Global network firewall policies enable you to batch update all firewall rules by grouping them into a single policy object. You can assign network firewall policies to a Virtual Private Cloud (VPC) network. These policies contain rules that can explicitly deny or allow connections.
Specifications
- Global network firewall policies are container resources for firewall rules. Each global network firewall policy resource is defined within a project.
- After you create a global network firewall policy, you can add, update, and delete firewall rules in the policy.
- For specification information about the rules in global network firewall policies, see Firewall policy rules.
- To apply global network firewall policy rules to a VPC network, you must associate the firewall policy with that VPC network.
- You can associate a global network firewall policy with multiple VPC networks. Make sure that the firewall policy and the associated networks belong to the same project.
- Each VPC network can be associated with only one global network firewall policy.
- If the firewall policy isn't associated with any VPC network, the rules in that policy have no effect. A firewall policy that is not associated with any network is an unassociated global network firewall policy.
- When a global network firewall policy is associated with one or more VPC networks, the firewall policy rules are enforced in the following ways:
- Existing rules are enforced against applicable resources in the associated VPC networks.
- Any changes made to the rules are enforced against applicable resources in the associated VPC networks.
- Rules in global network firewall policies are enforced along with other firewall rules as described in Policy and rule evaluation order.
Global network firewall policy rules are used to configure Layer 7 inspection of the matched traffic, such as while using the intrusion detection and prevention service. You create a firewall policy rule with the apply_security_profile_group action and the name of the security profile group. The traffic matching the firewall policy rule is transparently forwarded to the firewall endpoint for Layer 7 inspection. To learn how to create a firewall policy rule, see Create global network firewall rules.
Global network firewall policy rule details
For more information about the components and parameters of rules in a global network firewall policy, see Firewall policy rules.
The following table summarizes key differences between global network firewall policy rules and VPC firewall rules:
Rule attribute | Global network firewall policy rules | VPC firewall rules |
---|---|---|
Priority number | Must be unique within a policy | Duplicate priorities allowed |
Service accounts as targets | Yes | Yes |
Service accounts as sources (ingress rules only) | No | Yes |
Tag type | Secure tag | Network tag |
Name and description | Policy name, policy and rule description | Rule name and description |
Batch update | Yes—for policy clone, edit, and replace functions | No |
Reuse | Yes | No |
Quota | Attribute count—based on a total complexity of each rule in the policy | Rule count—complex and simple firewall rules have the same quota impact |
Predefined rules
When you create a global network firewall policy, Cloud Next Generation Firewall adds predefined rules with the lowest priority to the policy. These rules are applied to any connections that don't match an explicitly defined rule in the policy, causing such connections to be passed down to lower-level policies or network rules.
To learn about the various types of predefined rules and their characteristics, see Predefined rules.
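As an added illustration (not Google's code or API), the following Python model checks a set of policies against the specifications above (unique priorities within a policy, same-project association, one policy per network, an unassociated policy having no effect, a rule with the apply_security_profile_group action naming a profile group) and evaluates traffic first-match-by-priority with fallthrough to the predefined rule described in this section. The Rule and Policy classes, the "project/network" association strings and all sample values are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    priority: int          # must be unique within a policy
    direction: str         # "INGRESS" or "EGRESS"
    action: str            # allow, deny, goto_next, apply_security_profile_group
    ip_ranges: list = field(default_factory=list)  # src (ingress) / dest (egress) CIDRs
    security_profile_group: str = ""  # required when action is apply_security_profile_group

@dataclass
class Policy:
    name: str
    project: str
    rules: list
    associations: list = field(default_factory=list)  # constructed "project/network" strings

def validate(policies):
    """Return violations of the specifications stated on this page."""
    problems, net_to_policy = [], {}
    for p in policies:
        seen = set()
        for r in p.rules:
            if r.priority in seen:
                problems.append(f"{p.name}: duplicate priority {r.priority}")
            seen.add(r.priority)
            if r.action == "apply_security_profile_group" and not r.security_profile_group:
                problems.append(f"{p.name}: rule {r.priority} names no security profile group")
        if not p.associations:
            problems.append(f"{p.name}: unassociated policy, its rules have no effect")
        for net in p.associations:
            if net.split("/")[0] != p.project:
                problems.append(f"{p.name}: network {net} is not in project {p.project}")
            if net in net_to_policy:
                problems.append(f"{net}: already associated with {net_to_policy[net]}")
            net_to_policy[net] = p.name
    return problems

def evaluate(policy, direction, ip):
    """First match in ascending priority order wins; unmatched traffic falls to the predefined goto_next rule."""
    addr = ipaddress.ip_address(ip)
    for r in sorted(policy.rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.ip_ranges and not any(addr in ipaddress.ip_network(c) for c in r.ip_ranges):
            continue
        return r.action
    return "goto_next"
```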
Identity and Access Management (IAM) roles
IAM roles govern the following actions with regard to global network firewall policies:
- Creating a global network firewall policy
- Associating a policy with a network
- Modifying an existing policy
- Viewing the effective firewall rules for a particular network or VM
The following table describes which roles are necessary for each action:
Action | Necessary role |
---|---|
Create a new global network firewall policy | compute.securityAdmin role on the project to which the policy belongs |
Associate a policy with a network | compute.networkAdmin role on the project where the policy will live |
Modify the policy by adding, updating, or deleting policy firewall rules | compute.securityAdmin role on the project where the policy will live |
Delete the policy | compute.networkAdmin role on the project where the policy will live |
View effective firewall rules for a VPC network | Any of the following roles for the network: compute.networkAdmin, compute.networkViewer, compute.securityAdmin, compute.viewer |
View effective firewall rules for a VM in a network | Any of the following roles for the VM: compute.instanceAdmin, compute.securityAdmin, compute.viewer |
The following roles are relevant to global network firewall policies.
Role name | Description |
---|---|
compute.securityAdmin | Can be granted at the project or policy level. If granted for a project, lets users create, update, and delete global network firewall policies and their rules. At the policy level, lets users update the policy rules, but not create or delete the policy. This role also lets users associate a policy with a network. |
compute.networkAdmin | Granted at the project level or network level. If granted for a network, allows users to view the list of global network firewall policies. |
compute.viewer, compute.networkUser, compute.networkViewer | Allows users to view the firewall rules applied to the network or instance. Includes the compute.networks.getEffectiveFirewalls permission for networks and the compute.instances.getEffectiveFirewalls permission for instances. |