Manage firewall endpoints

This page explains how to manage a firewall endpoint and associate it with a Virtual Private Cloud (VPC) network by using the Google Cloud console and Google Cloud CLI. For more information, see Firewall endpoint overview.

For information on how to create a firewall endpoint, see Create firewall endpoints.

To check the progress of the operations listed on this page, make sure that your user account has the Compute Network User role (roles/compute.networkUser), which includes the following permissions:

  • networksecurity.operations.get
  • networksecurity.operations.list

Before you begin

Roles

To get the permissions that you need to create, view, update, or delete firewall endpoints, ask your administrator to grant you the necessary IAM roles on your organization or project. For more information about granting roles, see Manage access.

Quotas

To view quotas for firewall endpoints and associations, see Quotas and limits.

View a firewall endpoint

You can view the details of a specific firewall endpoint.

Organization-level endpoints

To view the details of an organization-level firewall endpoint, use the Google Cloud console or the gcloud CLI.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

    Go to Firewall endpoints

  2. In the project selector menu, select your organization where the endpoint was activated.

    The Firewall endpoints page lists all the configured firewall endpoints in the organization.

  3. Click the name of the firewall endpoint to view its details.

gcloud

To view details of a firewall endpoint, use the gcloud network-security firewall-endpoints describe command:

gcloud network-security firewall-endpoints \
    describe NAME \
    --organization ORGANIZATION_ID \
    --zone ZONE

Replace the following:

  • NAME: the name of the firewall endpoint.

  • ORGANIZATION_ID: the organization where the endpoint is activated.

  • ZONE: the zone where the endpoint is activated.

Project-level endpoints

To view the details of a project-level firewall endpoint, use the gcloud CLI.

gcloud

To view details of a firewall endpoint, use the gcloud beta network-security firewall-endpoints describe command:

gcloud beta network-security firewall-endpoints \
    describe NAME \
    --project PROJECT_ID \
    --zone ZONE

Replace the following:

  • NAME: the name of the firewall endpoint.

  • PROJECT_ID: the project where the endpoint is activated.

  • ZONE: the zone where the endpoint is activated.

List firewall endpoints

You can list all the firewall endpoints in an organization or a project.

Organization-level endpoints

To list all organization-level firewall endpoints, use the Google Cloud console or the gcloud CLI.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

    Go to Firewall endpoints

  2. In the project selector menu, select your organization where the endpoint was activated.

  3. The Firewall endpoints page lists all the configured firewall endpoints.

gcloud

To list all firewall endpoints, use the gcloud network-security firewall-endpoints list command:

gcloud network-security firewall-endpoints list \
    --organization ORGANIZATION_ID \
    --zone ZONE \
    --billing-project BILLING_PROJECT_ID

Replace the following:

  • ORGANIZATION_ID: the organization where the endpoint is activated.

  • ZONE: the zone where the endpoint is activated. To list endpoints in all zones, use -.

  • BILLING_PROJECT_ID: an optional Google Cloud project ID that will be charged quota for the operation. This is required only for organization-level firewall endpoints.

Project-level endpoints

To list all project-level firewall endpoints, use the gcloud CLI.

gcloud

To list all firewall endpoints, use the gcloud beta network-security firewall-endpoints list command:

gcloud beta network-security firewall-endpoints list \
    --project PROJECT_ID \
    --zone ZONE

Replace the following:

  • PROJECT_ID: the project where the endpoint is activated.

  • ZONE: the zone where the endpoint is activated. To list endpoints in all zones, use -.
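
The following script is an added example, not part of the original page: it builds the all-zones list command for either scope and reports which required zones have no firewall endpoint. The `--format 'value(name)'` output flag and the `.../locations/ZONE/firewallEndpoints/NAME` resource-name layout are assumptions not shown on this page, and the IDs and zone names are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Names below are constructed.

# Print the list command for one scope, covering every zone with "--zone -".
# Organization-level: GA track plus a billing project.
# Project-level: beta track, no billing project.
list_cmd() {
  local scope=$1 id=$2 billing=${3:-}
  case "$scope" in
    organization)
      printf 'gcloud network-security firewall-endpoints list'
      printf ' --organization %s --zone -' "$id"
      if [ -n "$billing" ]; then printf ' --billing-project %s' "$billing"; fi
      ;;
    project)
      printf 'gcloud beta network-security firewall-endpoints list'
      printf ' --project %s --zone -' "$id"
      ;;
    *)
      echo 'scope must be "organization" or "project"' >&2
      return 2
      ;;
  esac
  # --format is gcloud's global output flag (assumption: not shown on the
  # page); value(name) prints one resource name per line.
  printf " --format 'value(name)'\n"
}

# Read resource names on stdin (assumed layout:
# .../locations/ZONE/firewallEndpoints/NAME) and print each zone given as an
# argument that has no endpoint. Returns 1 if any zone is uncovered.
missing_zones() {
  local seen zone rc=0
  seen=$(awk -F/ '{ for (i = 1; i < NF; i++) if ($i == "locations") print $(i+1) }')
  for zone in "$@"; do
    if ! printf '%s\n' "$seen" | grep -qxF -- "$zone"; then
      echo "$zone"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample of what the list command would print.
SAMPLE='organizations/123456789012/locations/us-central1-a/firewallEndpoints/fw-ep-a
organizations/123456789012/locations/europe-west1-b/firewallEndpoints/fw-ep-eu'
```

Run the printed command and pipe its output into `missing_zones`, passing the zones where your workloads run as arguments.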

Update a firewall endpoint

You can manage labels or update the description for a firewall endpoint.

Organization-level endpoint

To update an organization-level firewall endpoint, use the Google Cloud console or the gcloud CLI. You can also update the billing project of a firewall endpoint in an organization.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

    Go to Firewall endpoints

  2. In the project selector menu, select your organization where the endpoint was activated.

    The Firewall endpoints page lists all the configured firewall endpoints.

  3. Click the name of the firewall endpoint to view its details.

  4. Click Edit.

  5. In the Billing project list, select the Google Cloud project that you want to use for billing the firewall endpoint.

  6. Click Save.

gcloud

To update a firewall endpoint, use the gcloud network-security firewall-endpoints update command:

gcloud network-security firewall-endpoints \
    update NAME \
    --organization ORGANIZATION_ID \
    --zone ZONE \
    --billing-project BILLING_PROJECT_ID

Replace the following:

  • NAME: the name of the firewall endpoint.

  • ORGANIZATION_ID: the organization where the endpoint is activated.

  • ZONE: the zone where the endpoint is activated.

  • BILLING_PROJECT_ID: the Google Cloud project ID that you want to associate with this firewall endpoint for billing. This is required only for organization-level firewall endpoints.

For information about the packet sizes supported by firewall endpoints, see Supported packet size.

Project-level endpoint

To update a project-level firewall endpoint, use the gcloud CLI. You can manage labels or update the description for a firewall endpoint.

gcloud

To update a firewall endpoint, use the gcloud beta network-security firewall-endpoints update command:

gcloud beta network-security firewall-endpoints \
    update NAME \
    --project PROJECT_ID \
    --zone ZONE

Replace the following:

  • NAME: the name of the firewall endpoint.

  • PROJECT_ID: the project where the endpoint is activated.

  • ZONE: the zone where the endpoint is activated.

For information about the packet sizes supported by firewall endpoints, see Supported packet size.

Delete a firewall endpoint

You can delete a firewall endpoint by specifying its name, zone, and organization or project.

Organization-level endpoints

To delete an organization-level firewall endpoint, use the Google Cloud console or the gcloud CLI.

Console

  1. In the Google Cloud console, go to the Firewall endpoints page.

    Go to Firewall endpoints

  2. In the project selector menu, select your organization where the endpoint was activated.

  3. Select the firewall endpoint, and then click Delete.

  4. Click Delete again to confirm.

gcloud

To delete a firewall endpoint, use the gcloud network-security firewall-endpoints delete command:

gcloud network-security firewall-endpoints delete NAME \
    --organization ORGANIZATION_ID \
    --zone ZONE

Replace the following:

  • NAME: the name of the firewall endpoint.

  • ORGANIZATION_ID: the organization where the endpoint is activated.

  • ZONE: the zone where the endpoint is activated.

Project-level endpoints

To delete a project-level firewall endpoint, use the gcloud CLI.

gcloud

To delete a firewall endpoint, use the gcloud beta network-security firewall-endpoints delete command:

gcloud beta network-security firewall-endpoints delete NAME \
    --project PROJECT_ID \
    --zone ZONE

Replace the following:

  • NAME: the name of the firewall endpoint.

  • PROJECT_ID: the project where the endpoint is activated.

  • ZONE: the zone where the endpoint is activated.
