Some or all of the information on this page might not apply to Cloud de Confiance by S3NS. See Differences from Google Cloud for more details.

Manage address groups for firewall policies

To manage address groups, you must first identify the scope of the address group relevant to your requirement. The scope identifies the level at which the address group is applicable in the resource hierarchy.

If you want to use an address group in a firewall policy rule that applies to an individual project, use a project-scoped address group.

If you want to use an address group in a firewall policy rule that is applicable throughout the hierarchy on all resources in an organization or network, use an organization-scoped address group. For more information, see Address groups for firewall policies

Project-scoped address groups

This section provides detailed information about how to manage project-scoped address groups.

Describe an address group

To view the details of an address group, you must specify the name and location of the address group.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

networksecurity.addressGroups.get

Roles

compute.securityAdmin
compute.networkAdmin
compute.networkUser

Console

In the Cloud de Confiance console, go to the Address groups page.

Go to Address groups
In the project selector menu, select your project.
The address groups are listed in the Address groups section.
To view the details, click the name of your address group.

gcloud

To describe an address group, use the gcloud network-security address-groups describe command:

gcloud network-security address-groups describe NAME \
    --location LOCATION

Update an address group

You cannot update the name, type, or capacity of the address group. You can only update the address group description and IP addresses.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.regions.list
networksecurity.addressGroups.update
networksecurity.operations.get

Roles

compute.securityAdmin
compute.networkAdmin

Console

In the Cloud de Confiance console, go to the Address groups page.

Go to Address groups
In the project selector menu, select your project.
The address groups are listed in the Address groups section.
To edit an address group, click the name of your address group.
Click Edit.
Modify the required fields.
Click Save.

gcloud

To update an address group, use the gcloud network-security address-groups update command:

gcloud network-security address-groups update NAME \
    --description DESCRIPTION \
    --location LOCATION

List address groups

You can list all the address groups in a location.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

networksecurity.addressGroups.list

Roles

compute.securityAdmin
compute.networkAdmin
compute.networkUser

Console

In the Cloud de Confiance console, go to the Address groups page.

Go to Address groups
In the project selector menu, select your project.
The address groups are listed in the Address groups section.

gcloud

To list the address groups, use the gcloud network-security address-groups list command:

gcloud network-security address-groups list \
    --location LOCATION

Delete an address group

You can delete an address group by specifying its name and location. However, if the address group is referenced by a firewall policy, that address group cannot be deleted.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

networksecurity.addressGroups.delete
networksecurity.operations.get

Roles

compute.securityAdmin
compute.networkAdmin

Console

In the Cloud de Confiance console, go to the Address groups page.

Go to Address groups
In the project selector menu, select your project.
The address groups are listed in the Address groups section.
Select the checkbox next to the address group that you want to delete. Make sure that the selected address group is not referenced by any firewall policy.
Click Delete, and then click Delete again to confirm.

gcloud

To delete an address group in a project, use the gcloud network-security address-groups delete command:

gcloud network-security address-groups delete NAME \
  --location LOCATION

Find address group references

An address group is used by firewall policies. You can find the list of all the firewall policies that use a specific address group.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

networksecurity.addressGroups.get

Roles

compute.securityAdmin
compute.networkAdmin
compute.networkUser

Console

In the Cloud de Confiance console, go to the Address groups page.

Go to Address groups
In the project selector menu, select your project.
The address groups are listed in the Address groups section.
Click the name of your address group.
In the In use by field, the firewall policies that use this address group are listed in the following format:

POLICY_NAME(rule priority:PRIORITY_NUMBER)

gcloud

To list all the resources that reference a project-scoped address group, use the gcloud network-security address-groups list-references command:

gcloud network-security address-groups list-references NAME \
    --location LOCATION

Add items to an address group

You can add multiple items such as IP addresses or IP ranges to an address group. If the request contains items that are already part of the address groups, those items are ignored. If the request contains invalid items, the entire request fails.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.regions.list
networksecurity.addressGroups.update
networksecurity.operations.get

Roles

compute.securityAdmin
compute.networkAdmin

Console

To add an item to an address group by using Cloud de Confiance console, follow the procedure mentioned in Update an address group.

gcloud

To add items to an address group, use the gcloud network-security address-groups add-items command:

gcloud network-security address-groups add-items NAME \
    --items ITEMS \
    --location LOCATION

Replace the following:

NAME: the name of the address group; you can specify the name as a string or as a unique URL identifier
ITEMS: a comma-separated list of IP addresses or IP ranges in CIDR format
LOCATION: the location of the address group

This can be set to global or a region code (such as europe-west). If you use a unique URL identifier for the name parameter, you can omit the location parameter.

