A firewall endpoint is a zonal resource that provides Layer 7 inspection for your traffic. A firewall endpoint association lets you associate the endpoint with one or more VPC networks in the same zone.
This page explains how to manage firewall endpoints and their associations with a Virtual Private Cloud (VPC) network by using the Google Cloud console and the gcloud CLI.
Before you begin
Before you manage firewall endpoints and associations, complete the following:
- Ensure that you have a VPC network and a subnet.
- Enable the required APIs:
- Compute Engine API (Compute Engine API) in your Google Cloud project.
- Network Security API in the Google Cloud project that you want to use for billing.
- Certificate Authority Service API in your Google Cloud project.
- Install the gcloud CLI if you want to run
gcloudcommand-line examples.
Roles and permissions
To get the permissions that you need to view, update, or delete firewall endpoints and associations, ask your administrator to grant you the necessary Identity and Access Management (IAM) roles on your organization or project. For more information, see Manage access.
To check the progress of the operations listed on this page, ensure that
your user account has the
Compute Network User (roles/compute.networkUser)
role, which includes the following permissions:
networksecurity.operations.getnetworksecurity.operations.list
Quotas
To view quotas for firewall endpoints and associations, see Quotas and limits.
Manage firewall endpoints
In this section, learn to manage firewall endpoints.
List and view details of a firewall endpoint
To list all firewall endpoints, use the Google Cloud console or the gcloud CLI.
You can view the endpoint details such as:
- The zone where the endpoint is deployed
- The current state of the endpoint
- The jumbo frames support status
- The billing project (for organization-level endpoints only)
- The endpoint associations
Console
In the Google Cloud console, go to the Firewall endpoints page.
In the project selector menu, select your organization or the project where the endpoint exists.
If you select an organization, the Firewall endpoints page lists the firewall endpoints in the organization.
If you select a project, the Firewall endpoints located in this project section lists the project's firewall endpoints.
Click the name of the firewall endpoint to view its details.
gcloud
To list all firewall endpoints, use the gcloud network-security
firewall-endpoints list
command:
gcloud network-security firewall-endpoints list \
--organization ORGANIZATION_ID | --project PROJECT_ID \
--location LOCATION \
[--billing-project QUOTA_PROJECT_ID]
To view details of a firewall endpoint, use the gcloud network-security
firewall-endpoints describe
command:
gcloud network-security firewall-endpoints describe NAME \
--organization ORGANIZATION_ID | --project PROJECT_ID \
--location LOCATION
Replace the following:
NAME: the name of the firewall endpoint.ORGANIZATION_ID: the organization ID where the firewall endpoint exists. Use this flag for an organization-level endpoint.PROJECT_ID: the project ID where the firewall endpoint exists. Use this flag for a project-level endpoint.LOCATION: the zone where the endpoint exists.QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level endpoints.
Update a firewall endpoint
To update a firewall endpoint, use the Google Cloud console or the gcloud CLI.
You can update the following key details of an endpoint:
- The billing project (available for organization-level endpoints only)
- The labels of the endpoint
- The description of the endpoint
You can't change any of the following details:
- The status of jumbo frames support
- The name of the endpoint
- The zone of the endpoint
- The organization or project of the endpoint
To change the previous details, delete the endpoint and create another.
Console
In the Google Cloud console, go to the Firewall endpoints page.
In the project selector menu, select your organization or the project where the endpoint exists.
If you select an organization, the Firewall endpoints page lists all the configured firewall endpoints in the organization.
If you select a project, the Firewall endpoints located in this project section of the Firewall endpoints page lists all firewall endpoints of the project.
Click the name of the firewall endpoint to view its details.
Click Edit.
Update the fields.
Click Save.
gcloud
To update a firewall endpoint, use the gcloud network-security
firewall-endpoints update command:
gcloud network-security firewall-endpoints update NAME \
--organization ORGANIZATION_ID | --project PROJECT_ID \
--location LOCATION \
[--update-billing-project QUOTA_PROJECT_ID]
Replace the following:
NAME: the name of the firewall endpoint.ORGANIZATION_ID: the organization ID. Use this flag for an organization-level endpoint.PROJECT_ID: the project ID. Use this flag for a project-level endpoint.LOCATION: the zone where the endpoint exists.QUOTA_PROJECT_ID: the quota project ID. Use this flag only for organization-level endpoints.
For information about the packet sizes supported by firewall endpoints, see Supported packet size.
Delete a firewall endpoint
To delete a firewall endpoint, use the Google Cloud console or the gcloud CLI.
Before you delete a firewall endpoint, consider the following:
- You can delete a firewall endpoint only if it is not associated with any VPC network.
- If firewall policy rules direct traffic to this endpoint, deleting the endpoint stops traffic inspection. All Layer 7 inspection services that the endpoint provides for associated networks in that zone also stop.
- Deleting an endpoint in one zone affects only traffic and associations within that specific zone.
Console
In the Google Cloud console, go to the Firewall endpoints page.
In the project selector menu, select your organization or the project where the endpoint exists.
If you select an organization, the Firewall endpoints page lists all configured firewall endpoints in the organization.
If you select a project, the Firewall endpoints located in this project section of the Firewall endpoints page lists all firewall endpoints of the project.
Select the firewall endpoint, and then click Delete.
Click Delete again to confirm.
gcloud
To delete a firewall endpoint, use the gcloud network-security firewall-endpoints delete
command:
gcloud network-security firewall-endpoints delete NAME \
--organization ORGANIZATION_ID | --project PROJECT_ID \
--location LOCATION
Replace the following:
NAME: the name of the firewall endpoint.ORGANIZATION_ID: the organization ID. Use this flag for an organization-level endpoint.PROJECT_ID: the project ID. Use this flag for a project-level endpoint.LOCATION: the zone where the endpoint exists.
