This document explains how to create and manage secure tags for firewall policies. Before using secure tags in firewall policies or binding them to resources, you must create them.
This document covers the following topics:
- Granting appropriate permissions to manage and use tags
- Creating tag keys and values
- Creating firewall policies and rules that use secure tags
- Binding secure tags to virtual machine (VM) instances
- Using secure tags across peered networks
For more information about secure tags and how they work, see Secure tags for firewalls.
Grant permissions to secure tags
An organization administrator can grant roles at the organization level, and a project owner can grant roles at the project level.
Grant Tag Administrator role
The Tag Administrator role (roles/resourcemanager.tagAdmin) lets you create,
update, and delete secure tags.
Console
To grant the Tag Administrator role (roles/resourcemanager.tagAdmin)
to the user, do the following:
- In the Cloud de Confiance console, go to the IAM page. 
- In the project selector list, select the organization or project that you want to grant the role to. 
- Click Grant access. 
- In the New principals field, enter the email address of the user. For example, //iam.googleapis.com/locations/global/workforcePools/my-pool/subject/my-user@example.com.
- In the Select a role list, enter Tag in the Filter field and then select Tag administrator. 
- Click Save. 
gcloud
To grant the Tag Administrator role (roles/resourcemanager.tagAdmin)
to an IAM principal in an organization's IAM
policy, use the
gcloud organizations add-iam-policy-binding command:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member=user:EMAIL_ADDRESS \
    --role=roles/resourcemanager.tagAdmin
Replace the following:
- ORGANIZATION_ID: your organization's ID
- EMAIL_ADDRESS: the email address of the user
Grant Tag User role
The Tag User role (roles/resourcemanager.tagUser) lets you access the
list of secure tags and manage their associations with the resources.
Console
To grant the Tag User role (roles/resourcemanager.tagUser) to the user,
do the following:
- In the Cloud de Confiance console, go to the IAM page. 
- In the project selector list, select the organization or project that you want to grant the role to. 
- Click Grant access. 
- In the New principals field, enter the email address of the user. For example, //iam.googleapis.com/locations/global/workforcePools/my-pool/subject/my-user@example.com.
- In the Select a role list, enter Tag in the Filter field and then select Tag user. 
- Optional: Add a condition to the role. 
- Click Save. 
gcloud
- To grant the Tag User role (roles/resourcemanager.tagUser) to the user for a specific tag key, use the gcloud resource-manager tags keys add-iam-policy-binding command:

      gcloud resource-manager tags keys add-iam-policy-binding ORGANIZATION_ID/TAG_KEY \
          --member=user:EMAIL_ADDRESS \
          --role=roles/resourcemanager.tagUser

  Replace the following:
  - ORGANIZATION_ID: your organization's ID
  - TAG_KEY: the secure tag key
  - EMAIL_ADDRESS: the email address of the user

- To grant the Tag User role (roles/resourcemanager.tagUser) to an IAM principal so that they can use all tag values of every tag key in the organization, use the gcloud organizations add-iam-policy-binding command:

      gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
          --member=user:EMAIL_ADDRESS \
          --role=roles/resourcemanager.tagUser

  Replace the following:
  - ORGANIZATION_ID: your organization's ID
  - EMAIL_ADDRESS: the email address of the user

- To grant the Tag User role (roles/resourcemanager.tagUser) to an IAM principal so that they can use a specific tag value of a tag key whose parent is the organization, use the gcloud resource-manager tags values add-iam-policy-binding command:

      gcloud resource-manager tags values add-iam-policy-binding ORGANIZATION_ID/TAG_KEY/TAG_VALUE \
          --member=user:EMAIL_ADDRESS \
          --role=roles/resourcemanager.tagUser

  Replace the following:
  - ORGANIZATION_ID: your organization's ID
  - TAG_KEY: the secure tag key
  - TAG_VALUE: the secure tag value
  - EMAIL_ADDRESS: the email address of the user

- To grant the Tag User role (roles/resourcemanager.tagUser) to an IAM principal so that they can use all tag values of every tag key in a project, use the gcloud projects add-iam-policy-binding command:

      gcloud projects add-iam-policy-binding PROJECT_NAME \
          --member=user:EMAIL_ADDRESS \
          --role=roles/resourcemanager.tagUser

  Replace the following:
  - PROJECT_NAME: name of your project
  - EMAIL_ADDRESS: the email address of the user
Custom roles to manage secure tags
The Tag Administrator role (roles/resourcemanager.tagAdmin) lets you create,
update, and delete secure tags.
If you need only some of these capabilities, create a custom
Identity and Access Management (IAM) role that holds just the relevant permissions and grant
that role to the target user instead. For the list of relevant permissions,
see IAM roles.
Secure tags used in firewall policies must be designated with a GCE_FIREWALL
purpose. While the GCE_FIREWALL purpose is required for the secure tag to be
used in networking features, you can use the secure tag for other actions.
Create the secure tag keys and values
Before you can use secure tags in firewall policies, you must create the secure tag keys and values.
After the tag key is created, it cannot be changed, and it must be unique within the same namespace.
Console
To create a secure tag key and values, do the following:
- In the Cloud de Confiance console, go to the Tags page. 
- In the project selector list, select the organization or project under which you want to create a tag key. 
- Click Create. 
- In the Tag key field, enter the display name of your tag key. This becomes part of the namespace name of your tag. 
- Optional: In the Tag key description field, enter a description of your tag key. 
- For Tag purpose select For use with Cloud NGFW. 
- To create a secure tag, do one of the following:
  - If purpose data specifies a network, select Restrict scope to a single network.
  - If purpose data specifies an organization, clear Restrict scope to a single network.
- In the Network selection tab, select the organization or project under which you want to create a secure tag key. 
- In the Network list, select the network. 
- If you want to add tag values to this key, click Add value for each tag value you want to create. 
- In the Tag value field, enter the display name of your tag value. This becomes part of the namespace name of your tag. 
- Optional: In the Tag value description field, enter a description of your tag value. 
- When you have finished adding tag values, click Create tag key. 
gcloud
- After getting the required permissions, create the secure tag key at the organization or project level.
  - To create a secure tag key for an organization, use the gcloud resource-manager tags keys create command:

        gcloud resource-manager tags keys create TAG_KEY \
            --parent organizations/ORGANIZATION_ID \
            --purpose GCE_FIREWALL \
            --purpose-data organization=auto

    Replace the following:
    - TAG_KEY: the secure tag key
    - ORGANIZATION_ID: your organization's ID
  - To create a secure tag key for a parent project or an organization whose purpose data identifies a single VPC network, use the gcloud resource-manager tags keys create command:

        gcloud resource-manager tags keys create TAG_KEY \
            --parent organizations/ORGANIZATION_ID \
            --purpose GCE_FIREWALL \
            --purpose-data network=PROJECT_ID/NETWORK

    Replace the following:
    - TAG_KEY: the secure tag key
    - ORGANIZATION_ID: your organization's ID
    - PROJECT_ID: your project's ID
    - NETWORK: the name of your network
- To add the relevant secure tag values to the secure tag key, use the gcloud resource-manager tags values create command:

      gcloud resource-manager tags values create TAG_VALUE \
          --parent ORGANIZATION_ID/TAG_KEY

  Replace the following:
  - TAG_VALUE: the value to assign to the secure tag key
  - ORGANIZATION_ID: your organization's ID
  - TAG_KEY: the secure tag key

  Run the command multiple times to add multiple values. Make sure that each secure tag value added to the secure tag key is unique.
Create a firewall policy
You can use secure tag keys in firewall policies after you create them. You can use secure tag keys defined at the organization level in hierarchical firewall policies or network firewall policies. You can only use secure tags defined at the network level in network firewall policies.
Create a hierarchical firewall policy
You can create a policy under any resource (organization or folder) of your organization hierarchy.
Console
- In the Cloud de Confiance console, go to the Firewall policies page. 
- In the project selector list, select your organization ID or a folder within your organization. 
- Click Create firewall policy. 
- In the Policy name field, enter the name. 
- If you want to create rules for your policy, click Continue > Create firewall rule. For details, see Create a hierarchical firewall policy rule with secure tags.
- If you want to associate the policy with a resource, click Continue > Add. For details, see Associate a policy with the organization or folder.
- Click Continue > Create. 
gcloud
To create a hierarchical firewall policy, use the
gcloud compute firewall-policies create command:
gcloud compute firewall-policies create \
    [--organization ORGANIZATION_ID] | [--folder FOLDER_ID] \
    --short-name SHORT_NAME
Replace the following:
- ORGANIZATION_ID: your organization's ID. Specify this ID if you are creating the policy at the organization level. This ID only indicates where the policy lives; it doesn't automatically associate the policy with the organization resource.
- FOLDER_ID: the ID of a folder. Specify this ID if you are creating the policy in a given folder. This ID only indicates where the policy lives; it doesn't automatically associate the policy with that folder.
- SHORT_NAME: a name for the policy. A policy created by using the Google Cloud CLI has two names: a system-generated name and a short name provided by you. When using the Google Cloud CLI to update an existing policy, you can provide either the system-generated name or the short name and the organization ID. When using the API to update the policy, you must provide the system-generated name.
Create a global network firewall policy
After creating a secure tag, you can use it in rules of a global network firewall policy.
Console
- In the Cloud de Confiance console, go to the Firewall policies page. 
- In the project selector list, select your project within your organization. 
- Click Create firewall policy. 
- In the Policy name field, enter the name. 
- For Deployment scope, select Global. 
- If you want to create rules for your policy, click Continue > Create firewall rule. For details, see Create a network firewall policy rule with secure tags.
- If you want to associate the policy with a network, click Continue > Associate. For details, see Associate a policy with the network.
- Click Continue > Create. 
gcloud
To create a network firewall policy, use the
gcloud compute network-firewall-policies create command:
gcloud compute network-firewall-policies create \
    NETWORK_FIREWALL_POLICY_NAME \
    --description DESCRIPTION \
    --global
Replace the following:
- NETWORK_FIREWALL_POLICY_NAME: a name for the policy
- DESCRIPTION: a description for the policy
Create a firewall policy rule with secure tags
After creating a secure tag and a firewall policy, you can create a firewall policy rule with the specific source tag values and target tag values to allow the chosen traffic between the VMs with the source tags and destination tags.
Create a hierarchical firewall policy rule with secure tags
You can create a hierarchical firewall policy rule with the specific source and target keys and values only if you have created a hierarchical firewall policy. For more information, see Create a hierarchical firewall policy.
Console
- In the Cloud de Confiance console, go to the Firewall policies page. 
- In the project selector list, select your organization ID or the folder that contains your policy. 
- Click the name of your policy and then click Create firewall rule. 
- Enter the priority of the rule. 
- Specify the direction of traffic. 
- For Action on match, choose a setting. 
- For Logs, choose On or Off. 
- For Target, select Secure tags, and then click Select scope for tags. 
- On the Select a resource page, select the organization or project in which you want to create secure tags. 
- Enter the key-value pairs to which the rule is to apply. 
- To add more key-value pairs, click Add tag. 
- In the Source section, for Tags, click Select scope for tags. 
- On the Select a resource page, select the organization or folder that contains the secure tag keys. 
- Click Create. 
gcloud
To create a hierarchical firewall policy rule, use the
gcloud compute firewall-policies rules create command:
gcloud compute firewall-policies rules create PRIORITY \
    --firewall-policy FIREWALL_POLICY_NAME \
    --src-secure-tags ORGANIZATION_ID/TAG_KEY/TAG_VALUE \
    --target-secure-tags ORGANIZATION_ID/TAG_KEY/TAG_VALUE \
    --direction DIRECTION \
    --action ACTION \
    --layer4-configs tcp:PORT
Replace the following:
- PRIORITY: the numeric priority of the rule; rules with lower numbers are evaluated first
- FIREWALL_POLICY_NAME: the name of the hierarchical firewall policy
- ORGANIZATION_ID: your organization's ID
- TAG_KEY: the secure tag key
- TAG_VALUE: the value to assign to the secure tag key
- DIRECTION: whether the rule is an ingress or egress rule
- ACTION: one of the following actions:
  - allow: allows connections that match the rule
  - deny: denies connections that match the rule
  - goto_next: passes connection evaluation to the next level in the hierarchy, either a folder or the network
- PORT: the port number to access the resource
Create a network firewall policy rule with secure tags
You can create a network firewall policy rule with the specific source tag values and target tag values that allow the chosen traffic between the VMs with the source tags and destination tags. For more information, see Create a global network firewall policy.
Console
- In the Cloud de Confiance console, go to the Firewall policies page. 
- In the project selector list, select your project or the folder that contains your policy. 
- Click the name of your policy and then click Create firewall rule. 
- Enter the priority of the rule. 
- Specify the direction of traffic. 
- For Action on match, choose a setting. 
- For Logs, choose On or Off. 
- For Target, select Secure tags, and then click Select scope for tags. 
- On the Select a resource page, select the organization or project in which you want to create secure tags. 
- Enter the key-value pairs to which the rule is to apply. 
- To add more key-value pairs, click Add tag. 
- In the Source section, for Tags, click Select scope for tags. 
- On the Select a resource page, select the organization or folder that contains the secure tag keys. 
- Click Create. 
gcloud
To create a network firewall policy rule, use the
gcloud compute network-firewall-policies rules create command:
gcloud compute network-firewall-policies rules create PRIORITY \
    --firewall-policy FIREWALL_POLICY_NAME \
    --src-secure-tags ORGANIZATION_ID/TAG_KEY/TAG_VALUE \
    --target-secure-tags ORGANIZATION_ID/TAG_KEY/TAG_VALUE \
    --direction DIRECTION \
    --action ACTION \
    --layer4-configs tcp:PORT \
    --global-firewall-policy
Replace the following:
- PRIORITY: the numeric priority of the rule; rules with lower numbers are evaluated first
- FIREWALL_POLICY_NAME: the name of the global network firewall policy
- ORGANIZATION_ID: your organization's ID
- TAG_KEY: the secure tag key
- TAG_VALUE: the value to assign to the secure tag key
- DIRECTION: whether the rule is an ingress or egress rule
- ACTION: one of the following actions:
  - allow: allows connections that match the rule
  - deny: denies connections that match the rule
  - goto_next: passes connection evaluation to the next level in the hierarchy, either a folder or the network
- PORT: the port number to access the resource
Bind secure tags
To understand how secure tag binding works for both network firewall policies and hierarchical firewall policies, see Bind secure tags.
Before you begin
- Make sure that you have the Tag Administrator role (roles/resourcemanager.tagAdmin). As a tag administrator, you can bind the secure tags to individual VM instances.
- If you don't have the Tag Administrator role (roles/resourcemanager.tagAdmin), you can ask the organization administrator to grant you the Tag User role (roles/resourcemanager.tagUser). For more information, see Grant permissions to secure tags.
- Make sure that you have the Tag User role (roles/resourcemanager.tagUser) on the resources to which the tags are bound. For more information about how to grant the Tag User role (roles/resourcemanager.tagUser) on the resources to which the tags are to be bound, see Grant permissions to secure tags.
- Make sure that you have created the secure tag keys and values and a firewall policy rule with secure tags.
- Make sure that you have created a VM instance. For more information, see Create and start a Compute Engine instance.
Bind secure tags to VM instances
You can attach existing tags to certain resources. After the resource is created, attach tags to that resource by using the following instructions.
Console
To bind the secure tags to VM instances, do the following:
- In the Cloud de Confiance console, go to the VM instances page. 
- Select your project and click Continue. 
- In the Name column, click the name of the VM for which you want to add tags. 
- From the VM instance details page, complete the following steps:
  - Click Edit.
  - In the Basic information section, click Manage tags and add the tags that you want for the instance.
  - Click Save.
gcloud
For information about how to use these flags, read Attaching tags to resources in the Resource Manager documentation.
For example, the following command attaches a tag to a VM:
gcloud resource-manager tags bindings create \
    --location LOCATION_NAME \
    --tag-value=tagValues/TAGVALUE_ID \
    --parent=//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE/instances/VM_ID
Replace the following:
- LOCATION_NAME: the region that contains the target resource; in this example, the region of the VM instance
- TAGVALUE_ID: the numeric ID of the tag value
- PROJECT_NUMBER: the numeric ID of your project that contains the target resource
- ZONE: the zone that contains the target resource; in this example, the zone of the VM instance
- VM_ID: the VM instance ID
REST
To attach a tag to a resource, you must first create a JSON representation of a tag binding that includes the permanent ID or namespace name of the tag value and the permanent ID of the resource. For more information about the format of a tag binding, see the tagBindings reference.
To attach the tag to a zonal resource, such as a VM instance, use
the tagBindings.create method with the regional endpoint where your resource
is located. For example:
POST https://LOCATION_NAME-cloudresourcemanager.googleapis.com/v3/tagBindings
The request body can be one of the following two options:
{
  "parent": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE/instances/VM_ID",
  "tagValue": "tagValues/TAGVALUE_ID"
}

{
  "parent": "//compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE/instances/VM_ID",
  "tagValueNamespacedName": "TAGVALUE_NAMESPACED_NAME"
}
Replace the following:
- LOCATION_NAME: the region that contains the target resource; in this example, the region of the VM instance
- PROJECT_NUMBER: the numeric ID of your project that contains the target resource
- ZONE: the zone that contains the target resource; in this example, the zone of the VM instance
- VM_ID: the VM instance ID
- TAGVALUE_ID: the permanent ID of the tag value that is attached, for example 4567890123
- TAGVALUE_NAMESPACED_NAME: the namespace name of the tag value that is attached, in the format parentNamespace/tagKeyShortName/tagValueShortName
Add secure tags to a VM instance during VM creation
In certain scenarios, you might want to tag resources during resource creation, rather than after the resource is created.
Console
Depending on the resource type, the exact steps might vary. The following steps are for a VM:
- In the Cloud de Confiance console, go to the VM instances page. 
- Select your project and click Continue. 
- Click Create instance. The Create an instance page appears and displays the Machine configuration pane. 
- In the navigation menu, click Advanced. In the Advanced pane that appears, do the following:
  - Expand the Manage tags and labels section.
  - Click Add tags.
  - In the Tags pane that opens, follow the instructions to add a tag to the instance.
  - Click Save.
- Specify other configuration options for your instance. For more information, see Configuration options during instance creation. 
- To create and start the VM, click Create. 
gcloud
To attach a tag to a resource during resource creation, add the
--resource-manager-tags flag with the respective create command. For
example, to attach a tag to a VM, use the following command:
gcloud compute instances create INSTANCE_NAME \
    --zone=ZONE \
    --resource-manager-tags=tagKeys/TAGKEY_ID=tagValues/TAGVALUE_ID
Replace the following:
- INSTANCE_NAME: the name of your VM instance
- ZONE: the zone that contains the VM instance
- TAGKEY_ID: the permanent numeric ID of the tag key
- TAGVALUE_ID: the permanent numeric ID of the tag value that is attached, for example 4567890123
Specify multiple tags by separating the tags with a comma, for example,
TAGKEY1=TAGVALUE1,TAGKEY2=TAGVALUE2.
REST
Make a POST request to the following URL:
POST https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/instances
Include the following request JSON body:
{
  "name": "INSTANCE_NAME",
  "params": {
    "resourceManagerTags": {
      "tagKeys/TAGKEY_ID": "tagValues/TAGVALUE_ID"
    }
  }
  // other fields omitted
}
Replace the following:
- INSTANCE_NAME: the name of your VM instance
- TAGKEY_ID: the permanent numeric ID of the tag key
- TAGVALUE_ID: the permanent numeric ID of the tag value that is attached, for example 4567890123
Use secure tags across peered networks
You can use secure tags in VPC Network Peering. Assume that the connected
networks are server and client. To use secure tags across two connected
Cloud de Confiance networks, complete the following tasks in the specified
order.
- Assign the Tag Administrator role (roles/resourcemanager.tagAdmin) to the user. An organization administrator grants the Tag Administrator role (roles/resourcemanager.tagAdmin) to users at the organization level, and a project owner can grant it at the project level. For more information, see Grant permissions to secure tags.
- Create a secure tag key and value in the server network. For information about how to create secure tag keys and values, see Create the secure tag keys and values.
- Create a firewall policy rule in the server network to allow ingress traffic from the secure tag created in the preceding step. For more information, see Create a firewall policy rule with secure tags.
- Grant the client user the required permissions on the secure tags in both VPC networks. For more information, see Grant permissions to secure tags.
- In the client network, bind the secure tags to a VM instance. For more information, see Bind secure tags. The client VM can now open connections to the server VM.
- The server's firewall policy rule allows the traffic because it comes from a VM bound to the secure tag that the rule names as its source. The rule also allows the response packets because egress traffic is allowed by default.
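The following is an added example, not code from this page or from Google, that chains the page's gcloud commands into one script for steps 2, 3 and 5 of the peered-network procedure above. Every name and ID in it (organization 123456789012, the projects, the tag key app-tier with values web and api, the policy server-policy) is a constructed placeholder, and the policy association command is assumed from the gcloud CLI rather than taken from this page.

```shell
#!/bin/sh
# Added example (not from the page): scripts the peered-network procedure
# above with the page's gcloud commands. All IDs are constructed placeholders.
# DRY_RUN=1 (default) prints each command so the change set can be reviewed
# before anything is created; DRY_RUN=0 executes gcloud.
set -eu

ORGANIZATION_ID="123456789012"        # constructed
SERVER_PROJECT="server-proj"          # constructed: project that owns the server VPC
SERVER_NETWORK="server-vpc"           # constructed
CLIENT_PROJECT_NUMBER="987654321098"  # constructed: numeric project number
CLIENT_VM_ID="4242424242424242424"    # constructed: client VM instance ID
CLIENT_ZONE="us-central1-a"           # constructed
CLIENT_LOCATION="us-central1"         # constructed: --location as described above
TAG_KEY="app-tier"                    # constructed: key scoped to the server VPC
SERVER_VALUE="api"                    # constructed: value bound to server VMs
CLIENT_VALUE="web"                    # constructed: value bound to the client VM
POLICY="server-policy"                # constructed: global network firewall policy
PORT="443"

run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 2: GCE_FIREWALL key scoped to the server network, with one value per role.
create_server_tag() {
  run gcloud resource-manager tags keys create "$TAG_KEY" \
    --parent "organizations/$ORGANIZATION_ID" --purpose GCE_FIREWALL \
    --purpose-data "network=$SERVER_PROJECT/$SERVER_NETWORK"
  for v in "$SERVER_VALUE" "$CLIENT_VALUE"; do
    run gcloud resource-manager tags values create "$v" \
      --parent "$ORGANIZATION_ID/$TAG_KEY"
  done
}

# Step 3: policy in the server project, associated with the server VPC, and
# one ingress rule that allows only web-tagged sources to reach api-tagged
# targets on PORT. The association command is not on this page (assumption).
create_server_rule() {
  run gcloud compute network-firewall-policies create "$POLICY" \
    --project "$SERVER_PROJECT" --global
  run gcloud compute network-firewall-policies associations create \
    --firewall-policy "$POLICY" --network "$SERVER_NETWORK" \
    --project "$SERVER_PROJECT" --global-firewall-policy
  run gcloud compute network-firewall-policies rules create 1000 \
    --firewall-policy "$POLICY" --project "$SERVER_PROJECT" \
    --src-secure-tags "$ORGANIZATION_ID/$TAG_KEY/$CLIENT_VALUE" \
    --target-secure-tags "$ORGANIZATION_ID/$TAG_KEY/$SERVER_VALUE" \
    --direction INGRESS --action allow \
    --layer4-configs "tcp:$PORT" --global-firewall-policy
}

# Step 5: bind the client value to the client VM by namespaced name
# (accepted by --tag-value alongside the tagValues/ID form shown above).
bind_client_vm() {
  run gcloud resource-manager tags bindings create \
    --location "$CLIENT_LOCATION" \
    --tag-value "$ORGANIZATION_ID/$TAG_KEY/$CLIENT_VALUE" \
    --parent "//compute.googleapis.com/projects/$CLIENT_PROJECT_NUMBER/zones/$CLIENT_ZONE/instances/$CLIENT_VM_ID"
}

main() { create_server_tag; create_server_rule; bind_client_vm; }
main
```

Review the dry-run output before setting DRY_RUN=0: the rule's source and target tags are the only thing that separates the client tier from every other peered VM, so they should match the values you intend to bind.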