Understand network types

The following sections describe how Cloud Next Generation Firewall classifies traffic using network types. For more information about network types, see Network types.

Criteria for internet network type

This section describes the criteria that Cloud Next Generation Firewall uses to determine whether a packet belongs to the internet network type.

Internet network type for ingress packets

Ingress packets routed to a virtual machine (VM) network interface by a Google Maglev belong to the internet network type. Packets are routed by a Maglev to a VM network interface when the packet destination matches one of the following:

• A regional external IPv4 address of a VM network interface, forwarding rule of an external passthrough Network Load Balancer, or forwarding rule for external protocol forwarding.
• A regional external IPv6 address of a VM network interface, forwarding rule of an external passthrough Network Load Balancer, or forwarding rule for external protocol forwarding, and the packet was not routed using a local subnet route or a subnet route that was imported by VPC Network Peering or from a VPC spoke on a Network Connectivity Center hub.

For more information about packets routed by Maglev to backend VMs for an external passthrough Network Load Balancer or external protocol forwarding, see Paths for external passthrough Network Load Balancers and external protocol forwarding.

Internet network type for egress packets

Most egress packets sent from VM network interfaces, routed by a static route whose next hop is the default internet gateway, belong to the internet network type. However, if the destination IP addresses of these egress packets are for global Google APIs and services, these packets belong to the non-internet network type. For more information about connectivity to global Google APIs and services, see Non-internet network type.

When the packets are routed using a static route whose next hop is the default internet gateway, any packets sent by the VM network interfaces to the following destinations belong to the internet network type:

• An external IP address destination outside of Google's network.
• A regional external IPv4 address destination of a VM network interface, forwarding rule of a regional external load balancer, or forwarding rule for external protocol forwarding.
• A regional external IPv6 address destination of a VM network interface, forwarding rule of a regional external load balancer, or forwarding rule for external protocol forwarding.
• A global external IPv4 and IPv6 address destination of a forwarding rule of a global external load balancer.

Packets sent by the VM network interfaces to Cloud VPN and Cloud NAT gateways belong to the internet network type:

• Egress packets sent from a network interface of a VM running Cloud VPN software to a Cloud VPN gateway's regional external IPv4 address belong to the internet network type.
• Egress packets sent from one Cloud VPN gateway to another Cloud VPN gateway don't belong to any network type because firewall rules don't apply to Cloud VPN gateways.
• For Public NAT, response packets sent from a VM network interface to a Cloud NAT gateway's regional external IPv4 address belong to the internet network type.

If VPC networks are connected using VPC Network Peering or if VPC networks participate as VPC spokes on the same Network Connectivity Center hub, IPv6 subnet routes can provide connectivity to regional external IPv6 address destinations of VM network interfaces, regional external load balancer forwarding rules, and external protocol forwarding rules. When the connectivity to those regional external IPv6 address destinations is provided using a subnet route, the destinations are in the non-internet network type instead.

Criteria for non-internet network type

This section describes the criteria that Cloud NGFW uses to determine whether a packet belongs to the non-internet network type.

Non-internet network type for ingress packets

Ingress packets belong to the non-internet network type if the packets are routed to the network interface of a VM instance or to an internal load balancer forwarding rule in one of the following ways:

• The packets are routed by using a subnet route, and the packet destinations match one of the following:
  • A regional internal IPv4 or IPv6 address destination of a VM network interface, forwarding rule of an internal load balancer, or forwarding rule for internal protocol forwarding.
  • A regional external IPv6 address destination of a VM network interface, forwarding rule of a regional external load balancer, or forwarding rule for external protocol forwarding.
• The packets are routed by using a static route to a next hop VM instance or next hop internal passthrough Network Load Balancer.
• The packets are routed by using a policy-based route to a next hop internal passthrough Network Load Balancer.
• The packets are routed by using one of the following special routing paths:
  • From a second-layer Google Front End used by a global external Application Load Balancer, classic Application Load Balancer, global external proxy Network Load Balancer, or classic proxy Network Load Balancer. For more information, see Paths between Google Front Ends and backends.
  • From a health check prober. For more information, see Paths for health checks.
  • From Identity-Aware Proxy for TCP forwarding. For more information, see Paths for Identity-Aware Proxy (IAP).
  • From Cloud DNS or Service Directory. For more information, see Paths for Cloud DNS and Service Directory.
  • From Serverless VPC Access. For more information, see Paths for Serverless VPC Access.
  • From a Private Service Connect endpoint for global Google APIs. For more information, see Paths for Private Service Connect endpoints for global Google APIs.

Ingress response packets from global Google APIs and services also belong to the non-internet network type. Response packets from global Google APIs and services can have any of the following sources:

• An IP address for the default domains used by global Google APIs and services.
• An IP address for private.googleapis.com or restricted.googleapis.com.
• A Private Service Connect endpoint for global Google APIs.

Non-internet network type for egress packets

Egress packets sent from VM network interfaces belong to the non-internet network type if the packets are routed in one of the following ways:

• The packets are routed by using a subnet route, and the packet destinations match one of the following:
  • A regional internal IPv4 or IPv6 address destination of a VM network interface, forwarding rule of an internal load balancer, or forwarding rule for internal protocol forwarding.
  • A regional external IPv6 address destination of a VM network interface, forwarding rule of a regional external load balancer, or forwarding rule for external protocol forwarding.
• The packets are routed by using dynamic routes.
• The packets are routed by using static routes that use a next hop that is not the default internet gateway.
• The packets are routed by using static routes that use the default internet gateway next hop and the packet destinations match one of the following:
  • An IP address for the default domains used by global Google APIs and services.
  • An IP address for private.googleapis.com or restricted.googleapis.com.
• The packets are routed by using a policy-based route to a next hop internal passthrough Network Load Balancer.
• The packets are routed by using one of the following special routing paths:
  • Paths between second-layer Google Front Ends and backends
  • Paths for health checks
  • Paths for Identity-Aware Proxy (IAP)
  • Paths for Cloud DNS and Service Directory
  • Paths for Serverless VPC Access
  • Paths for Private Service Connect endpoints for global Google APIs

Criteria for VPC networks type

This section describes the criteria that Cloud NGFW uses to determine whether a packet belongs to the VPC networks type.

A packet matches an ingress rule that uses the VPC networks type in its source combination if all of the following conditions are true:

• The packet matches at least one of the other source parameters.

• The packet is sent by a resource located in one of the source VPC networks.

• The source VPC network and the VPC network to which the firewall policy containing the ingress rule applies are the same VPC network, or are connected either by using VPC Network Peering or as VPC spokes on a Network Connectivity Center hub.

The following resources are located in a VPC network:

• VM network interfaces
• Cloud VPN tunnels
• Cloud Interconnect VLAN attachments
• Router appliances
• Envoy proxies in a proxy-only subnet
• Private Service Connect endpoints
• Serverless VPC Access connectors

Criteria for intra-VPC network type

This section describes the criteria that Cloud NGFW uses to determine whether a packet belongs to the intra-VPC network type.

A packet matches an ingress rule that uses the intra-VPC type in its source combination if all of the following conditions are true:

• The packet matches at least one of the other source parameters.

• The packet is sent by a resource located in the VPC network to which the firewall policy containing the ingress rule applies.

The following resources are located in a VPC network:

• VM network interfaces
• Cloud VPN tunnels
• Cloud Interconnect VLAN attachments
• Router appliances
• Envoy proxies in a proxy-only subnet
• Private Service Connect endpoints
• Serverless VPC Access connectors