Create and manage firewall endpoint associations

This page explains how to create and manage firewall endpoint associations by using the Google Cloud console and Google Cloud CLI.

When you associate a firewall endpoint with one or more Virtual Private Cloud (VPC) networks, you create the association in the same zone as the firewall endpoint. You can associate a VPC network in a zone with a project-level or an organization-level firewall endpoint.

When you configure endpoint associations, follow these requirements:

  • In a single zone, you can associate a VPC network with only one firewall endpoint (either project-level (Preview) or organization-level). However, you can associate one VPC network with different firewall endpoints across multiple zones.

  • You can associate a VPC network with a firewall endpoint in a separate project. This applies to both project-level (Preview) and organization-level endpoints. If the project-level endpoint is in a separate project, that project must reside in the same organization as your VPC network.

A firewall endpoint with jumbo frame support can accept packets only up to 8,500 bytes. A firewall endpoint without jumbo frame support can accept packets only up to 1,460 bytes. If you need the URL filtering service or the intrusion detection and prevention service, we recommend that you configure the associated VPC networks with a maximum transmission unit (MTU) that stays within these limits of 8,500 bytes and 1,460 bytes, respectively. For more information, see Supported packet size.

Before you begin

Roles

To get the permissions that you need to create, view, update, or delete firewall endpoint associations, ask your administrator to grant you the necessary IAM roles on your organization and project. For more information about granting roles, see Manage access.

Quotas

To view quotas for firewall endpoint associations, see Quotas and limits.

Create a firewall endpoint association

A firewall endpoint association connects a firewall endpoint to a VPC network in a specific zone. This association ensures that traffic that matches an interception rule for the associated VPC network in that zone is inspected by the firewall endpoint. For effective traffic inspection, create endpoint associations in zones where your compute instances are deployed.

For each combination of a VPC network and a zone, you can associate either an organization-level or a project-level firewall endpoint, but not both. You can create firewall endpoint associations by using the Google Cloud console or the gcloud CLI.

An association is a project-level resource. You create the association within a specific project, even when it points to an organization-level firewall endpoint. You should create the association in the project where your compute instances are deployed.
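The two constraints above, one association per network per zone and coverage of every zone that hosts compute instances, plus the packet-size limits from the introduction, are easy to drift from as instances are added in new zones. The following script is an added example, not part of the Cloud NGFW documentation or the gcloud tool: it extracts the zone from an association's resource name, reports zones that have instances on a network but no association, and checks a network MTU against the 8,500-byte (jumbo) and 1,460-byte (non-jumbo) limits. The project, network and zone names are constructed placeholders, and the gcloud `--filter` and `--format` expressions used in `audit_network` are this example's assumptions about the CLI, not commands taken from the page.

```shell
#!/bin/sh
# Added example (not from the Cloud NGFW docs or the gcloud project): audit
# firewall endpoint association coverage for one VPC network.
# Assumptions: gcloud is installed and authenticated for the live audit;
# the project/network/zone values below are constructed placeholders; the
# gcloud --filter/--format expressions are this example's assumptions.

# Packet-size limits stated on the page for endpoints with/without jumbo frames.
JUMBO_MAX_BYTES=8500
STANDARD_MAX_BYTES=1460

# zone_of_association RESOURCE_NAME
# Extracts ZONE from projects/PROJECT/locations/ZONE/firewallEndpointAssociations/NAME.
zone_of_association() {
    printf '%s\n' "$1" | sed -n 's#.*/locations/\([^/]*\)/.*#\1#p'
}

# missing_zones INSTANCE_ZONES ASSOC_ZONES
# Both arguments are newline-separated zone lists. Prints, one per line, each
# zone that has an instance on the network but no association covering it.
missing_zones() {
    printf '%s\n' "$1" | sort -u | while IFS= read -r zone; do
        [ -n "$zone" ] || continue
        if ! printf '%s\n' "$2" | grep -Fxq -- "$zone"; then
            printf '%s\n' "$zone"
        fi
    done
}

# mtu_within_limit MTU JUMBO
# JUMBO is "yes" or "no". Succeeds when packets of size MTU fit the endpoint.
mtu_within_limit() {
    if [ "$2" = yes ]; then limit=$JUMBO_MAX_BYTES; else limit=$STANDARD_MAX_BYTES; fi
    [ "$1" -le "$limit" ]
}

# audit_network PROJECT_ID NETWORK_NAME
# Live version (needs gcloud): collects the zones of instances attached to the
# network and the zones of the network's associations, then prints the gaps.
audit_network() {
    project=$1
    network=$2
    instance_zones=$(gcloud compute instances list --project "$project" \
        --filter="networkInterfaces.network:$network" \
        --format='value(zone.basename())')
    assoc_names=$(gcloud network-security firewall-endpoint-associations list \
        --project "$project" --filter="network:$network" --format='value(name)')
    assoc_zones=$(printf '%s\n' "$assoc_names" | while IFS= read -r n; do
        if [ -n "$n" ]; then zone_of_association "$n"; fi
    done)
    missing_zones "$instance_zones" "$assoc_zones"
}

# Offline demonstration on constructed data (no gcloud call): run with "demo".
if [ "${1:-}" = demo ]; then
    sample_instance_zones=$(printf 'us-central1-a\nus-central1-b\nus-east1-b\nus-central1-a')
    sample_assocs=$(printf 'projects/my-project/locations/us-central1-a/firewallEndpointAssociations/assoc-a\nprojects/my-project/locations/us-east1-b/firewallEndpointAssociations/assoc-b')
    sample_assoc_zones=$(printf '%s\n' "$sample_assocs" | while IFS= read -r n; do
        zone_of_association "$n"
    done)
    echo "Zones with instances but no association:"
    missing_zones "$sample_instance_zones" "$sample_assoc_zones"
    mtu_within_limit 1460 no && echo "MTU 1460 fits a non-jumbo endpoint"
    mtu_within_limit 8896 yes || echo "MTU 8896 exceeds even the jumbo limit"
fi
```

With the constructed data, `missing_zones` reports only us-central1-b, the one zone with an instance and no association. Run `audit_network PROJECT_ID NETWORK_NAME` against a real project to get the same report from live inventory; an empty result means every zone with instances on that network has an association.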

To create an organization-level firewall endpoint association, use the Google Cloud console or the gcloud CLI. To create a project-level firewall endpoint association (Preview), use the gcloud CLI.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

  2. In the project selector menu, select your Google Cloud project.

  3. Click Create endpoint association.

  4. In the Region list, select the region where you want to create the firewall endpoint association.

  5. In the Zone list, select the zone where you want to create the firewall endpoint association.

  6. In the Firewall endpoint list, select the firewall endpoint that you want to add to the association.

  7. In the Network list, select the network that you want to add to the association.

  8. In the TLS inspection policy list, select the TLS inspection policy that you want to add to this association.

  9. Click Create.

gcloud

To create a firewall endpoint association, use the gcloud network-security firewall-endpoint-associations create command.

Organization-level firewall endpoint

gcloud network-security firewall-endpoint-associations \
    create NAME \
    --endpoint organizations/ORGANIZATION_ID/locations/ZONE/firewallEndpoints/FIREWALL_ENDPOINT_NAME \
    --network projects/PROJECT_NAME/global/networks/NETWORK_NAME \
    --zone ZONE \
    --project PROJECT_ID \
    [ --tls-inspection-policy projects/TLS_PROJECT_NAME/locations/REGION_NAME/tlsInspectionPolicies/TLS_POLICY_NAME ]

Project-level firewall endpoint

gcloud beta network-security firewall-endpoint-associations \
    create NAME \
    --endpoint projects/ENDPOINT_PROJECT_ID/locations/ZONE/firewallEndpoints/FIREWALL_ENDPOINT_NAME \
    --network projects/PROJECT_NAME/global/networks/NETWORK_NAME \
    --zone ZONE \
    --project PROJECT_ID \
    [ --tls-inspection-policy projects/TLS_PROJECT_NAME/locations/REGION_NAME/tlsInspectionPolicies/TLS_POLICY_NAME ]

Replace the following:

  • NAME: the name of the firewall endpoint association.

  • ORGANIZATION_ID: the organization identifier where the organization-level firewall endpoint is created.

  • ENDPOINT_PROJECT_ID: the Google Cloud project ID where the project-level firewall endpoint is created.

  • ZONE: the zone of the firewall endpoint.

  • FIREWALL_ENDPOINT_NAME: the name of the firewall endpoint.

  • PROJECT_NAME: the Google Cloud project name of the network.

  • NETWORK_NAME: the name of the network.

  • PROJECT_ID: the Google Cloud project ID where the association is created. This should be the project where you want to intercept traffic.

  • TLS_PROJECT_NAME: the Google Cloud project name of the TLS inspection policy.

  • REGION_NAME: the region name of the TLS inspection policy.

  • TLS_POLICY_NAME: the name of the TLS inspection policy.

    This policy is used for the TLS inspection of the encrypted traffic on the specified network. This is an optional argument.

View a firewall endpoint association

To view details of an organization-level firewall endpoint association or a project-level firewall endpoint association, use the gcloud CLI.

gcloud

To view a firewall endpoint association, use the gcloud network-security firewall-endpoint-associations describe command.

Organization-level firewall endpoint

gcloud network-security firewall-endpoint-associations \
    describe NAME \
    --zone ZONE \
    [ --project PROJECT_ID ]

Project-level firewall endpoint

gcloud beta network-security firewall-endpoint-associations \
    describe NAME \
    --zone ZONE \
    [ --project PROJECT_ID ]

Replace the following:

  • NAME: the name of the firewall endpoint association.

  • ZONE: the zone of the firewall endpoint association.

  • PROJECT_ID: the Google Cloud project ID where the association is created.

List all firewall endpoint associations

To list all organization-level firewall endpoint associations, use the Google Cloud console or the gcloud CLI. To list all project-level firewall endpoint associations, use the gcloud CLI.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

  2. In the project selector menu, select your Google Cloud project.

    In the Firewall endpoint associations section, the table lists all the configured firewall endpoint associations for this project.

gcloud

To list firewall endpoint associations for a specific network, use the gcloud network-security firewall-endpoint-associations list command with the --filter flag.

Organization-level firewall endpoint

gcloud network-security firewall-endpoint-associations list \
    --filter network:NETWORK_NAME \
    [ --project PROJECT_ID ]

Project-level firewall endpoint

gcloud beta network-security firewall-endpoint-associations list \
    --filter network:NETWORK_NAME \
    [ --project PROJECT_ID ]

Replace the following:

  • NETWORK_NAME: the name of the VPC network.

  • PROJECT_ID: the Google Cloud project ID where the firewall endpoint association is created.

Edit a firewall endpoint association

To edit an organization-level firewall endpoint association, use the Google Cloud console or the gcloud CLI. To edit a project-level firewall endpoint association, use the gcloud CLI.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

  2. In the project selector menu, select your Google Cloud project.

    In the Firewall endpoint associations section, the table lists all the configured firewall endpoint associations for this project.

  3. Next to the firewall endpoint association that you want to update, click Edit.

  4. To disable the firewall endpoint association, clear the Enable association checkbox.

  5. To update the TLS inspection policy, select a new policy from the TLS inspection policy list.

  6. Click Save.

gcloud

To update a firewall endpoint association, use the gcloud network-security firewall-endpoint-associations update command.

Organization-level firewall endpoint

gcloud network-security firewall-endpoint-associations \
    update NAME \
    --zone ZONE \
    --project PROJECT_ID \
    [ --disabled ] \
    [ --tls-inspection-policy projects/TLS_PROJECT_NAME/locations/REGION_NAME/tlsInspectionPolicies/TLS_POLICY_NAME ]

Project-level firewall endpoint

gcloud beta network-security firewall-endpoint-associations \
    update NAME \
    --zone ZONE \
    --project PROJECT_ID \
    [ --disabled ] \
    [ --tls-inspection-policy projects/TLS_PROJECT_NAME/locations/REGION_NAME/tlsInspectionPolicies/TLS_POLICY_NAME ]

Replace the following:

  • NAME: the name of the firewall endpoint association.

  • ZONE: the zone of the firewall endpoint association.

  • PROJECT_ID: the Google Cloud project ID where the association is created.

  • TLS_PROJECT_NAME: the Google Cloud project name of the TLS inspection policy.

  • REGION_NAME: the region name of the TLS inspection policy.

  • TLS_POLICY_NAME: the name of the TLS inspection policy.

Delete a firewall endpoint association

To delete an organization-level firewall endpoint association, use the Google Cloud console or the gcloud CLI. To delete a project-level firewall endpoint association, use the gcloud CLI.

When a Google Cloud project is deleted, its associated firewall endpoint associations are automatically removed. This deletion is irreversible, even if the project is later restored.

However, the deletion process for these associations might sometimes fail. If this happens and the project is restored, the associated firewall endpoints appear in the ORPHAN state within the restored project. This state indicates that the link between the project and its resources was broken by the unsuccessful deletion.

You can view these orphaned associations in the Google Cloud console; however, you can't edit them. Cloud Next Generation Firewall periodically runs a background process that deletes these orphaned resources.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

  2. In the project selector menu, select your Google Cloud project.

    In the Firewall endpoint associations section, the table lists all the configured firewall endpoint associations for this project.

  3. Select the firewall endpoint association, and then click Delete.

  4. Click Delete again to confirm.

gcloud

To delete a firewall endpoint association, use the gcloud network-security firewall-endpoint-associations delete command.

Organization-level firewall endpoint

gcloud network-security firewall-endpoint-associations \
    delete NAME \
    --zone ZONE \
    --project PROJECT_ID

Project-level firewall endpoint

gcloud beta network-security firewall-endpoint-associations \
    delete NAME \
    --zone ZONE \
    --project PROJECT_ID

Replace the following:

  • NAME: the name of the firewall endpoint association.

  • ZONE: the zone of the firewall endpoint association.

  • PROJECT_ID: the Google Cloud project ID where the association is created.

What's next