Manage firewall endpoint associations
A firewall endpoint association connects a firewall endpoint to a VPC network in a specific zone.
Ensure that you have a firewall endpoint before you manage its associations. To create an association, see Create firewall endpoints and associations.
Association requirements
When you configure endpoint associations, follow these requirements:
- Zone constraints: You must create the association in the same zone as the firewall endpoint. For effective traffic inspection, create associations in zones where your compute instances are deployed.
- One endpoint per zone: In a single zone, you can associate a VPC network with only one firewall endpoint (either project-level or organization-level). However, you can associate a single VPC network with different firewall endpoints across multiple, different zones.
- Cross-project associations: You can associate a VPC network with a firewall endpoint in a separate project. If you use a project-level endpoint, the endpoint's project must reside in the same organization as the VPC network.
- Resource mapping: An association is a project-level resource. You create the association within the specific project where your compute instances are deployed, even if the association points to an organization-level firewall endpoint.
A firewall endpoint with jumbo frame support can accept packets only up to 8,500 bytes. Alternatively, a firewall endpoint without jumbo frame support can accept packets only up to 1,460 bytes. If you need URL filtering service or intrusion detection and prevention service, we recommend that you configure the associated VPC networks to use the maximum transmission unit (MTU) limits of 8,500 bytes and 1,460 bytes. For more information, see Supported packet size.
List and view a firewall endpoint association
To list and view firewall endpoint associations, use the Google Cloud console or the gcloud CLI.
You can view the following details for an endpoint association:
- The lifecycle status
- The active status
- The TLS inspection status
- The ID of the firewall endpoint
Console
In the Google Cloud console, go to the Firewall endpoints page.
In the project selector menu, select your Google Cloud project.
In the Firewall endpoint associations section, the table lists all firewall endpoint associations of organization-level and project-level endpoints.
gcloud
To list firewall endpoint associations for a specific network, use the
gcloud network-security firewall-endpoint-associations list command
with the --filter flag.
gcloud network-security firewall-endpoint-associations list \
--filter network:NETWORK_NAME \
[--project PROJECT_ID]
To view a firewall endpoint association, use the gcloud network-security firewall-endpoint-associations describe
command:
gcloud network-security firewall-endpoint-associations describe NAME \
--filter network:NETWORK_NAME \
[--project PROJECT_ID]
Replace the following:
NAME: the name of the firewall endpoint association.PROJECT_ID: the project ID where the association exists.NETWORK_NAME: the name of the VPC network.
Update a firewall endpoint association
To update a firewall endpoint association, use the Google Cloud console or the gcloud CLI.
You can update the following details:
- The activation state
- The associated TLS inspection policy
- The labels and description
You can't update the following details:
- The firewall endpoint and the VPC network connected by this association
- The name, project, or zone of the association
To change these details, delete the association and create another.
Console
In the Google Cloud console, go to the Firewall endpoints page.
In the project selector menu, select your Google Cloud project.
In the Firewall endpoint associations section, the table lists all the configured firewall endpoint associations for this project.
Next to the firewall endpoint association that you want to update, click Edit.
To disable the firewall endpoint association, clear the Enable association checkbox.
To update the TLS inspection policy, select a new policy from the TLS inspection policy list.
Click Save.
gcloud
To update a firewall endpoint association, use the
gcloud network-security firewall-endpoint-associations update command.
gcloud network-security firewall-endpoint-associations update NAME \
--project PROJECT_ID \
[ --disabled ] \
[ --tls-inspection-policy projects/TLS_PROJECT_NAME/locations/REGION_NAME/tlsInspectionPolicies/TLS_POLICY_NAME ] \
--location LOCATION
Replace the following:
NAME: the name of the firewall endpoint association.PROJECT_ID: the project ID where the association is created.TLS_PROJECT_NAME: the project name of the TLS inspection policy.REGION_NAME: the region name of the TLS inspection policy.TLS_POLICY_NAME: the name of the TLS inspection policy.LOCATION: the location of the firewall endpoint association.
Delete a firewall endpoint association
To delete a firewall endpoint association, use the Google Cloud console or the gcloud CLI.
When a Google Cloud project is deleted, its associated firewall endpoint associations are automatically removed. This deletion is irreversible, even if the project is later restored.
However, the deletion process for these associations might sometimes fail.
If this happens and the project is restored, the associated firewall
endpoints appear in ORPHAN state within the restored project. This
indicates the broken link between the project and its resources due to
the unsuccessful deletion.
You can view these orphaned associations in the Google Cloud console, but you can't edit them. Cloud Next Generation Firewall periodically runs a background process that deletes these orphaned resources.
Console
In the Google Cloud console, go to the Firewall endpoints page.
In the project selector menu, select your Google Cloud project.
In the Firewall endpoint associations section, the table lists all the configured firewall endpoint associations for this project.
Select the firewall endpoint association, and then click Delete.
Click Delete again to confirm.
gcloud
To delete a firewall endpoint association, use the gcloud network-security
firewall-endpoint-associations delete
command.
gcloud network-security firewall-endpoint-associations delete NAME \
--project PROJECT_ID \
--location LOCATION
Replace the following:
NAME: the name of the firewall endpoint association.PROJECT_ID: the project ID where the association exists.LOCATION: the location of the firewall endpoint association.
What's next
- Create firewall endpoints and associations
- Use hierarchical firewall policies and rules
- Use global network firewall policies and rules