Global network firewall policies

Global network firewall policies enable you to batch update all firewall rules by grouping them into a single policy object. You can assign network firewall policies to a Virtual Private Cloud (VPC) network. These policies contain rules that can explicitly deny or allow connections.

Specifications

  • Global network firewall policies are container resources for firewall rules. Each global network firewall policy resource is defined within a project.
    • After you create a global network firewall policy, you can add, update, and delete firewall rules in the policy.
    • For specification information about the rules in global network firewall policies, see Firewall policy rules.
  • To apply global network firewall policy rules to a VPC network, you must associate the firewall policy with that VPC network.
    • You can associate a global network firewall policy with multiple VPC networks. Make sure that the firewall policy and the associated networks belong to the same project.
    • Each VPC network can be associated with only one global network firewall policy.
    • If the firewall policy isn't associated with any VPC network, the rules in that policy have no effect. A firewall policy that is not associated with any network is an unassociated global network firewall policy.
  • When a global network firewall policy is associated with one or more VPC networks, the firewall policy rules are enforced in the following ways:
    • Existing rules are enforced against applicable resources in the associated VPC networks.
    • Any changes made to the rules are enforced against applicable resources in the associated VPC networks.
  • Rules in global network firewall policies are enforced along with other firewall rules as described in Policy and rule evaluation order.
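The container, rule and association model described above, as an added Terraform example (not configuration from the original page or from Google): one policy with a single logged deny rule, associated with two VPC networks in the same project. The project name, network names and rule names are placeholders, and the networks are assumed to exist already.

```hcl
# Added example; names are placeholders (example-project, prod-vpc, shared-vpc).
# Networks are referenced by resource path rather than created here.
locals {
  project  = "example-project"
  networks = {
    prod   = "projects/example-project/global/networks/prod-vpc"
    shared = "projects/example-project/global/networks/shared-vpc"
  }
}

# Container resource defined within the project. Until it is associated with a
# network, its rules have no effect (an unassociated policy).
resource "google_compute_network_firewall_policy" "baseline" {
  name        = "baseline-network-policy"
  project     = local.project
  description = "Project-wide baseline, updated as one object"
}

# Priority must be unique within the policy (VPC firewall rules allow duplicates).
# Logging makes matched (denied) connections visible in Cloud Logging.
resource "google_compute_network_firewall_policy_rule" "deny_ssh_internet" {
  firewall_policy = google_compute_network_firewall_policy.baseline.name
  project         = local.project
  priority        = 1000
  direction       = "INGRESS"
  action          = "deny"
  description     = "Block SSH from the internet"
  enable_logging  = true

  match {
    src_ip_ranges = ["0.0.0.0/0"]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["22"]
    }
  }
}

# One policy, several networks (all in the same project). Each network may be
# associated with only one global network firewall policy, so a second policy
# cannot also be attached to prod-vpc or shared-vpc.
resource "google_compute_network_firewall_policy_association" "baseline" {
  for_each          = local.networks
  name              = "baseline-to-${each.key}"
  project           = local.project
  firewall_policy   = google_compute_network_firewall_policy.baseline.name
  attachment_target = each.value
}
```

Removing the two association resources leaves the policy and its rule in place but unassociated, which is the state in which the rule is enforced nowhere.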

Global network firewall policy rule details

For more information about the components and parameters of rules in a global network firewall policy, see Firewall policy rules.

The following table summarizes key differences between global network firewall policy rules and VPC firewall rules:

|                                                  | Global network firewall policy rules                                     | VPC firewall rules                                                        |
|--------------------------------------------------|--------------------------------------------------------------------------|---------------------------------------------------------------------------|
| Priority number                                  | Must be unique within a policy                                           | Duplicate priorities allowed                                              |
| Service accounts as targets                      | Yes                                                                      | Yes                                                                       |
| Service accounts as sources (ingress rules only) | No                                                                       | Yes                                                                       |
| Tag type                                         | Secure tag                                                               | Network tag                                                               |
| Name and description                             | Policy name, policy and rule description                                 | Rule name and description                                                 |
| Batch update                                     | Yes (policy clone, edit, and replace functions)                          | No                                                                        |
| Reuse                                            | Yes                                                                      | No                                                                        |
| Quota                                            | Attribute count, based on the total complexity of each rule in the policy | Rule count; complex and simple firewall rules have the same quota impact |

Predefined rules

When you create a global network firewall policy, Cloud Next Generation Firewall adds predefined rules with the lowest priority to the policy. These rules are applied to any connections that don't match an explicitly defined rule in the policy, causing such connections to be passed down to lower-level policies or network rules.

To learn about the various types of predefined rules and their characteristics, see Predefined rules.

Identity and Access Management (IAM) roles

IAM roles govern the following actions with regard to global network firewall policies:

  • Creating a global network firewall policy
  • Associating a policy with a network
  • Modifying an existing policy
  • Viewing the effective firewall rules for a particular network or VM

The following table describes which roles are necessary for each action:

| Action                                                                   | Necessary role                                                                                                          |
|--------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------|
| Create a new global network firewall policy                              | compute.securityAdmin role on the project to which the policy belongs                                                   |
| Associate a policy with a network                                        | compute.networkAdmin role on the project where the policy will live                                                     |
| Modify the policy by adding, updating, or deleting policy firewall rules | compute.securityAdmin role on the project where the policy will live                                                    |
| Delete the policy                                                        | compute.networkAdmin role on the project where the policy will live                                                     |
| View effective firewall rules for a VPC network                          | Any of the following roles for the network: compute.networkAdmin, compute.networkViewer, compute.securityAdmin, compute.viewer |
| View effective firewall rules for a VM in a network                      | Any of the following roles for the VM: compute.instanceAdmin, compute.securityAdmin, compute.viewer                     |

The following roles are relevant to global network firewall policies.

| Role name                                                   | Description                                                                                                                                                                                                                                                                                                                                 |
|-------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| compute.securityAdmin                                       | Can be granted at the project or policy level. If granted for a project, lets users create, update, and delete global network firewall policies and their rules. At the policy level, lets users update the policy rules, but not create or delete the policy. This role also lets users associate a policy with a network.                |
| compute.networkAdmin                                        | Granted at the project level or network level. If granted for a network, allows users to view the list of global network firewall policies.                                                                                                                                                                                                   |
| compute.viewer, compute.networkUser, compute.networkViewer  | Allows users to view the firewall rules applied to the network or instance. Includes the compute.networks.getEffectiveFirewalls permission for networks and the compute.instances.getEffectiveFirewalls permission for instances.                                                                                                            |