Use regional network firewall policies to protect internal Application Load Balancers and internal proxy Network Load Balancers

You can configure rules in Cloud Next Generation Firewall (Cloud NGFW) firewall policies that apply to managed Envoy proxies used by internal Application Load Balancer and internal proxy Network Load Balancer. These proxies run in a proxy-only subnet.

Internal Application Load Balancers and internal proxy Network Load Balancers have the following firewall rule requirements and options:

  • Firewall rules that apply to the load balancer backends: If you use instance group or GCE_VM_IP_PORT zonal Network Endpoint Group (NEG) backends, you must configure firewall rules that allow the managed Envoy proxies to connect to the backend VMs.

  • Firewall rules that apply to the managed Envoy proxies: These firewall rules apply to the managed Envoy proxies. The rules provide optional access control to load balancer forwarding rules, which is useful when the load balancer uses regional internet NEGs or Private Service Connect NEGs.

This document describes how to set up the firewall rules that apply to the managed Envoy proxies.

Create the load balancing resources

Before you configure firewall rules and policies, set up the load balancing resources, such as a Virtual Private Cloud (VPC) network, subnets, a load balancer with its backends and a forwarding rule, and a client VM instance for testing connectivity.

To create and configure the resources for your chosen load balancer, see the following documents:

After creating the resources, record the following details. You will use these details to configure firewall rules and policies later in this document:

  • The region of the load balancer
  • The name and IP address of the forwarding rule
  • The name of the VPC network
  • The name, zone, and IP address of the client VM instance that you created to test load balancer connectivity

Create Cloud NGFW resources

  1. Create a regional network firewall policy in the same region as the load balancer. For more information, see Create a regional network firewall policy.

  2. Associate the firewall policy with the VPC network.

    For a firewall policy's rules to apply to a load balancer forwarding rule, you must associate the policy with the VPC network where that forwarding rule exists. This association activates the firewall policy's rules on the VPC network.

  3. To control the traffic that reaches the load balancer, create ingress firewall rules in a regional network firewall policy. Unlike VM targets, the managed Envoy proxies used by internal Application Load Balancers and internal proxy Network Load Balancers accept ingress when no firewall rules apply to them. To restrict access to one or more load balancer forwarding rules, you must create ingress firewall rules with the --target-type=INTERNAL_MANAGED_LB parameter:

    • One lower-priority ingress deny firewall rule with --src-ip-ranges=0.0.0.0/0. This sets a baseline that denies all incoming traffic.

    • One or more higher-priority ingress allow firewall rules with --src-ip-ranges that include the following ranges:

    To target a specific forwarding rule, set --target-forwarding-rules to a single load balancer forwarding rule in the supported format. If you want to apply the firewall policy and its rules to internal Application Load Balancers and internal proxy Network Load Balancers of a VPC network, don't specify the --target-forwarding-rules flag.

  4. View firewall logs. For more information, see View logs.
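The steps above as one script, added here as an example; it is not code from the Google Cloud documentation. It assumes placeholder names (region us-central1, network lb-network, policy ilb-ingress-policy, forwarding rule l7-ilb-forwarding-rule, client range 10.1.2.0/24) and the gcloud flags --firewall-policy-region, --direction, --action, --layer4-configs and --enable-logging, which this page does not show; with DRY_RUN=1 (the default) it only prints the commands.

```shell
# Added example, not from the Google Cloud documentation: prints (DRY_RUN=1) or runs
# the gcloud commands that restrict ingress to the managed Envoy proxies of one internal
# load balancer forwarding rule. All names, the region and the CIDRs are placeholders.
set -eu
REGION="${REGION:-us-central1}"                 # region of the load balancer
NETWORK="${NETWORK:-lb-network}"                # VPC network holding the forwarding rule
POLICY="${POLICY:-ilb-ingress-policy}"          # regional network firewall policy name
FWD_RULE="${FWD_RULE:-l7-ilb-forwarding-rule}"  # forwarding rule to protect
ALLOWED_SRC="${ALLOWED_SRC:-10.1.2.0/24}"       # client range permitted to reach the LB
ALLOW_PRIORITY="${ALLOW_PRIORITY:-100}"         # lower number = evaluated first
DENY_PRIORITY="${DENY_PRIORITY:-1000}"          # baseline deny is evaluated after the allow
DRY_RUN="${DRY_RUN:-1}"                         # 1 = print commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The allow rule must be evaluated before the baseline deny (lower number wins),
# otherwise every client is denied. Returns non-zero when the ordering is wrong.
priority_order_ok() { [ "$ALLOW_PRIORITY" -lt "$DENY_PRIORITY" ]; }

# Step 1: policy in the same region as the load balancer.
create_policy() {
  run gcloud compute network-firewall-policies create "$POLICY" --region="$REGION"
}
# Step 2: the association activates the policy's rules on the VPC network.
associate_policy() {
  run gcloud compute network-firewall-policies associations create \
    --firewall-policy="$POLICY" --firewall-policy-region="$REGION" \
    --network="$NETWORK" --name="$POLICY-assoc"
}
# Step 3a: lower-priority baseline deny from everywhere, scoped to the proxies of
# one forwarding rule (omit --target-forwarding-rules to cover every LB in the VPC).
create_deny_baseline() {
  run gcloud compute network-firewall-policies rules create "$DENY_PRIORITY" \
    --firewall-policy="$POLICY" --firewall-policy-region="$REGION" \
    --direction=INGRESS --action=deny --layer4-configs=all \
    --src-ip-ranges=0.0.0.0/0 --target-type=INTERNAL_MANAGED_LB \
    --target-forwarding-rules="$FWD_RULE" --enable-logging
}
# Step 3b: higher-priority allow for the approved client range on the LB ports.
create_allow_clients() {
  run gcloud compute network-firewall-policies rules create "$ALLOW_PRIORITY" \
    --firewall-policy="$POLICY" --firewall-policy-region="$REGION" \
    --direction=INGRESS --action=allow --layer4-configs=tcp:80,tcp:443 \
    --src-ip-ranges="$ALLOWED_SRC" --target-type=INTERNAL_MANAGED_LB \
    --target-forwarding-rules="$FWD_RULE" --enable-logging
}
# Apply all steps in order, refusing to proceed when the priorities are inverted.
apply_all() {
  priority_order_ok || { echo "allow priority must be lower than deny priority" >&2; return 1; }
  create_policy; associate_policy; create_deny_baseline; create_allow_clients
}
if [ "${1:-}" = "--apply" ]; then apply_all; fi
```

Run it as `sh fw-policy.sh --apply` to print the four commands, and with `DRY_RUN=0` to execute them against the project that gcloud is configured for.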