Create firewall endpoints and endpoint associations

This page explains how to configure a firewall endpoint and associate it with a Virtual Private Cloud (VPC) network by using the Google Cloud console, Google Cloud CLI, or Terraform.

You create a firewall endpoint at a zonal level and then associate it with one or more VPC networks in the same zone. If Layer 7 inspection is enabled in the firewall policy associated with your VPC network, the matched traffic is transparently intercepted and forwarded to the firewall endpoint.

You can create a firewall endpoint with or without jumbo frame support. For information about the packet sizes supported by firewall endpoints, see Supported packet size.

Before you begin

Before you configure firewall endpoints and associations, complete the following:

  1. Ensure that you have a VPC network and a subnet.
  2. Enable the required APIs (the Compute Engine API and the Network Security API).
  3. Install the gcloud CLI if you want to run gcloud command-line examples.

Roles and permissions

To get the permissions that you need to create firewall endpoints, ask your administrator to grant you the necessary Identity and Access Management (IAM) roles on your organization or project. For more information, see Manage access.

To check the progress of the operations listed on this page, ensure that your user account has the Compute Network User (roles/compute.networkUser) role, which includes the following permissions:

  • networksecurity.operations.get
  • networksecurity.operations.list

Quotas

To view quotas for firewall endpoints and associations, see Quotas and limits.

Create a firewall endpoint

Create a firewall endpoint in a specific zone.

Organization-level endpoint

You can create a firewall endpoint at the organization level. These endpoints support only organization-level security profile groups.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

  2. In the project selector menu, select your organization.

  3. Click Create.

  4. In the Region list, select the region where you want to create the firewall endpoint.

  5. In the Zone list, select the zone where you want to create the firewall endpoint.

  6. Enter a name in the Name field.

  7. In the Billing project list, select the Google Cloud project that you want to use for billing the firewall endpoint.

  8. Click Continue.

  9. If you want the endpoint to support jumbo frames, select the Enable jumbo frames support checkbox; otherwise, clear this checkbox.

  10. Click Continue.

  11. If you want to add a firewall endpoint association, click Add endpoint association; otherwise, skip this step.

    1. In the Project list, select the Google Cloud project where you want to create the firewall endpoint association.
    2. If the Compute Engine API or the Network Security API is not enabled for the Google Cloud project, click Enable.
    3. In the Network list, select the network that you want to associate with the firewall endpoint.
    4. In the TLS inspection policy list, select the TLS inspection policy that you want to add to this association.
    5. To add another association, click Add endpoint association.
  12. Click Create.

gcloud

To create a firewall endpoint, use the gcloud network-security firewall-endpoints create command:

gcloud network-security firewall-endpoints create NAME \
    --organization ORGANIZATION_ID \
    --zone ZONE \
    --enable-jumbo-frames \
    --billing-project BILLING_PROJECT_ID

Replace the following:

  • NAME: the name of the firewall endpoint.

  • ORGANIZATION_ID: the organization where the endpoint is activated.

  • ZONE: the zone where the endpoint is activated.

  • BILLING_PROJECT_ID: a Google Cloud project ID to be used for billing of the firewall endpoint.

To create a firewall endpoint that supports jumbo frames up to 8,500 bytes in size, use the optional --enable-jumbo-frames flag. Skip this flag to create an endpoint without jumbo frame support. For information about the packet sizes supported by firewall endpoints, see Supported packet size.

To associate the firewall endpoint with a VPC network, see Create firewall endpoint associations.

Terraform

Use the google_network_security_firewall_endpoint Terraform resource.

resource "google_network_security_firewall_endpoint" "default" {
  name               = "my-firewall-endpoint"
  parent             = "organizations/123456789"
  location           = "us-central1-a"
  billing_project_id = "my-project-name"
  enable_jumbo_frames = true
}

To create a firewall endpoint that supports jumbo frames up to 8,500 bytes in size, set the field enable_jumbo_frames to true. To create a firewall endpoint that doesn't support jumbo frames, set this field to false. For information about the packet sizes supported by firewall endpoints, see Supported packet size.

To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.

Project-level endpoint

You can create a firewall endpoint at the project level. These endpoints support both organization-level and project-level security profile groups.

gcloud

To create a firewall endpoint, use the gcloud beta network-security firewall-endpoints create command:

gcloud beta network-security firewall-endpoints create NAME \
    --project PROJECT_ID \
    --zone ZONE \
    --enable-jumbo-frames

Replace the following:

  • NAME: the name of the firewall endpoint.

  • PROJECT_ID: the project where the endpoint is activated.

  • ZONE: the zone where the endpoint is activated.

To create a firewall endpoint that supports jumbo frames up to 8,500 bytes in size, use the optional --enable-jumbo-frames flag. Skip this flag to create an endpoint without jumbo frame support. For information about the packet sizes supported by firewall endpoints, see Supported packet size.

To associate the firewall endpoint with a VPC network, see Create firewall endpoint associations.

Create a firewall endpoint association

A firewall endpoint association connects a firewall endpoint to a VPC network in a specific zone. This association ensures that traffic matching an interception rule for the associated network in that zone is inspected by the firewall endpoint.

Ensure that you have a firewall endpoint before you create an association.

Association requirements

When you configure endpoint associations, follow these requirements:

  • Zone constraints: You must create the association in the same zone as the firewall endpoint. For effective traffic inspection, create associations in zones where your compute instances are deployed.
  • One endpoint per zone: In a single zone, you can associate a VPC network with only one firewall endpoint, either a project-level endpoint (Preview) or an organization-level endpoint. However, you can associate a single VPC network with different firewall endpoints across multiple zones.
  • Cross-project associations: You can associate a VPC network with a firewall endpoint in a separate project.
    • If you use a project-level endpoint (Preview), the endpoint's project must reside in the same organization as the VPC network.
  • Resource mapping: An association is a project-level resource. You create the association within the specific project where your compute instances are deployed, even if the association points to an organization-level firewall endpoint.

A firewall endpoint with jumbo frame support can accept packets only up to 8,500 bytes. A firewall endpoint without jumbo frame support can accept packets only up to 1,460 bytes. If you need the URL filtering service or the intrusion detection and prevention service, we recommend that you configure the associated VPC networks to use a maximum transmission unit (MTU) of at most 8,500 bytes or 1,460 bytes, respectively. For more information, see Supported packet size.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

  2. In the project selector menu, select your Google Cloud project.

  3. Click Create endpoint association.

  4. In the Region list, select the region where you want to create the firewall endpoint association.

  5. In the Zone list, select the zone where you want to create the firewall endpoint association.

  6. In the Firewall endpoint list, select the firewall endpoint that you want to add to the association.

  7. In the Network list, select the network that you want to add to the association.

  8. In the TLS inspection policy list, select the TLS inspection policy that you want to add to this association.

  9. Click Create.

gcloud

To create a firewall endpoint association, use the gcloud network-security firewall-endpoint-associations create command.

Organization-level firewall endpoint

gcloud network-security firewall-endpoint-associations \
    create NAME \
    --endpoint organizations/ORGANIZATION_ID/locations/ZONE/firewallEndpoints/FIREWALL_ENDPOINT_NAME \
    --network projects/PROJECT_NAME/global/networks/NETWORK_NAME \
    --zone ZONE \
    --project PROJECT_ID \
    [ --tls-inspection-policy projects/TLS_PROJECT_NAME/locations/REGION_NAME/tlsInspectionPolicies/TLS_POLICY_NAME ]

Project-level firewall endpoint

gcloud beta network-security firewall-endpoint-associations \
    create NAME \
    --endpoint projects/ENDPOINT_PROJECT_ID/locations/ZONE/firewallEndpoints/FIREWALL_ENDPOINT_NAME \
    --network projects/PROJECT_NAME/global/networks/NETWORK_NAME \
    --zone ZONE \
    --project PROJECT_ID \
    [ --tls-inspection-policy projects/TLS_PROJECT_NAME/locations/REGION_NAME/tlsInspectionPolicies/TLS_POLICY_NAME ]

Replace the following:

  • NAME: the name of the firewall endpoint association.

  • ORGANIZATION_ID: the organization identifier where the organization-level firewall endpoint is created.

  • ENDPOINT_PROJECT_ID: the Google Cloud project ID where the project-level firewall endpoint is created.

  • ZONE: the zone of the firewall endpoint.

  • FIREWALL_ENDPOINT_NAME: the name of the firewall endpoint.

  • PROJECT_NAME: the Google Cloud project name of the network.

  • NETWORK_NAME: the name of the network.

  • PROJECT_ID: the Google Cloud project ID where the association is created. This should be the project where you want to intercept traffic.

  • TLS_PROJECT_NAME: the Google Cloud project name of the TLS inspection policy.

  • REGION_NAME: the region name of the TLS inspection policy.

  • TLS_POLICY_NAME: the name of the TLS inspection policy.

    This policy is used for the TLS inspection of the encrypted traffic on the specified network. This is an optional argument.
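The following shell script is an added example and is not part of the Google Cloud documentation or the gcloud CLI. It ties together the association requirements above (same zone as the endpoint; network MTU within the endpoint's 8,500-byte or 1,460-byte packet limit) with the two gcloud command forms shown in this section: it builds the fully qualified endpoint path for an organization-level or project-level endpoint, runs the pre-flight checks, and assembles the corresponding firewall-endpoint-associations create command (GA track for organization-level endpoints, beta track for project-level endpoints) without executing it. All resource names and IDs in it are constructed placeholders; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation or the gcloud CLI).
# Builds endpoint paths, checks association requirements, and assembles the
# association command. Resource names below are constructed placeholders.

# Fully qualified endpoint path for an org- or project-level endpoint.
# Usage: endpoint_path org|project PARENT_ID ZONE ENDPOINT_NAME
endpoint_path() {
  case "$1" in
    org)     printf 'organizations/%s/locations/%s/firewallEndpoints/%s' "$2" "$3" "$4" ;;
    project) printf 'projects/%s/locations/%s/firewallEndpoints/%s' "$2" "$3" "$4" ;;
    *)       echo "unknown endpoint kind: $1" >&2; return 1 ;;
  esac
}

# Pre-flight checks: the association must be in the endpoint's zone, and the
# network MTU must not exceed the endpoint's packet limit (8,500 bytes with
# jumbo frames, 1,460 bytes without). Returns 1 with a reason on failure.
# Usage: check_association ENDPOINT_ZONE ASSOC_ZONE JUMBO(true|false) NETWORK_MTU
check_association() {
  ep_zone=$1; assoc_zone=$2; jumbo=$3; mtu=$4
  if [ "$ep_zone" != "$assoc_zone" ]; then
    echo "association zone $assoc_zone differs from endpoint zone $ep_zone" >&2
    return 1
  fi
  if [ "$jumbo" = true ]; then limit=8500; else limit=1460; fi
  if [ "$mtu" -gt "$limit" ]; then
    echo "network MTU $mtu exceeds endpoint packet limit of $limit bytes" >&2
    return 1
  fi
  return 0
}

# Assemble (but do not run) the association command. Project-level endpoints
# use the beta track, matching the documented commands. The optional seventh
# argument adds --tls-inspection-policy.
# Usage: association_cmd org|project ASSOC_NAME ENDPOINT_PATH NETWORK_PATH ZONE ASSOC_PROJECT_ID [TLS_POLICY_PATH]
association_cmd() {
  kind=$1; name=$2; ep=$3; net=$4; zone=$5; proj=$6; tls=$7
  if [ "$kind" = project ]; then track="gcloud beta"; else track="gcloud"; fi
  cmd="$track network-security firewall-endpoint-associations create $name --endpoint $ep --network $net --zone $zone --project $proj"
  if [ -n "$tls" ]; then cmd="$cmd --tls-inspection-policy $tls"; fi
  printf '%s' "$cmd"
}

# Dry run with constructed values: an org-level endpoint with jumbo frames,
# associated in the same zone with a network whose MTU is 8,500 bytes.
EP=$(endpoint_path org 123456789 us-central1-a my-firewall-endpoint)
NET=projects/my-project-name/global/networks/my-vpc
if check_association us-central1-a us-central1-a true 8500; then
  association_cmd org my-assoc "$EP" "$NET" us-central1-a my-project-name
  echo
fi
```

The script only prints the command it would run; copy the output into your shell once the checks pass. The MTU check encodes the guidance from this page (an endpoint without jumbo frame support drops packets larger than 1,460 bytes, so a default 1,460-byte VPC MTU is safe, while a larger MTU is not), and the zone check catches the most common reason an association is rejected.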

What's next