Cloud NGFW concepts

You can use Cloud Next Generation Firewall to protect your workloads against external threats from the internet and internal threats within your network.

This document defines the core concepts and terms that explain how Cloud NGFW works and evaluates rules.

Firewall policy rules

In Cloud NGFW, a firewall policy rule is the fundamental unit of security configuration. It defines the criteria to allow, deny, or inspect traffic. For more information, see Firewall policy rules.

Firewall policies

A firewall policy is a container that groups multiple firewall rules. For more information, see Firewall policies.

Cloud NGFW supports the following policy types, depending on where they sit in the resource hierarchy:

  • Hierarchical firewall policies: created in an organization and associated with the organization or with a folder.
  • Global network firewall policies: created in a project and associated with VPC networks in that project.
  • Regional network firewall policies: created in a project and associated with a single region of VPC networks in that project.

When you create a hierarchical firewall policy or a network firewall policy, Google Cloud adds some predefined rules to the policy.

Firewall policy association

Before you can use the rules in a firewall policy, you must associate the policy with a resource. The association method depends on the policy type:

  • Hierarchical firewall policies: associate hierarchical policies with a Google Cloud organization or folder.
  • Global network firewall policies: associate global network firewall policies with one or more VPC networks in the same project as the firewall policy.
  • Regional network firewall policies: associate regional network firewall policies with a single region of one or more VPC networks in the same project as the firewall policy.

After you associate a firewall policy with a resource, the rules in the policy apply to matched traffic.

How Cloud NGFW works

Cloud NGFW evaluates firewall policy rules, VPC firewall rules, and implied actions. For more information, see Evaluation order for firewall policies and rules.

VPC firewall rules

VPC firewall rules let you filter traffic at Layer 3 and Layer 4 (the network and transport layers) for a single VPC network.

VPC firewall rules offer fewer features than firewall policy rules. As a best practice, use firewall policies instead of VPC firewall rules. For more information, see VPC firewall rules.

Core components of a firewall policy rule

To configure a firewall policy rule, define the following components:

  • Direction: the direction of traffic flow from the perspective of the target resource.

    • Ingress: the rule applies to inbound traffic. For more information, see Ingress rules.
    • Egress: the rule applies to outbound traffic. For more information, see Egress rules.
  • Priority: a unique integer that determines the evaluation order of rules within a policy. Lower integers indicate higher priorities. For more information, see Priority.

  • Criteria: match conditions for a network packet, such as protocols, IP addresses, and port numbers.

  • Target type: the type of Google Cloud resource the firewall rule protects. You can configure firewall policy rules to apply to virtual machine (VM) instances (default) or managed Envoy proxies that internal Application Load Balancers and internal proxy Network Load Balancers (Preview) use.

  • Target: restricts the rule to specific resources of the target type, for example VMs identified by service account or secure tag. If you don't specify targets, the rule applies to all resources of the target type in the networks that the policy is associated with.

  • Source: mandatory for ingress rules, and optional for egress rules. For more information, see Sources.

  • Destination: mandatory for egress rules, and optional for ingress rules. For more information, see Destinations.

  • Protocol and ports: the communication protocol and destination ports. For more information, see Protocols and ports.

  • Action: the action Cloud NGFW takes when a network packet matches the rule criteria. For more information, see Action on match.

To explore all rule components for a standard VPC network, see Firewall policy rule components.
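The association procedure and the rule components described above, as an added example that is not part of this page or of Google's own samples: a POSIX shell script that creates a global network firewall policy, adds ingress and egress rules whose priorities illustrate lower-integer-wins ordering, and associates the policy with a VPC network, plus the scope flags and association commands for regional and hierarchical policies. The project, network, organization, folder, service account and policy names are placeholders, and 203.0.113.0/24 is a constructed admin range from the RFC 5737 TEST-NET-3 block. By default the script only prints the gcloud commands; set NGFW_APPLY=1 to run them with an authenticated gcloud.

```shell
#!/bin/sh
# Added example (not from the Cloud NGFW documentation): create a global
# network firewall policy, add ingress and egress rules, and associate the
# policy with a VPC network. Project, network, organization, folder,
# service account and address ranges are placeholders; 203.0.113.0/24 is
# a constructed admin range (RFC 5737 TEST-NET-3).
#
# By default the script only prints the gcloud commands it would run.
# Set NGFW_APPLY=1 to execute them with an authenticated gcloud.
set -eu

PROJECT="${PROJECT:-my-project}"                 # placeholder project ID
NETWORK="${NETWORK:-prod-vpc}"                   # placeholder VPC network
REGION="${REGION:-us-central1}"                  # used only for regional policies
ORG_ID="${ORG_ID:-123456789012}"                 # placeholder organization ID
FOLDER_ID="${FOLDER_ID:-987654321098}"           # placeholder folder ID
POLICY="${POLICY:-prod-ngfw-policy}"
ADMIN_RANGE="${ADMIN_RANGE:-203.0.113.0/24}"     # constructed admin source range
WEB_SA="${WEB_SA:-web@my-project.iam.gserviceaccount.com}"  # VMs the rules target

# Print or execute a command depending on NGFW_APPLY.
run() {
  if [ "${NGFW_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# The flag that scopes rule and association commands to a policy type.
# Global and regional policies are project resources; hierarchical
# policies belong to an organization and use the firewall-policies group.
scope_flags() {
  case "$1" in
    global)       printf '%s' "--global-firewall-policy" ;;
    regional)     printf '%s' "--firewall-policy-region=$REGION" ;;
    hierarchical) printf '%s' "--organization=$ORG_ID" ;;
    *) echo "unknown policy type: $1" >&2; return 1 ;;
  esac
}

ngfw_deploy() {
  scope=$(scope_flags global)

  # 1. The policy is only a container until it is associated (step 3).
  run gcloud compute network-firewall-policies create "$POLICY" --global \
      --project="$PROJECT" --description="Production baseline"

  # 2. Rules. Priority is a unique integer per policy and a lower value is
  #    evaluated first, so the allow at 900 wins over the deny at 1000 for
  #    SSH from the admin range; every other source hits the deny.
  run gcloud compute network-firewall-policies rules create 900 \
      --firewall-policy="$POLICY" $scope --project="$PROJECT" \
      --direction=INGRESS --action=allow \
      --src-ip-ranges="$ADMIN_RANGE" --layer4-configs=tcp:22 \
      --target-service-accounts="$WEB_SA" --enable-logging \
      --description="SSH from admin range"
  run gcloud compute network-firewall-policies rules create 1000 \
      --firewall-policy="$POLICY" $scope --project="$PROJECT" \
      --direction=INGRESS --action=deny \
      --src-ip-ranges=0.0.0.0/0 --layer4-configs=tcp:22 \
      --enable-logging --description="Block SSH from everywhere else"
  #    Egress rules need a destination; the source is optional.
  run gcloud compute network-firewall-policies rules create 2000 \
      --firewall-policy="$POLICY" $scope --project="$PROJECT" \
      --direction=EGRESS --action=allow \
      --dest-ip-ranges=0.0.0.0/0 --layer4-configs=tcp:443 \
      --target-service-accounts="$WEB_SA" \
      --description="HTTPS to the internet from web VMs"

  # 3. Associate with a VPC network in the same project; only now do the
  #    rules apply to traffic in that network.
  run gcloud compute network-firewall-policies associations create \
      --firewall-policy="$POLICY" $scope --project="$PROJECT" \
      --network="$NETWORK" --name="$POLICY-assoc"
}

# Association commands for the other two policy types: same rule syntax,
# different scope flag, and for hierarchical policies a different command
# group with an organization or folder (not a network) as the target.
ngfw_associate() {
  case "$1" in
    regional)
      run gcloud compute network-firewall-policies associations create \
          --firewall-policy="$POLICY" "$(scope_flags regional)" \
          --project="$PROJECT" --network="$NETWORK" --name="$POLICY-assoc" ;;
    hierarchical)
      run gcloud compute firewall-policies associations create \
          --firewall-policy="$POLICY" "$(scope_flags hierarchical)" \
          --folder="$FOLDER_ID" --name="$POLICY-assoc" ;;
    *) echo "use ngfw_deploy for global policies; unknown type: $1" >&2; return 1 ;;
  esac
}

ngfw_deploy
```

The order in which the rules are created does not matter; only the priority integers do. Note that the 0.0.0.0/0 egress allow is scoped to the web service account, so VMs running under other service accounts are not affected by it.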

Cloud NGFW tiers

Google Cloud organizes Cloud NGFW capabilities into multiple tiers to align with different security and pricing requirements. For more information, see Cloud NGFW tiers.

Network layer inspection

For basic protection, Cloud NGFW inspects network traffic at Layer 3 and Layer 4 of the Open Systems Interconnection (OSI) model.

All Cloud NGFW tiers use distributed, stateful Layer 3 and Layer 4 filtering. The firewall tracks active connection states and evaluates packets against a connection tracking table. Because filtering is stateful, a rule that allows a connection in one direction also allows the reply traffic for that connection, so you don't need a separate rule for responses.

Application layer inspection

For advanced protection, Cloud NGFW can inspect your traffic at the application layer (Layer 7) of the OSI model. This inspection allows the firewall to make decisions based on application-level data, rather than only IP addresses and ports. Examples of application layer inspection include services such as the URL filtering service and the intrusion detection and prevention service. Application layer inspection features are available only in the Cloud Next Generation Firewall Enterprise tier. For more information, see Application layer inspection overview.

What's next