Remove items from an address group

You can remove existing items from an address group. If any of the items in the request are invalid, the request fails. If the request contains items that are not part of the address group, those items are ignored.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

compute.regions.list
networksecurity.addressGroups.update
networksecurity.operations.get

Roles

compute.securityAdmin
compute.networkAdmin

Console

To remove an item from an address group by using Cloud de Confiance console, follow the procedure mentioned in Update an address group.

gcloud

To remove items from an address group, use the gcloud network-security address-groups remove-items command:

gcloud network-security address-groups remove-items NAME \
    --items ITEMS \
    --location LOCATION

Replace the following:

NAME: the name of the address group; you can specify the name as a string or as a unique URL identifier
ITEMS: a comma-separated list of IP addresses or IP ranges in CIDR format to be removed
LOCATION: the location of the address group

This can be set to global or a region code (such as europe-west). If you use a unique URL identifier for the name parameter, you can omit the location parameter.

Organization-scoped address groups

This section provides detailed information about how to manage organization-scoped address groups.

Describe an address group

You can view the details of a specific address group.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

networksecurity.addressGroups.get

Roles

compute.securityAdmin
compute.networkAdmin
compute.networkUser

Console

In the Cloud de Confiance console, go to the Address groups page.

Go to Address groups
In the project selector menu, select your organization.
The address groups are listed in the Address groups section.
To view the details, click the name of your address group.

gcloud

To describe an organization-scoped address group, use the gcloud network-security org-address-groups describe command:

gcloud network-security org-address-groups describe NAME \
    --organization ORGANIZATION \
    --location LOCATION

Update an address group

You cannot update the name, type, or capacity of the address group. You can only update the address group description and IP addresses.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

networksecurity.addressGroups.update
networksecurity.locations.list
networksecurity.operations.get

Roles

compute.securityAdmin
compute.networkAdmin

Console

In the Cloud de Confiance console, go to the Address groups page.

Go to Address groups
In the project selector menu, select your organization.
The address groups are listed in the Address groups section.
To edit an address group, click the name of your address group.
Click Edit.
Modify the required fields.
Click Save.

gcloud

To update an organization-scoped address group, use the gcloud network-security org-address-groups update command:

gcloud network-security org-address-groups update NAME \
    --organization ORGANIZATION \
    --description DESCRIPTION \
    --location LOCATION

List address groups

You can list all the address groups in a location.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

networksecurity.addressGroups.list

Roles

compute.securityAdmin
compute.networkAdmin
compute.networkUser

Console

In the Cloud de Confiance console, go to the Address groups page.

Go to Address groups
In the project selector menu, select your organization.
The address groups are listed in the Address groups section.

gcloud

To list the address groups in an organization, use the gcloud network-security org-address-groups list command:

gcloud network-security org-address-groups list \
    --organization ORGANIZATION \
    --location LOCATION

Delete an address group

You can delete an address group by specifying its name, organization, and location. If the address group is referenced by a firewall policy, that address group cannot be deleted.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

networksecurity.addressGroups.delete
networksecurity.operations.get

Roles

compute.securityAdmin
compute.networkAdmin

Console

In the Cloud de Confiance console, go to the Address groups page.

