Essentials overview.
Cloud NGFW Standard
Cloud NGFW Standard extends the Cloud NGFW Essentials features to provide enhanced capabilities to help protect your cloud infrastructure from malicious attacks.
It includes features and capabilities such as fully qualified domain name (FQDN) objects and geolocation objects in firewall policy rules.
Firewall rules
Firewall rules are the building blocks of network security. A firewall rule controls incoming or outgoing traffic to or from a virtual machine (VM) instance. By default, incoming traffic is blocked. For more information, see Firewall policies.
Firewall Rules Logging
Firewall Rules Logging lets you audit, verify, and analyze the effects of your firewall rules. For example, you can determine whether a firewall rule designed to deny traffic is functioning as intended. Firewall Rules Logging is also useful if you need to determine how many connections are affected by a given firewall rule. For more information, see Firewall Rules Logging.
Firewall policies
Firewall policies let you group several firewall rules so that you can update them all at once, with access to the policy controlled by IAM roles. There are three types of firewall policies: hierarchical firewall policies, global network firewall policies, and regional network firewall policies. For more information, see Firewall policies.
Firewall policy rules
When you create a firewall policy rule, you specify a set of components that define what the rule does. These components specify traffic direction, source, destination, and Layer 4 characteristics such as protocol and destination port (if the protocol uses ports). Together, these components make up a firewall policy rule. For more information, see Firewall policy rules.
FQDN objects
A fully qualified domain name (FQDN) is the complete name of a specific resource on the internet, for example, cloud.google.com. FQDN objects in firewall policy rules filter incoming or outgoing traffic from or to a specific domain name. Based on the traffic direction, the IP addresses associated with the domain names are matched against the source or destination of the traffic. For more information, see FQDN objects.
Geolocation objects
Use geolocation objects in firewall policy rules to filter external IPv4 and external IPv6 traffic based on specific geographic locations or regions. You can use geolocation objects along with other source or destination filters. For information, see Geolocation objects.
Global network firewall policies
Global network firewall policies let you group rules into a policy object applicable to all regions (global). After you associate a global network firewall policy with a VPC network, the rules in the policy can apply to resources in the VPC network. For global network firewall policy specifications and details, see Global network firewall policies.
Hierarchical firewall policies
Hierarchical firewall policies let you group rules into a policy object that can apply to many VPC networks in one or more projects. You can associate hierarchical firewall policies with an entire organization or with individual folders. For hierarchical firewall policy specifications and details, see Hierarchical firewall policies.
Identity and Access Management
Trusted Cloud's IAM lets you grant granular access to specific Trusted Cloud resources and helps prevent access to other resources. IAM lets you adopt the security principle of least privilege, which states that nobody should have more permissions than they actually need. For more information, see IAM overview.
Implied rules
Every VPC network has two implied IPv4 firewall rules. If IPv6 is enabled in a VPC network, the network also has two implied IPv6 firewall rules. These rules are not shown in the Trusted Cloud console.
Implied IPv4 firewall rules are present in all VPC networks, regardless of how the networks are created or whether they are auto mode or custom mode VPC networks. The default network has the same implied rules. For more information, see Implied rules.
Network firewall policies
Network firewall policies, also known as firewall policies, let you group several firewall rules so that you can update them all at once, with access to the policy controlled by IAM roles. These policies contain rules that can explicitly deny or allow connections, as do VPC firewall rules. The term covers both global and regional network firewall policies. For more information, see Firewall policies.
Network tags
A network tag is a character string that is added to a tags field in a resource such as Compute Engine VM instances or instance templates. A tag is not a separate resource, so you cannot create it separately. All resources with that string are considered to have that tag. Tags let you make VPC firewall rules and routes applicable to specific VM instances.
Policy inheritance
By default, organization policies are inherited by the descendants of the resources on which you enforce the policy. For example, if you enforce a policy on a folder, Trusted Cloud enforces the policy on all projects in the folder. To learn more about this behavior and how to change it, see Hierarchy evaluation rules.
Priority
The priority of a rule in a firewall policy is an integer from 0 to 2,147,483,647, inclusive. Lower integers indicate higher priorities. For more information, see Priority.
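As an added illustration of how the terms above fit together (this is example code, not part of the original page or of Cloud NGFW), the evaluator below orders firewall policy rules by priority (lower integer first), matches sources in CIDR format, and falls back to the implied behaviour when no rule matches. The constructed rule set, the `Rule` type, and the simplified matching logic are assumptions; the implied fallback models the page's statement that incoming traffic is blocked by default, and the documented implied allow-egress rule.

```python
import ipaddress
from dataclasses import dataclass

MAX_PRIORITY = 2_147_483_647  # firewall policy rule priority range is 0..2,147,483,647

@dataclass(frozen=True)
class Rule:
    priority: int      # lower integer = higher priority, evaluated first
    direction: str     # "INGRESS" or "EGRESS"
    action: str        # "allow" or "deny"
    cidrs: tuple       # source ranges for ingress, destination ranges for egress
    protocol: str = "all"
    ports: tuple = ()  # empty tuple means any port

def validate(rule: Rule) -> None:
    """Reject priorities outside the documented range."""
    if not 0 <= rule.priority <= MAX_PRIORITY:
        raise ValueError(f"priority {rule.priority} out of range 0..{MAX_PRIORITY}")

def matches(rule: Rule, direction: str, ip: str, protocol: str, port: int) -> bool:
    """True if the packet's direction, address, protocol and port all fit the rule."""
    if rule.direction != direction:
        return False
    addr = ipaddress.ip_address(ip)
    # An IPv4 range never contains an IPv6 address (and vice versa), so
    # 0.0.0.0/0 does not match IPv6 traffic.
    if not any(addr in ipaddress.ip_network(c, strict=False) for c in rule.cidrs):
        return False
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    return not rule.ports or port in rule.ports

def evaluate(rules, direction: str, ip: str, protocol: str, port: int):
    """Return (action, priority) of the first matching rule in priority order,
    or the implied action with priority None when nothing matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        validate(rule)
        if matches(rule, direction, ip, protocol, port):
            return rule.action, rule.priority
    # Implied rules: ingress is denied, egress is allowed.
    return ("deny" if direction == "INGRESS" else "allow"), None

# Constructed sample policy (not from the page): SSH from RFC 1918 space is
# allowed, HTTPS from a documentation IPv6 prefix is allowed, all other IPv4
# ingress is explicitly denied at a lower priority.
RULES = (
    Rule(1000, "INGRESS", "allow", ("10.0.0.0/8", "172.16.0.0/12"), "tcp", (22,)),
    Rule(500, "INGRESS", "allow", ("2001:db8::/32",), "tcp", (443,)),
    Rule(2000, "INGRESS", "deny", ("0.0.0.0/0",)),
)
```

The IPv6 case is the one worth noticing: an IPv4 catch-all deny does not cover IPv6 sources, so those fall through to the implied ingress deny rather than to the explicit rule.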
Regional network firewall policies
Regional network firewall policies let you group rules into a policy object that is applicable to a specific region. After you associate a regional network firewall policy with a VPC network, the rules in the policy can apply to resources within that region of the VPC network. For regional firewall policy specifications and details, see Regional network firewall policies.
Server Name Indication
Server Name Indication (SNI) is an extension to the TLS computer networking protocol. SNI lets multiple HTTPS sites share an IP and TLS certificate, which is more efficient and cost effective because you don't need individual certificates for each website on the same server.
Tags
The Trusted Cloud resource hierarchy is a way to organize your resources into a tree structure. This hierarchy helps you manage resources at scale, but it models only a few business dimensions, including organization structure, regions, workload types, and cost centers. The hierarchy lacks the flexibility to layer multiple business dimensions together.
Tags provide a way to create annotations for resources, and in some cases conditionally allow or deny policies based on whether a resource has a specific tag. You can use tags and conditional enforcement of policies for fine-grained control across your resource hierarchy.
Tags are different from network tags. For more information about the differences between Tags and network tags, see Comparison of Tags and network tags.
Tags for firewall
Tags are also referred to as secure tags. Tags let you define sources and targets in global network firewall policies and regional network firewall policies. Tags are different from network tags. Network tags are simple strings, not keys and values, and don't offer any kind of access control. For more information about the differences between Tags and network tags and what products support each one, see Comparison of Tags and network tags.
VPC firewall rules
VPC firewall rules let you allow or deny connections to or from VM instances in your VPC network. Enabled VPC firewall rules are always enforced, which helps protect your instances regardless of their configuration and operating system, even if they have not started up. These rules apply to a given project and network. For more information, see VPC firewall rules.
What's next
- For conceptual information about Cloud NGFW, see Cloud NGFW overview.
- For conceptual information about firewall policy rules, see Firewall policy rules.
- To create, update, monitor, or delete VPC firewall rules, see Use VPC firewall rules.