Use regional network firewall policies to protect internal Application Load Balancers and internal proxy Network Load Balancers

You can configure rules in Cloud Next Generation Firewall (Cloud NGFW) firewall policies that apply to the managed Envoy proxies used by internal Application Load Balancers and internal proxy Network Load Balancers. These proxies run in a proxy-only subnet, so the rules described here are evaluated there, in front of the load balancer's forwarding rule, rather than on the backend VMs.

Internal Application Load Balancers and internal proxy Network Load Balancers have the following firewall rule requirements and options:

  • Firewall rules that apply to the load balancer backends: if you use instance group or GCE_VM_IP_PORT zonal NEG backends, you must configure firewall rules that allow the managed Envoy proxies to connect to the backend VMs.

  • Firewall rules that apply to the managed Envoy proxies: these rules provide optional access control for load balancer forwarding rules. This is the only place to restrict who can reach the load balancer when it uses regional internet NEGs or Private Service Connect NEGs, because those backends have no VMs in your VPC network to attach firewall rules to.

This document describes how to set up the firewall rules that apply to the managed Envoy proxies.

Create the load balancing resources

Before you configure firewall rules and policies, set up the environment and load balancing resources, such as a Virtual Private Cloud (VPC) network, a subnet, a load balancer with its backends and a forwarding rule, and a client VM instance for testing connectivity.

To create and configure the resources for your chosen load balancer, see the following documents:

After creating the resources, record the following details. You will use these details to configure firewall rules and policies later in this document:

  • The region of the load balancer
  • The name and IP address of the forwarding rule
  • The name of the VPC network
  • The name, zone, and IP address of the client VM instance that you created to test load balancer connectivity

Create Cloud NGFW resources

  1. Create a regional network firewall policy in the same region as the load balancer. For more information, see Create a regional network firewall policy.

  2. Associate the firewall policy with the VPC network.

    For a firewall policy's rules to apply to a load balancer forwarding rule, you must associate the policy with the VPC network where that forwarding rule exists. This association activates the firewall policy's rules on the VPC network.

  3. To control the traffic that reaches the load balancer, create ingress firewall rules in a regional network firewall policy. Unlike VM targets, ingress is allowed when no firewall rules apply to the managed Envoy proxies used by internal Application Load Balancers and internal proxy Network Load Balancers, so a policy that contains only allow rules restricts nothing. To restrict access to one or more load balancer forwarding rules, you must create at least two ingress firewall rules with --target-type INTERNAL_MANAGED_LB, a catch-all deny and the allow rules that take precedence over it:

    • A lower priority ingress deny firewall rule with --src-ip-ranges=0.0.0.0/0.

    • A higher priority ingress allow firewall rule with --src-ip-ranges set to the approved source IP address ranges.

    • A higher priority ingress allow firewall rule with --src-ip-ranges set to the IP addresses of the Google health check probes for the managed Envoy proxies. For more information, see Probe IP ranges and firewall rules in the Health checks overview.

    In firewall policies a lower priority number means higher precedence, so the allow rules need a numerically lower priority than the deny rule; otherwise the deny shadows them and all traffic to the forwarding rule is dropped.

  4. View firewall logs to confirm that the rules match the traffic you expect. For more information, see View logs.
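The steps above as one script, added here as an example rather than taken from the Google Cloud documentation. It wraps each gcloud call in a `run` helper so that `DRY_RUN=1` prints the commands for review instead of executing them, and it checks the priority ordering before anything is applied. The project, region, network, forwarding rule, client VM, policy name and approved CIDR are assumptions to override in the environment; the `--target-forwarding-rules` flag name used to scope a rule to a single forwarding rule is also an assumption (omit it to target every forwarding rule in the network). The health check probe ranges are the ones documented in the Health checks overview.

```shell
#!/bin/sh
# Added example, not from the Google Cloud page: builds the deny/allow rule set
# from steps 1 to 4 with gcloud. Every name, region and CIDR below is an
# assumption; override them in the environment. DRY_RUN=1 prints the commands
# instead of running them, which is also how the rule set can be reviewed.
set -eu

PROJECT="${PROJECT:-example-project}"       # assumed project ID
REGION="${REGION:-us-central1}"             # assumed: region of the load balancer
NETWORK="${NETWORK:-lb-network}"            # assumed: VPC network of the forwarding rule
FWD_RULE="${FWD_RULE:-ilb-fwd-rule}"        # assumed: forwarding rule to protect
FWD_IP="${FWD_IP:-10.1.0.10}"               # assumed: IP address of that forwarding rule
CLIENT_VM="${CLIENT_VM:-client-vm}"         # assumed: test client VM name
CLIENT_ZONE="${CLIENT_ZONE:-us-central1-a}" # assumed: its zone
POLICY="${POLICY:-ilb-fw-policy}"           # assumed policy name
APPROVED_SRC="${APPROVED_SRC:-10.1.2.0/24}" # assumed approved client range(s)

# Google health check probe ranges (Health checks overview, "Probe IP ranges
# and firewall rules").
HC_RANGES="35.191.0.0/16,130.211.0.0/22"

# Lower number = higher precedence. Both allow rules must sort before the
# catch-all deny or they are shadowed by it.
DENY_PRIORITY=1000
ALLOW_CLIENT_PRIORITY=100
ALLOW_HC_PRIORITY=110

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: regional network firewall policy in the load balancer's region.
create_policy() {
  run gcloud compute network-firewall-policies create "$POLICY" \
    --project="$PROJECT" --region="$REGION" \
    --description="Access control for $FWD_RULE"
}

# Step 2: associate the policy with the VPC network that holds the forwarding rule.
associate_policy() {
  run gcloud compute network-firewall-policies associations create \
    --project="$PROJECT" --firewall-policy="$POLICY" \
    --firewall-policy-region="$REGION" --network="$NETWORK" \
    --name="$POLICY-$NETWORK"
}

# Step 3: one ingress rule targeting the managed Envoy proxies. Only TCP, and
# no ports or destination ranges, per the limitations on this page.
# --target-forwarding-rules (assumed flag name) scopes the rule to one
# forwarding rule; omit it to cover every forwarding rule in the network.
ingress_rule() { # priority action src_ranges description
  run gcloud compute network-firewall-policies rules create "$1" \
    --project="$PROJECT" --firewall-policy="$POLICY" \
    --firewall-policy-region="$REGION" \
    --direction=INGRESS --action="$2" --src-ip-ranges="$3" \
    --layer4-configs=tcp \
    --target-type=INTERNAL_MANAGED_LB --target-forwarding-rules="$FWD_RULE" \
    --enable-logging --description="$4"
}

apply_policy() {
  create_policy
  associate_policy
  ingress_rule "$DENY_PRIORITY" deny 0.0.0.0/0 "catch-all deny for $FWD_RULE"
  ingress_rule "$ALLOW_CLIENT_PRIORITY" allow "$APPROVED_SRC" "approved clients"
  ingress_rule "$ALLOW_HC_PRIORITY" allow "$HC_RANGES" "Google health check probes"
}

# Guard that needs no gcloud: fails if either allow rule would be shadowed.
priorities_ok() {
  [ "$ALLOW_CLIENT_PRIORITY" -lt "$DENY_PRIORITY" ] &&
    [ "$ALLOW_HC_PRIORITY" -lt "$DENY_PRIORITY" ]
}

# Step 4 companion: connectivity check from the client VM. From an approved
# source the request returns an HTTP status; from anywhere else it times out
# and the deny appears in the firewall logs (logging is on for every rule).
probe_from_client() {
  run gcloud compute ssh "$CLIENT_VM" --project="$PROJECT" --zone="$CLIENT_ZONE" \
    --command="curl -sS -m 5 -o /dev/null -w '%{http_code}\n' http://$FWD_IP/"
}

if [ "${APPLY:-0}" = "1" ]; then
  priorities_ok
  apply_policy
  probe_from_client
fi
```

Run it once with `DRY_RUN=1 APPLY=1 sh protect-ilb.sh` and read the printed commands, then again with `APPLY=1`. Run the probe twice, once from a VM inside the approved range and once from a VM outside it; only the second should time out, and only that attempt should show a deny entry in the firewall logs.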

Limitations

When you use Cloud NGFW firewall policies to protect internal Application Load Balancers and internal proxy Network Load Balancers, the following limitations apply:

  • Only ingress firewall rules are supported. They inspect traffic coming from the client and are evaluated against traffic destined for the load balancer's virtual IP (VIP) address. Egress rules don't apply to the proxies: the return traffic that flows from the backend instances to the load balancer over the proxy-only subnet is allowed.

  • Load balancers don't support hierarchical firewall policies. Only network firewall policies are supported.

  • Firewall policy rules that target the managed Envoy proxies support only the TCP protocol.

  • Load balancers don't support the following Cloud NGFW features:

    • Geolocation
    • Network threat intelligence (NTI)
    • Destination IP range specification
    • Port specification

  • A firewall rule can target either a single forwarding rule or all forwarding rules in the VPC network. You can't configure a firewall rule to target a specific list of multiple forwarding rules.

  • Firewall rules with --target-type INTERNAL_MANAGED_LB support only the VPC_NETWORKS and INTRA_VPC source network types; the INTERNET and NON_INTERNET network types can't be used. VPC_NETWORKS matches source traffic from the VPC networks you specify, and INTRA_VPC matches source traffic from within the same VPC network.