Go to Address groups
In the project selector menu, select your organization.
The address groups are listed in the Address groups section.
Select the checkbox next to the address group that you want to delete. Make sure that the selected address group is not referenced by any firewall policy.
Click Delete, and then click Delete again to confirm.

gcloud

To delete an organization-scoped address group, use the gcloud network-security org-address-groups delete command:

gcloud network-security org-address-groups delete NAME \
  --organization ORGANIZATION \
  --location LOCATION

Find address group references

An address group is used by the firewall policies. You can find the list of all the firewall policies that use a specific address group.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

networksecurity.addressGroups.get

Roles

compute.securityAdmin
compute.networkAdmin
compute.networkUser

Console

In the Cloud de Confiance console, go to the Address groups page.

Go to Address groups
In the project selector menu, select your organization.
The address groups are listed in the Address groups section.
Click the name of your address group.
In the In use by field, the firewall policies that use this address group are listed in the following format:

POLICY_NAME(rule priority:PRIORITY_NUMBER)

gcloud

To list all the resources that reference an organization-scoped address group, use the gcloud network-security org-address-groups list-references command:

gcloud network-security org-address-groups list-references NAME \
    --organization ORGANIZATION \
    --location LOCATION

Add items to an address group

You can add multiple items such as IP addresses or IP ranges to an address group. If the request contains items that are already part of the address group, such items are ignored. If the request contains invalid items, the entire request fails.

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

networksecurity.addressGroups.update
networksecurity.locations.list
networksecurity.operations.get

Roles

compute.securityAdmin
compute.networkAdmin

Console

To add an item to an organization-scoped address group by using Cloud de Confiance console, follow the procedure mentioned in Update an address group.

gcloud

To add items to an organization-scoped address group, use the gcloud network-security org-address-groups add-items command:

gcloud network-security org-address-groups add-items NAME \
    --organization ORGANIZATION \
    --items ITEMS \
    --location LOCATION

Replace the following:

NAME: the name of the address group; you can specify the name as a string or as a unique URL identifier
ORGANIZATION: the organization ID where the address group is created

If you use a unique URL identifier for the name parameter, you can omit the organization parameter.
ITEMS: a comma-separated list of IP addresses or IP ranges in CIDR format
LOCATION: the location of the address group

This can be set to global or a region code (such as europe-west). If you use a unique URL identifier for the name parameter, you can omit the location parameter.

Remove items from an address group

Permissions required for this task

To perform this task, you must have been granted the following permissions or one of the following IAM roles.

Permissions

networksecurity.addressGroups.update
networksecurity.locations.list
networksecurity.operations.get

Roles

compute.securityAdmin
compute.networkAdmin

Console

To remove an item from an organization-scoped address group by using Cloud de Confiance console, follow the procedure mentioned in Update an address group.

gcloud

To remove an item from an organization-scoped address group, use the gcloud network-security org-address-groups remove-items command:

gcloud network-security org-address-groups remove-items NAME \
    --organization ORGANIZATION \
    --items ITEMS \
    --location LOCATION

Replace the following:

NAME: the name of the address group; you can specify the name as a string or as a unique URL identifier
ORGANIZATION: the organization ID where the address group is created

If you use a unique URL identifier for the name parameter, you can omit the organization parameter.
ITEMS: a comma-separated list of IP addresses or IP ranges in CIDR format to be removed
LOCATION: the location of the address group

This can be set to global or a region code (such as europe-west). If you use a unique URL identifier for the name parameter, you can omit the location parameter.

Manage address groups for firewall policies

Project-scoped address groups

Describe an address group

Permissions required for this task

Console

gcloud

Update an address group

Permissions required for this task

Console

gcloud

List address groups

Permissions required for this task

Console

gcloud

Delete an address group

Permissions required for this task

Console

gcloud

Find address group references

Permissions required for this task

Console

gcloud

Add items to an address group

Permissions required for this task

Console

gcloud

Remove items from an address group

Permissions required for this task

Console

gcloud

Organization-scoped address groups

Describe an address group

Permissions required for this task

Console

gcloud

Update an address group

Permissions required for this task

Console

gcloud

List address groups

Permissions required for this task

Console

gcloud

Delete an address group

Permissions required for this task

Console

gcloud

Find address group references

Permissions required for this task

Console

gcloud

Add items to an address group

Permissions required for this task

Console

gcloud

Remove items from an address group

Permissions required for this task

Console

gcloud

What's next