To control network traffic within specific regions, use regional network firewall policies and their rules. This page provides instructions to clone, list, describe, view, update, and delete regional network firewall policy associations and rules.
Before you read this page, ensure you are familiar with the concepts described on the Regional network firewall policies page.
Firewall policy tasks
This section describes how to manage regional network firewall policies.
Describe a regional network firewall policy
You can view details about a regional network firewall policy, including the policy rules and associated rule attributes. All these rule attributes are counted as part of the rule attribute quota. For more information, see "Rule attributes per regional network firewall policy" in the Per firewall policy table. In addition, you can view the priorities of the existing VPC network associations.
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector menu, select your project that contains the regional network firewall policy.
Click your policy.
gcloud
gcloud compute network-firewall-policies describe POLICY_NAME \
--region=REGION_NAME
Update a regional network firewall policy description
The only policy field that can be updated is the Description field.
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector menu, select your project that contains the regional network firewall policy.
Click your policy.
Click Edit.
In the Description field, modify the description.
Click Save.
gcloud
gcloud compute network-firewall-policies update POLICY_NAME \
--description DESCRIPTION \
--region=REGION_NAME
List regional network firewall policies
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector menu, select your project that contains the policy.
The Network firewall policies section shows the policies available in your project.
gcloud
gcloud compute network-firewall-policies list \
--regions=LIST_OF_REGIONS
Replace LIST_OF_REGIONS with a comma-separated list of regions for which you want to list the policies.
Delete the network association
To stop enforcement of a firewall policy on a network, delete the association.
However, if you intend to swap out one firewall policy for another, you need not delete the existing association first. Deleting that association leaves a period of time where neither policy is enforced. Instead, replace the existing policy when you associate a new policy.
To delete an association between a regional network firewall policy and a region of a VPC network, follow the steps in this section. After the association is deleted, the rules in the regional network firewall policy no longer apply to new connections.
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector menu, select your project or the folder that contains the policy.
Click your policy.
Click the Associations tab.
Select the association that you want to delete.
Click Remove association.
gcloud
gcloud compute network-firewall-policies associations delete \
--name ASSOCIATION_NAME \
--firewall-policy POLICY_NAME \
--firewall-policy-region=POLICY_REGION
Delete a regional network firewall policy
Before you can delete a regional network firewall policy, you must delete all of its associations.
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector menu, select your project that contains the policy.
Click the policy that you want to delete.
Click the Associations tab.
Select all associations.
Click Remove association.
After all associations are removed, click Delete.
gcloud
Use the following command to delete the policy:
gcloud compute network-firewall-policies delete POLICY_NAME \
--region=REGION_NAME
Replace the following:
POLICY_NAME: the name of the regional network firewall policy.
REGION_NAME: the region of the regional network firewall policy.
Firewall policy rule tasks
This section describes how to manage regional network firewall policy rules.
Clone rules from one policy to another
Cloning copies the rules from a source policy to a target policy, replacing all existing rules in the target policy.
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector menu, select your project that contains the policy.
Click the policy that you want to copy rules from.
Click Clone at the top of the screen.
Provide the name of a target policy.
If you want to associate the new policy immediately, click Continue > Associate.
In the Associate policy with VPC networks page, select the networks and click Associate.
Click Continue.
Click Clone.
gcloud
gcloud compute network-firewall-policies clone-rules TARGET_POLICY \
--region=TARGET_POLICY_REGION \
--source-firewall-policy=SOURCE_POLICY
Replace the following:
TARGET_POLICY: the name of the target policy.
TARGET_POLICY_REGION: the region of the target policy.
SOURCE_POLICY: the URL of the source policy.
Describe a rule
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector menu, select your project that contains the policy.
Click your policy.
Click the priority of the rule.
gcloud
gcloud compute network-firewall-policies rules describe PRIORITY \
--firewall-policy=POLICY_NAME \
--firewall-policy-region=POLICY_REGION
Replace the following:
PRIORITY: the priority number that uniquely identifies the rule.
POLICY_NAME: the name of the policy that contains the rule.
POLICY_REGION: the region of the policy that contains the rule.
Update a rule
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector menu, select your project that contains the regional network firewall policy.
Click the name of the regional network firewall policy that contains the rule to update.
Click the priority of the rule.
Click Edit.
Modify the firewall rule fields that you want to change. For descriptions about each field, see one of the following:
Click Save.
gcloud
gcloud compute network-firewall-policies rules update PRIORITY \
--firewall-policy=POLICY_NAME \
--firewall-policy-region=POLICY_REGION \
[...other flags that you want to modify...]
Replace the following:
PRIORITY: the priority number that uniquely identifies the rule.
POLICY_NAME: the name of the policy that contains the rule.
POLICY_REGION: the region of the policy that contains the rule.
Supply the flags that you want to modify. For flag descriptions, see one of the following:
Delete a rule
Deleting a rule from a policy causes the rule to no longer apply to new connections to or from the rule's target.
Console
In the Google Cloud console, go to the Firewall policies page.
In the project selector menu, select your project that contains the policy.
Click your policy.
Select the rule that you want to delete.
Click Delete.
gcloud
gcloud compute network-firewall-policies rules delete PRIORITY \
--firewall-policy=POLICY_NAME \
--firewall-policy-region=POLICY_REGION
Replace the following:
PRIORITY: the priority number that uniquely identifies the rule.
POLICY_NAME: the name of the policy that contains the rule.
POLICY_REGION: the region of the policy that contains the rule.
Get effective firewall rules for a region of a network
You can view all hierarchical firewall policy rules, VPC firewall rules, global network firewall policy rules, and regional network firewall policy rules that apply to a specific region of a VPC network.
gcloud
gcloud compute network-firewall-policies get-effective-firewalls \
--region=REGION_NAME \
--network=NETWORK_NAME
Replace the following:
REGION_NAME: the region for which you want to view the effective rules.
NETWORK_NAME: the network for which you want to view the effective rules.
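The effective rule set returned by the command above is the natural place to audit what a region of a network actually permits, because it merges hierarchical, global network, VPC, and regional network firewall policy rules into one view. The following Python script is an added example, not part of this page or of the gcloud tooling. It parses a constructed JSON document that imitates the shape of the command's --format=json output and reports every enabled INGRESS allow rule, from any of the four sources, whose source range covers the whole internet (0.0.0.0/0 or ::/0). The field names it reads (firewallPolicys, firewalls, type, match.srcIpRanges, match.layer4Configs, sourceRanges, allowed, denied) follow the Compute API's GetEffectiveFirewalls response as the author understands it and are an assumption to check against your own output; the policy and rule names in the sample are constructed.

```python
"""Audit the effective firewall set for a region of a VPC network.

Constructed example input imitating
  gcloud compute network-firewall-policies get-effective-firewalls \
      --region=REGION_NAME --network=NETWORK_NAME --format=json
Field names are an assumption based on the Compute API response shape.
"""
import ipaddress
import json

# Constructed sample: one hierarchical policy, one regional network firewall
# policy, and two VPC firewall rules. All names and ranges are made up.
SAMPLE_OUTPUT = r'''
{
  "firewallPolicys": [
    {"name": "org-baseline", "type": "HIERARCHY",
     "rules": [
       {"priority": 100, "direction": "INGRESS", "action": "deny",
        "match": {"srcIpRanges": ["192.0.2.0/24"],
                  "layer4Configs": [{"ipProtocol": "all"}]}}
     ]},
    {"name": "regional-policy-constructed", "type": "NETWORK_REGIONAL",
     "rules": [
       {"priority": 1000, "direction": "INGRESS", "action": "allow",
        "match": {"srcIpRanges": ["0.0.0.0/0"],
                  "layer4Configs": [{"ipProtocol": "tcp", "ports": ["22"]}]}},
       {"priority": 2000, "direction": "INGRESS", "action": "allow",
        "disabled": true,
        "match": {"srcIpRanges": ["::/0"],
                  "layer4Configs": [{"ipProtocol": "tcp", "ports": ["3389"]}]}},
       {"priority": 3000, "direction": "EGRESS", "action": "allow",
        "match": {"destIpRanges": ["0.0.0.0/0"],
                  "layer4Configs": [{"ipProtocol": "all"}]}}
     ]}
  ],
  "firewalls": [
    {"name": "allow-internal-https", "direction": "INGRESS", "priority": 1000,
     "sourceRanges": ["10.0.0.0/8"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}]},
    {"name": "legacy-allow-all", "direction": "INGRESS", "priority": 65000,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "all"}]}
  ]
}
'''


def is_world_open(ranges):
    """True if any range is a /0, i.e. matches every IPv4 or IPv6 address."""
    for text in ranges or []:
        try:
            if ipaddress.ip_network(text, strict=False).prefixlen == 0:
                return True
        except ValueError:
            continue  # unparsable range: skip rather than mis-report it
    return False


def _policy_rules(policy):
    """Flatten one firewall policy's rules into a common record shape."""
    label = f"{policy.get('type', '?')}:{policy.get('name', '?')}"
    for rule in policy.get("rules", []):
        match = rule.get("match", {})
        yield {
            "source": label,
            "priority": rule.get("priority"),
            "direction": rule.get("direction"),
            "action": rule.get("action"),
            "disabled": rule.get("disabled", False),
            "src_ranges": match.get("srcIpRanges", []),
            "l4": [(c.get("ipProtocol"), c.get("ports", []))
                   for c in match.get("layer4Configs", [])],
        }


def _vpc_rules(firewalls):
    """Flatten VPC firewall rules (different field names) into the same shape."""
    for fw in firewalls:
        configs = fw.get("allowed", []) + fw.get("denied", [])
        yield {
            "source": f"VPC:{fw.get('name', '?')}",
            "priority": fw.get("priority", 1000),
            "direction": fw.get("direction", "INGRESS"),
            "action": "allow" if fw.get("allowed") else "deny",
            "disabled": fw.get("disabled", False),
            "src_ranges": fw.get("sourceRanges", []),
            "l4": [(c.get("IPProtocol"), c.get("ports", [])) for c in configs],
        }


def flatten(effective):
    """All rules from every source, policies first, then VPC firewall rules."""
    rules = []
    for policy in effective.get("firewallPolicys", []):
        rules.extend(_policy_rules(policy))
    rules.extend(_vpc_rules(effective.get("firewalls", [])))
    return rules


def find_world_open_allows(effective):
    """Enabled INGRESS allow rules reachable from the whole internet."""
    return [r for r in flatten(effective)
            if r["direction"] == "INGRESS" and r["action"] == "allow"
            and not r["disabled"] and is_world_open(r["src_ranges"])]


def format_finding(r):
    l4 = ", ".join(f"{p}:{','.join(ports) or 'any'}" for p, ports in r["l4"])
    return f"{r['source']} priority={r['priority']} allows {l4} from {r['src_ranges']}"


if __name__ == "__main__":
    for finding in find_world_open_allows(json.loads(SAMPLE_OUTPUT)):
        print(format_finding(finding))
```

To run it against a real region, pipe the command's JSON output into json.loads in place of SAMPLE_OUTPUT. The script deliberately ignores rule evaluation order and only lists candidates; whether a flagged allow is actually reachable depends on higher-priority deny rules in the same view, so treat each line as something to review, not as a confirmed exposure.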
What's next
- Regional network firewall policies
- Hierarchical firewall policies
- Create global network firewall policies and rules