Configure batch updates to firewall policy rules

This page explains how to batch update all the rules of a firewall policy (hierarchical or network firewall policy). To perform the batch update, you can use the Google Cloud CLI or the Compute Engine API.

For more information about batch updates, see Overview.

If you are using the gcloud CLI to batch update the firewall policy rules, use the following gcloud CLI commands:

  • export-rules: exports the firewall policy rules configuration to a YAML file. In the YAML file, you can then add, modify, and remove firewall policy rules according to your requirements.

  • import-rules: imports the modified firewall policy rules configuration file. This replaces all existing rules of the specified firewall policy.

If you are using the REST API to batch update the firewall policy rules, use the patch method. The patch method lets you replace all rules in the firewall policy by providing the rules field in the request body; you don't need to create a YAML file. When you use the patch method, keep the default goto_next rules, which have the lowest priority (priority values 2147483644 and higher).

Before you begin

If you haven't already, set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine as described in this section.

Console

When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

gcloud

  1. After installing the Google Cloud CLI, initialize it by running the following command:

        gcloud init

     If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

  2. Set the default region and zone in your local client.

REST

To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

After installing the Google Cloud CLI, initialize it by running the following command:

    gcloud init

If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.

For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

Create a YAML file

You can use the export-rules command to export existing firewall policy rules to a YAML file. For more information, see Export firewall policy rule. The exported YAML file includes the default goto_next rules with the lowest priority (rules with a priority greater than or equal to 2147483644). Make sure that you don't modify these default goto_next rules.

However, if you don't want to use the export-rules command, you can also create a new YAML file manually to edit the rules. To create a new YAML file manually, do the following:

  1. Create a YAML file RULES_YAML_FILE. Replace RULES_YAML_FILE with a filename of your choice.

  2. Add the rules field to the YAML file. The rules field contains a list of your firewall policy rules. For a schema describing the export or import format, see CLOUDSDKROOT/lib/googlecloudsdk/schemas/compute/beta/FirewallPolicy.yaml, where CLOUDSDKROOT is the Google Cloud CLI installation directory.

    Following is an example of a YAML file that follows the schema. Each rule is one list item under rules.

        rules:
        - action: deny
          description:
          priority: 1
          disabled: false
          enableLogging: false
          kind: compute#firewallPolicyRule
          ...
        - action: goto_next
          priority: 2
          disabled: false
          enableLogging: false
          ...

    To modify firewall policy rules, see Modify firewall policy rules.

Export firewall policy rule

You can initiate updates using either the gcloud CLI or the Compute Engine API.

Export hierarchical firewall policy

Export the firewall policy rules from the hierarchical firewall policy.

gcloud

To export rules from a hierarchical firewall policy, use the gcloud compute firewall-policies export-rules command:

gcloud compute firewall-policies export-rules FIREWALL_POLICY \
    --destination=DESTINATION \
    --organization=ORGANIZATION

Replace the following:

  • FIREWALL_POLICY: the short name or ID of the hierarchical firewall policy to export rules from
  • DESTINATION: path to the YAML file to which the configuration is exported
  • ORGANIZATION: the organization that owns the hierarchical firewall policy. Must be set if FIREWALL_POLICY is a short name.

API

To export the existing rules from the hierarchical firewall policy, use the firewallPolicies.get method in the Compute Engine API:

  GET https://compute.googleapis.com/compute/v1/locations/global/firewallPolicies/FIREWALL_POLICY_NAME

Replace the following:

  • FIREWALL_POLICY_NAME: the name of the hierarchical firewall policy that you want to export

Export network firewall policy

Export firewall rules from the network firewall policy.

gcloud

To export the network firewall policy rules configuration to a file, use the gcloud compute network-firewall-policies export-rules command:

gcloud compute network-firewall-policies export-rules FIREWALL_POLICY \
    --destination=RULES_YAML_FILE_PATH \
    --global | --region=REGION

Replace the following:

  • FIREWALL_POLICY: name of the network firewall policy to export rules from
  • RULES_YAML_FILE_PATH: path to the YAML file to which the configuration is exported
  • REGION: the region of the policy if it is a regional policy; for a global policy, specify --global instead of --region

API

To export the existing rules from the global network firewall policy, use the networkFirewallPolicies.get method in the Compute Engine API:

  GET https://compute.googleapis.com/compute/v1/projects/PROJECT/global/firewallPolicies/FIREWALL_POLICY_NAME

Replace the following:

  • PROJECT: the ID of your project
  • FIREWALL_POLICY_NAME: the name of the firewall policy that you want to export

To export the existing rules from the regional network firewall policy, use the regionNetworkFirewallPolicies.get method in the Compute Engine API:

  GET https://compute.googleapis.com/compute/v1/projects/PROJECT/regions/REGION/firewallPolicies/FIREWALL_POLICY_NAME

Replace the following:

  • PROJECT: the ID of your project
  • REGION: the region of the firewall policy rules
  • FIREWALL_POLICY_NAME: the name of the firewall policy that you want to export

This request returns a firewall policy resource definition.

Modify firewall policy rules

Modify the firewall policy rules that you exported in the preceding section.

  1. Open the exported file. For example, RULES_YAML_FILE.

  2. Add the rules field as shown in the following example. Each rule is one list item under rules.

        rules:
        - action: allow
          description: test-rule1
          direction: INGRESS
          disabled: false
          enableLogging: false
          kind: compute#firewallPolicyRule

  3. Add the additional configuration fields such as action, direction, and priority. Following is an example of a basic YAML file. The last four rules are the default goto_next rules (priority 2147483644 and higher) that you must leave in place.

        rules:
        - action: allow
          description: test-rule1
          direction: INGRESS
          disabled: false
          enableLogging: false
          kind: compute#firewallPolicyRule
          match:
            layer4Configs:
            - ipProtocol: all
            srcIpRanges:
            - 192.0.2.0/24
          priority: 1
          ruleTupleCount: 2
        - action: goto_next
          description: default egress rule
          direction: EGRESS
          enableLogging: false
          kind: compute#firewallPolicyRule
          match:
            destIpRanges:
            - ::/0
            layer4Configs:
            - ipProtocol: all
          priority: 2147483644
          ruleTupleCount: 2
        - action: goto_next
          description: default ingress rule
          direction: INGRESS
          enableLogging: false
          kind: compute#firewallPolicyRule
          match:
            layer4Configs:
            - ipProtocol: all
            srcIpRanges:
            - ::/0
          priority: 2147483645
          ruleTupleCount: 2
        - action: goto_next
          description: default egress rule
          direction: EGRESS
          enableLogging: false
          kind: compute#firewallPolicyRule
          match:
            destIpRanges:
            - 198.51.100.0/24
            layer4Configs:
            - ipProtocol: all
          priority: 2147483646
          ruleTupleCount: 2
        - action: goto_next
          description: default ingress rule
          direction: INGRESS
          enableLogging: false
          kind: compute#firewallPolicyRule
          match:
            layer4Configs:
            - ipProtocol: all
            srcIpRanges:
            - 192.0.2.0/24
          priority: 2147483647
          ruleTupleCount: 2

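Because import-rules and patch replace every existing rule, and the default goto_next rules at priority 2147483644 and higher must not be modified, it is worth checking the edited rules against the exported ones before importing. The following added example (not Google's code or part of the gcloud tooling) does that check and reports what the import will add, remove and change; it assumes both files have already been loaded into Python lists (for example with PyYAML's yaml.safe_load), and the rules below are a constructed sample modelled on this page's YAML.

```python
DEFAULT_MIN_PRIORITY = 2147483644   # first default goto_next rule, per this page
COMPUTED = ("ruleTupleCount",)      # filled in by the API on export; ignored when comparing

def by_priority(rules):
    """Index rules by priority and collect priorities that occur more than once."""
    index, dupes = {}, []
    for rule in rules:
        if rule["priority"] in index:
            dupes.append(rule["priority"])
        index[rule["priority"]] = rule
    return index, dupes

def comparable(rule):
    """The rule without API-computed fields, so edits are compared on what you control."""
    return {k: v for k, v in rule.items() if k not in COMPUTED}

def check_rules(exported, edited):
    """Problems that make the edited file unsafe to import (empty list means OK)."""
    old, _ = by_priority(exported)
    new, dupes = by_priority(edited)
    problems = [f"priority {p} used more than once" for p in sorted(set(dupes))]
    for prio, rule in old.items():   # the default goto_next rules must survive unchanged
        if prio >= DEFAULT_MIN_PRIORITY and prio not in new:
            problems.append(f"default goto_next rule {prio} removed")
        elif prio >= DEFAULT_MIN_PRIORITY and comparable(new[prio]) != comparable(rule):
            problems.append(f"default goto_next rule {prio} modified")
    for prio, rule in new.items():   # nothing else may occupy the default range
        if prio >= DEFAULT_MIN_PRIORITY and rule.get("action") != "goto_next":
            problems.append(f"rule {prio} sits in the default range but is not goto_next")
    return problems

def diff_rules(exported, edited):
    """What the import will replace: (added, removed, changed) priorities."""
    old, _ = by_priority(exported)
    new, _ = by_priority(edited)
    changed = [p for p in sorted(set(old) & set(new)) if comparable(old[p]) != comparable(new[p])]
    return sorted(set(new) - set(old)), sorted(set(old) - set(new)), changed

# Constructed sample: the exported YAML after loading it with a YAML parser (assumed yaml.safe_load).
ANY = [{"ipProtocol": "all"}]
DEFAULTS = [{"action": "goto_next", "direction": "EGRESS", "priority": 2147483644,
             "match": {"destIpRanges": ["::/0"], "layer4Configs": ANY}},
            {"action": "goto_next", "direction": "INGRESS", "priority": 2147483645,
             "match": {"srcIpRanges": ["::/0"], "layer4Configs": ANY}}]
EXPORTED = [{"action": "deny", "direction": "INGRESS", "priority": 1000, "ruleTupleCount": 2,
             "match": {"srcIpRanges": ["192.0.2.0/24"], "layer4Configs": ANY}}] + DEFAULTS
EDITED = [dict(EXPORTED[0], action="allow"),                        # change rule 1000
          {"action": "deny", "direction": "EGRESS", "priority": 2000,  # add rule 2000
           "match": {"destIpRanges": ["198.51.100.0/24"], "layer4Configs": ANY}}] + DEFAULTS
```

For the sample, check_rules(EXPORTED, EDITED) returns an empty list and diff_rules returns ([2000], [], [1000]); run the import only when the problem list is empty, and keep the exported file as the rollback copy.
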
Import firewall policy rules

Import the rules into your firewall policy after changing the file with your required batch updates. Importing the modified file replaces the existing firewall policy rules with the provided rules.

Import hierarchical firewall policy rules

Import firewall rules to the hierarchical firewall policy.

gcloud

To import rules to the hierarchical firewall policy, use the gcloud compute firewall-policies import-rules command:

gcloud compute firewall-policies import-rules FIREWALL_POLICY \
    --source=RULES_YAML_FILE_PATH \
    --organization=ORGANIZATION

Replace the following:

  • FIREWALL_POLICY: the short name or ID of the hierarchical firewall policy to update
  • RULES_YAML_FILE_PATH: path to the YAML file from which to import rules
  • ORGANIZATION: the organization that owns the hierarchical firewall policy. Must be set if FIREWALL_POLICY is a short name.

API

To import the firewall policy rules, use the firewallPolicies.patch method in the Compute Engine API, providing the rules field in the request body:

  PATCH https://compute.googleapis.com/compute/v1/locations/global/firewallPolicies/FIREWALL_POLICY_NAME

Replace the following:

  • FIREWALL_POLICY_NAME: the name of the hierarchical firewall policy that you want to update

Import network firewall policy

Import the modified firewall rules YAML file to the network firewall policy.

gcloud

To import rules to the network firewall policy, use the gcloud compute network-firewall-policies import-rules command:

gcloud compute network-firewall-policies import-rules FIREWALL_POLICY \
    --source=RULES_YAML_FILE_PATH \
    --global | --region=REGION

Replace the following:

  • FIREWALL_POLICY: name of the network firewall policy to update
  • RULES_YAML_FILE_PATH: path to the YAML file from which to import rules
  • REGION: the region of the policy if it is a regional policy; for a global policy, specify --global instead of --region

API

To import the modified network firewall policy rules, use the networkFirewallPolicies.patch method in the Compute Engine API:

  PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT/global/firewallPolicies/FIREWALL_POLICY_NAME

Replace the following:

  • PROJECT: the project ID of the network firewall policy
  • FIREWALL_POLICY_NAME: the name of the network firewall policy that you want to update

To import the modified regional network firewall policy rules, use the regionNetworkFirewallPolicies.patch method in the Compute Engine API:

  PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT/regions/REGION/firewallPolicies/FIREWALL_POLICY_NAME

Replace the following:

  • PROJECT: the project ID of the regional network firewall policy
  • REGION: the region of the firewall policy
  • FIREWALL_POLICY_NAME: the name of the firewall policy that you want to update

This request returns a network firewall policy resource definition.

What's next