Firewall policies

Firewall policies let you group several firewall rules so that you can update them all at once, with access to the policy controlled by Identity and Access Management (IAM) roles. These policies contain rules that can explicitly deny or allow connections, just as Virtual Private Cloud (VPC) firewall rules do.

Hierarchical firewall policies

Hierarchical firewall policies let you group rules into a policy object that can apply to many VPC networks in one or more projects. You can associate hierarchical firewall policies with an entire organization or individual folders.

For hierarchical firewall policy specifications and details, see Hierarchical firewall policies.

Global network firewall policies

Global network firewall policies let you group rules into a policy object that can apply to all regions of a VPC network.

For global network firewall policy specifications and details, see Global network firewall policies.

Regional network firewall policies

Regional network firewall policies let you group rules into a policy object that can apply to a specific region of a VPC network.

For regional firewall policy specifications and details, see Regional network firewall policies.

Regional system firewall policies

Regional system firewall policies are similar to regional network firewall policies, but they are managed by Google. Regional system firewall policies have the following characteristics:

  • Google Cloud evaluates rules in regional system firewall policies immediately after evaluating rules in hierarchical firewall policies. For more information, see Firewall rule evaluation process.

  • You can't modify a rule in a regional system firewall policy, except to enable or disable firewall rule logging. Instead, Google services like Google Kubernetes Engine (GKE) manage rules in regional system firewall policies using internal APIs.

  • Google Cloud creates a regional system firewall policy in a region of a VPC network when a Google service requires rules in that region of the network. Google Cloud can associate more than one regional system firewall policy with a region of a VPC network based on the requirements of Google services.

  • You aren't charged for the evaluation of rules in regional system firewall policies.
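To make the evaluation order in the first bullet concrete, the following is an added Python model (not Google's code) of how the policy tiers are consulted for a single packet. The relative order of the tiers after regional system policies, the goto_next action, and the sample rules are assumptions for illustration; the linked Firewall rule evaluation process is authoritative.

```python
import ipaddress
from dataclasses import dataclass

# Tier order: hierarchical, then regional system (as this page states), then
# global network, regional network and VPC firewall rules. The order of the last
# three tiers is an assumption taken from the linked evaluation process page.
# Organization and folder hierarchical policies are merged into one tier here.
TIER_ORDER = ["hierarchical", "regional_system", "global_network",
              "regional_network", "vpc_rules"]

@dataclass
class Rule:
    priority: int    # lower number is evaluated first within a tier
    direction: str   # "INGRESS" or "EGRESS"
    cidr: str        # source range for ingress, destination range for egress
    action: str      # "allow", "deny" or "goto_next" (defer to the next tier)

def _matches(rule, direction, ip):
    return (rule.direction == direction
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))

def evaluate(policies, direction, ip):
    """Return (tier, action) of the first decisive rule across the tiers."""
    for tier in TIER_ORDER:
        for rule in sorted(policies.get(tier, []), key=lambda r: r.priority):
            if _matches(rule, direction, ip):
                if rule.action == "goto_next":
                    break           # stop this tier, consult the next one
                return tier, rule.action
    # Implied VPC rules apply when no tier decides: ingress deny, egress allow.
    return "implied", "deny" if direction == "INGRESS" else "allow"

# Constructed sample policies; the global network tier denies everything, yet a
# regional system allow wins because its tier is evaluated earlier.
POLICIES = {
    "hierarchical": [Rule(1000, "INGRESS", "203.0.113.0/24", "deny"),
                     Rule(2000, "INGRESS", "0.0.0.0/0", "goto_next")],
    "regional_system": [Rule(500, "INGRESS", "10.20.0.0/16", "allow")],
    "global_network": [Rule(100, "INGRESS", "0.0.0.0/0", "deny")],
}

if __name__ == "__main__":
    for src in ("203.0.113.5", "10.20.3.4", "198.51.100.7"):
        print(src, evaluate(POLICIES, "INGRESS", src))
```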

Network profile interaction

Regular VPC networks support firewall rules in hierarchical firewall policies, global network firewall policies, regional network firewall policies, and VPC firewall rules. All firewall rules are programmed as part of the Andromeda network virtualization stack.

VPC networks that use certain network profiles restrict the firewall policies and rule attributes that you can use. For RoCE VPC networks, see Cloud NGFW for RoCE VPC networks instead of this page.

What's next