Use regional network firewall policies and rules

This page assumes that you are familiar with the concepts described in the Regional network firewall policies.

Firewall policy tasks

This section describes how to create, associate, and manage regional network firewall policies.

Create a regional network firewall policy

When you create a regional network firewall policy using the Google Cloud console, you can associate the policy with a region and Virtual Private Cloud (VPC) network during creation. If you create the policy using the Google Cloud CLI, you must associate the policy with a region and network after you create the policy.

The VPC network with which the regional network firewall policy is associated must be in the same project as the regional network firewall policy.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your project within your organization.

  3. Click Create firewall policy.

  4. In the Policy name field, enter a policy name.

  5. For Deployment scope, select Regional. Select the region where you want to create this firewall policy.

  6. To create rules for your policy, click Continue.

  7. In the Add rules section, click Create firewall rule. For more information about creating firewall rules, see Create an ingress rule for VM targets and Create an egress rule for VM targets later on this page.

  8. If you want to associate the policy with a network, click Continue.

  9. In the Associate policy with networks section, click Associate.

    For more information, see Associate a policy with a network.

  10. Click Create.

gcloud

gcloud compute network-firewall-policies create \
    NETWORK_FIREWALL_POLICY_NAME \
    --description DESCRIPTION \
    --region=REGION_NAME

Replace the following:

  • NETWORK_FIREWALL_POLICY_NAME: a name for the policy
  • DESCRIPTION: a description for the policy
  • REGION_NAME: the region for the policy

Associate a policy with a network

You can associate a regional network firewall policy with a region of a VPC network and apply the rules in the policy to that network region.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your project that contains your policy.

  3. Click your policy.

  4. Click the Associations tab.

  5. Click Add association.

  6. Select the networks within the project.

  7. Click Associate.

gcloud

gcloud compute network-firewall-policies associations create \
    --firewall-policy POLICY_NAME \
    --firewall-policy-region=POLICY_REGION \
    --network NETWORK_NAME \
    --name ASSOCIATION_NAME

Replace the following:

  • POLICY_NAME: the short name or the system-generated name of the policy.
  • POLICY_REGION: the region of the policy.
  • NETWORK_NAME: the name of the associated network.
  • ASSOCIATION_NAME: an optional name for the association. If unspecified, the name is set to network-NETWORK_NAME.

Delete an association

To stop enforcement of a firewall policy on a network, delete the association.

However, if you intend to swap one firewall policy for another, don't delete the existing association first: doing so leaves a window during which neither policy is enforced on the network. Instead, replace the existing association when you associate the new policy (in gcloud, pass the --replace-association-on-target flag to the associations create command).

To delete an association between a regional network firewall policy and a region of a VPC network, follow the steps mentioned in this section. Rules in the regional network firewall policy don't apply to new connections after its association is deleted.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your project that contains the policy.

  3. Click your policy.

  4. Click the Associations tab.

  5. Select the association that you want to delete.

  6. Click Remove association.

gcloud

gcloud compute network-firewall-policies associations delete \
    --name ASSOCIATION_NAME \
    --firewall-policy POLICY_NAME \
    --firewall-policy-region=POLICY_REGION

Describe a regional network firewall policy

You can view details about a regional network firewall policy, including the policy rules and associated rule attributes. All these rule attributes are counted as part of the rule attribute quota. For more information, see "Rule attributes per regional network firewall policy" in the Per firewall policy table. In addition, you can view the priorities of the existing VPC network associations.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your project that contains the regional network firewall policy.

  3. Click your policy.

gcloud

gcloud compute network-firewall-policies describe POLICY_NAME \
    --region=REGION_NAME

Update a regional network firewall policy description

The only policy field that can be updated is the Description field.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your project that contains the regional network firewall policy.

  3. Click your policy.

  4. Click Edit.

  5. In the Description field, modify the description.

  6. Click Save.

gcloud

gcloud compute network-firewall-policies update POLICY_NAME \
    --description DESCRIPTION \
    --region=REGION_NAME

List regional network firewall policies

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your project that contains the policy.

    The Network firewall policies section shows the policies available in your project.

gcloud

gcloud compute network-firewall-policies list \
    --regions=LIST_OF_REGIONS

Delete a regional network firewall policy

Before you can delete a regional network firewall policy, you must delete all of its associations.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your project that contains the policy.

  3. Click the policy that you want to delete.

  4. Click the Associations tab.

  5. Select all associations.

  6. Click Remove association.

  7. After all associations are removed, click Delete.

gcloud

Use the following command to delete the policy:

gcloud compute network-firewall-policies delete POLICY_NAME \
    --region=REGION_NAME

Firewall policy rule tasks

This section describes how to create and manage regional network firewall policy rules.

Create an ingress rule for VM targets

This section describes how to create an ingress rule that applies to network interfaces of Compute Engine instances.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector list, select a project that contains a regional network firewall policy.

  3. In the Network firewall policies section, click the name of a regional network firewall policy in which you want to create a rule.

  4. In the Firewall rules section, click Create firewall rule and specify the following configuration parameters:

    1. Priority: the numeric evaluation order of the rule.

      The rules are evaluated from highest to lowest priority where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than just a difference of one (for example, 100, 200, 300) so that you can create new rules between the existing rules later.

    2. Description: provide an optional description.

    3. Direction of traffic: select Ingress.

    4. Action on match: select one of the following:

      • Allow: to permit connections that match the rule parameters.
      • Deny: to block connections that match the rule parameters.
      • Go to next: to continue the firewall rule evaluation process.

    5. Logs: select On to enable firewall rules logging or Off to disable firewall rules logging for this rule.

    6. Target: select one of the following:

      • Apply to all: Cloud NGFW uses the broadest instance targets.
      • Service accounts: narrows the broadest instance targets to the network interfaces of VM instances that use the service account you specify:

        • In the Service account scope section, select In this project > Target service account to specify a service account in the same project as the regional network firewall policy.
        • In the Service account scope section, select In another project > Target service account to specify a service account in a Shared VPC service project.
      • Secure tags: narrows the broadest instance targets to the network interfaces of VM instances that are bound to at least one of the secure tag values that you specify. Click Select scope for tags and select the organization or project that contains the tag values to match. To add more tag values, click Add tag.

    7. Source network type: specify a network type:

      • To skip filtering inbound traffic by network type, select All network types.
      • To filter inbound traffic to a specific network type, select Specific network type, and then select a network type.

    8. Source filters: specify additional source parameters. Some source parameters can't be used together, and your choice of source network type limits which source parameters you can use. For more information, see Sources for ingress rules and Ingress rule source combinations.

      • To filter inbound traffic by source IPv4 ranges, select IPv4, and then enter the CIDR blocks in the IP ranges field. Use 0.0.0.0/0 for any IPv4 source.
      • To filter inbound traffic by source IPv6 ranges, select IPv6, and then enter the CIDR blocks into the IPv6 ranges field. Use ::/0 for any IPv6 source.
      • To filter inbound traffic by source secure tag values, select Select scope for tags in the Secure tags section. Then, provide tag keys and tag values. To add more tag values, click Add tag.
      • To filter inbound traffic by source FQDN, enter FQDNs in the FQDNs field. For more information, see FQDN objects.
      • To filter inbound traffic by source geolocation, select one or more locations from the Geolocations field. For more information, see Geolocation objects.
      • To filter inbound traffic by source address group, select one or more address groups from the Address groups field. For more information, see Address groups for firewall policies.
      • To filter inbound traffic by source Google Threat Intelligence lists, select one or more Google Threat Intelligence lists from the Google Cloud Threat Intelligence field. For more information, see Google Threat Intelligence for firewall policy rules.

    9. Destination: specify optional destination parameters. For more information, see Destinations for ingress rules.

      • To skip filtering inbound traffic by destination IP address, select None.
      • To filter inbound traffic by destination IP address, select IPv4 or IPv6 and then enter one or more CIDRs using the same format used for source IPv4 ranges or source IPv6 ranges.

    10. Protocols and ports: specify the protocols and destination ports for traffic to match the rule. For more information, see Protocols and ports.

    11. Enforcement: specify whether the firewall rule is enforced or not:

      • Enabled: creates the rule and begins enforcing the rule on new connections.
      • Disabled: creates the rule but doesn't enforce the rule on new connections.
  5. Click Create.

gcloud

gcloud compute network-firewall-policies rules create PRIORITY \
    --firewall-policy=POLICY_NAME \
    --project=PROJECT_ID \
    --firewall-policy-region=POLICY_REGION \
    --description=DESCRIPTION \
    --direction=INGRESS \
    --action=ACTION \
    [--enable-logging | --no-enable-logging] \
    [--disabled | --no-disabled] \
    [--target-secure-tags=TARGET_SECURE_TAGS] \
    [--target-service-accounts=TARGET_SERVICE_ACCOUNTS] \
    [--layer4-configs=LAYER_4_CONFIGS] \
    [--src-network-type=SRC_NETWORK_TYPE] \
    [--src-networks=SRC_VPC_NETWORKS] \
    [--src-ip-ranges=SRC_IP_RANGES] \
    [--src-address-groups=SRC_ADDRESS_GROUPS] \
    [--src-fqdns=SRC_DOMAIN_NAMES] \
    [--src-secure-tags=SRC_SECURE_TAGS] \
    [--src-region-codes=SRC_COUNTRY_CODES] \
    [--src-threat-intelligence=SRC_THREAT_LIST_NAMES] \
    [--dest-ip-ranges=DEST_IP_RANGES]

Replace the following:

  • PRIORITY: the numeric evaluation order of the rule within the policy. The rules are evaluated from highest to lowest priority, where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than just a difference of one (for example, 100, 200, 300) so that you can create new rules between the existing rules later.
  • POLICY_NAME: the name of the regional network firewall policy in which you want to create the rule.
  • PROJECT_ID: the project ID that contains the regional network firewall policy.
  • POLICY_REGION: the region of the policy.
  • DESCRIPTION: an optional description for the new rule.
  • ACTION: specify one of the following actions:

    • allow: permits connections that match the rule parameters.
    • deny: blocks connections that match the rule parameters.
    • goto_next: continues the firewall rule evaluation process with the next rule.
  • The --enable-logging and --no-enable-logging flags enable or disable Firewall Rules Logging.
  • The --disabled and --no-disabled flags control whether the rule is disabled (not enforced) or enabled (enforced).
  • Specify a target:

    • If you omit both the --target-secure-tags and --target-service-accounts flags, Cloud NGFW uses the broadest instance targets.
    • TARGET_SECURE_TAGS: a comma-separated list of secure tag values that narrows the broadest instance targets to the network interfaces of VM instances that are bound to at least one of the secure tag values.
    • TARGET_SERVICE_ACCOUNTS: a comma-separated list of service accounts that narrows the broadest instance targets to the network interfaces of VM instances that use one of the service accounts.
  • LAYER_4_CONFIGS: a comma-separated list of Layer 4 configs. Each Layer 4 config can be one of the following:
    • An IP protocol name (tcp) or IANA IP protocol number (17) without any destination port.
    • An IP protocol name and destination port separated by a colon (tcp:80).
    • An IP protocol name and destination port range separated by a colon using a dash to separate the beginning and ending destination ports (tcp:5000-6000). For more information, see Protocols and ports.
  • Specify a source for the ingress rule. For more information, see Ingress rule source combinations.

    • SRC_NETWORK_TYPE: a source network type, used together with another supported source parameter to produce a source combination. Valid values when --target-type=INSTANCES (the default) are INTERNET, NON_INTERNET, VPC_NETWORKS, or INTRA_VPC. For more information, see Network types.
    • SRC_VPC_NETWORKS: a comma-separated list of VPC networks specified by their URL identifiers. Specify this flag only when the --src-network-type is VPC_NETWORKS.
    • SRC_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
    • SRC_ADDRESS_GROUPS: a comma-separated list of address groups specified by their unique URL identifiers. Address groups in the list must contain all IPv4 addresses or all IPv6 addresses, not a combination of both.
    • SRC_DOMAIN_NAMES: a comma-separated list of FQDN objects specified in the domain name format.
    • SRC_SECURE_TAGS: a comma-separated list of Tags. You cannot use the --src-secure-tags flag if the --src-network-type is INTERNET.
    • SRC_COUNTRY_CODES: a comma-separated list of two-letter country codes. For more information, see Geolocation objects. You cannot use the --src-region-codes flag if the --src-network-type is NON_INTERNET, VPC_NETWORKS, or INTRA_VPC.
    • SRC_THREAT_LIST_NAMES: a comma-separated list of names of Google Threat Intelligence lists. For more information, see Google Threat Intelligence for firewall policy rules. You cannot use the --src-threat-intelligence flag if the --src-network-type is NON_INTERNET, VPC_NETWORKS, or INTRA_VPC.
  • Optionally, specify a destination for the ingress rule:

    • DEST_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.

Create an ingress rule for internal load balancer targets

To restrict access to one or more internal Application Load Balancer or internal proxy Network Load Balancer forwarding rules, create at least two ingress rules with --target-type=INTERNAL_MANAGED_LB. This is necessary because the implied action for internal Application Load Balancer and internal proxy Network Load Balancer targets allows ingress. The rules needed to restrict access are:

  • A deny rule at a lower priority (a larger priority number) with --src-ip-ranges=0.0.0.0/0.
  • An allow rule at a higher priority (a smaller priority number) with the source parameters that you specify, so that only those sources are admitted before evaluation reaches the deny rule.
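To see why the lower-priority deny rule matters, the following Python is an added example and is not Google's evaluation engine or code from this page. It models only what the text states: rules in a policy are evaluated from the lowest priority number upward, disabled rules are skipped, goto_next continues to the next rule, and when no rule matches an implied action applies, which for internal load balancer targets is allow. The Rule and Conn classes, the address ranges and the ports are constructed for the demo.

```python
"""Simulates how rules in one firewall policy are evaluated for a connection.

Added example, not Google's evaluation engine. Lowest priority number first,
disabled rules skipped, goto_next falls through, and a configurable implied
action applies when nothing matches. All addresses and ports are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    priority: int
    action: str                                          # allow | deny | goto_next
    src_ip_ranges: list = field(default_factory=list)    # empty = any source
    layer4_configs: list = field(default_factory=list)   # empty = any protocol/port
    disabled: bool = False


@dataclass
class Conn:
    src_ip: str
    protocol: str
    dest_port: int


def _l4_matches(cfg, conn):
    """Match "tcp", "tcp:443" or "tcp:5000-6000" against the connection."""
    proto, _, ports = cfg.partition(":")
    if proto != conn.protocol:
        return False
    if not ports:
        return True
    low, _, high = ports.partition("-")
    return int(low) <= conn.dest_port <= int(high or low)


def matches(rule, conn):
    src = ipaddress.ip_address(conn.src_ip)
    # An IPv4 address is never inside an IPv6 network (and vice versa), so 0.0.0.0/0
    # does not catch IPv6 clients; that needs its own ::/0 rule.
    src_ok = not rule.src_ip_ranges or any(
        src in ipaddress.ip_network(r, strict=False) for r in rule.src_ip_ranges)
    l4_ok = not rule.layer4_configs or any(_l4_matches(c, conn) for c in rule.layer4_configs)
    return src_ok and l4_ok


def evaluate(rules, conn, implied_action):
    """Return (action, priority of the deciding rule), or (implied_action, None)."""
    seen = set()
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.priority in seen:
            raise ValueError(f"duplicate priority {rule.priority}")
        seen.add(rule.priority)
        if rule.disabled or not matches(rule, conn):
            continue
        if rule.action == "goto_next":  # matched, but defer to the next rule
            continue
        return rule.action, rule.priority
    return implied_action, None


def demo_internal_lb():
    """Why the page asks for two rules on internal load balancer targets."""
    allow_admins = Rule(100, "allow", ["10.10.0.0/16"], ["tcp:443"])   # constructed
    deny_everyone = Rule(1000, "deny", ["0.0.0.0/0"])
    admin = Conn("10.10.5.7", "tcp", 443)
    stranger = Conn("10.99.0.1", "tcp", 443)
    with_deny = [evaluate([allow_admins, deny_everyone], c, "allow")[0] for c in (admin, stranger)]
    only_allow = [evaluate([allow_admins], c, "allow")[0] for c in (admin, stranger)]
    return with_deny, only_allow


if __name__ == "__main__":
    print(demo_internal_lb())  # (['allow', 'deny'], ['allow', 'allow'])
```

With only the allow rule, the stranger is admitted by the implied allow; adding the deny rule at priority 1000 closes that gap while the admin range still matches first at priority 100.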

This section describes how to create an ingress rule for internal Application Load Balancers and internal proxy Network Load Balancer targets.

gcloud

gcloud beta compute network-firewall-policies rules create PRIORITY \
    --firewall-policy=POLICY_NAME \
    --project=PROJECT_ID \
    --firewall-policy-region=POLICY_REGION \
    --description=DESCRIPTION \
    --direction=INGRESS \
    --action=ACTION \
    [--enable-logging | --no-enable-logging] \
    [--disabled | --no-disabled] \
    --target-type=INTERNAL_MANAGED_LB \
    [--target-forwarding-rules=TARGET_FORWARDING_RULES] \
    [--layer4-configs=LAYER_4_CONFIGS] \
    [--src-network-type=SRC_NETWORK_TYPE] \
    [--src-networks=SRC_VPC_NETWORKS] \
    [--src-ip-ranges=SRC_IP_RANGES] \
    [--src-address-groups=SRC_ADDRESS_GROUPS] \
    [--src-fqdns=SRC_DOMAIN_NAMES] \
    [--dest-ip-ranges=DEST_IP_RANGES]

Replace the following:

  • PRIORITY: the numeric evaluation order of the rule within the policy. The rules are evaluated from highest to lowest priority, where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than just a difference of one (for example, 100, 200, 300) so that you can create new rules between the existing rules later.
  • POLICY_NAME: the name of the regional network firewall policy in which you want to create the rule.
  • PROJECT_ID: the project ID that contains the regional network firewall policy.
  • POLICY_REGION: the region of the policy.
  • DESCRIPTION: an optional description for the new rule.
  • ACTION: specify one of the following actions:

    • allow: permits connections that match the rule parameters.
    • deny: blocks connections that match the rule parameters.
    • goto_next: continues the firewall rule evaluation process with the next rule.
  • The --enable-logging and --no-enable-logging flags enable or disable Firewall Rules Logging.
  • The --disabled and --no-disabled flags control whether the rule is disabled (not enforced) or enabled (enforced).
  • Specify a target:

    • If you omit the --target-forwarding-rules flag, Cloud NGFW uses the broadest load balancer targets.
    • TARGET_FORWARDING_RULES: a single forwarding rule for an internal Application Load Balancer or internal proxy Network Load Balancer specified in the target forwarding rules format. This parameter narrows the broadest load balancer targets to a specific internal Application Load Balancer or internal proxy Network Load Balancer.
  • LAYER_4_CONFIGS: a comma-separated list of Layer 4 configs. Each Layer 4 config can be one of the following:
    • An IP protocol name (tcp) or IANA IP protocol number (17) without any destination port.
    • An IP protocol name and destination port separated by a colon (tcp:80).
    • An IP protocol name and destination port range separated by a colon using a dash to separate the beginning and ending destination ports (tcp:5000-6000). For more information, see Protocols and ports.
  • Specify a source for the ingress rule. For more information, see Ingress rule source combinations.

    • SRC_NETWORK_TYPE: a source network type, used together with another supported source parameter to produce a source combination. Valid values when --target-type=INTERNAL_MANAGED_LB are VPC_NETWORKS or INTRA_VPC. For more information, see Network types.
    • SRC_VPC_NETWORKS: a comma-separated list of VPC networks specified by their URL identifiers. Specify this flag only when the --src-network-type is VPC_NETWORKS.
    • SRC_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
    • SRC_ADDRESS_GROUPS: a comma-separated list of address groups specified by their unique URL identifiers. Address groups in the list must contain all IPv4 addresses or all IPv6 addresses, not a combination of both.
    • SRC_DOMAIN_NAMES: a comma-separated list of FQDN objects specified in the domain name format.
  • Optionally, specify a destination for the ingress rule:

    • DEST_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.

Create an egress rule for VM targets

The following directions show how to create an egress rule. Egress rules only apply to targets that are network interfaces of Compute Engine instances.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector list, select a project that contains a regional network firewall policy.

  3. In the Network firewall policies section, click the name of a regional network firewall policy in which you want to create a rule.

  4. In the Firewall rules section, click Create firewall rule and specify the following configuration parameters:

    1. Priority: the numeric evaluation order of the rule.

      The rules are evaluated from highest to lowest priority where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than just a difference of one (for example, 100, 200, 300) so that you can create new rules between the existing rules later.

    2. Description: provide an optional description.

    3. Direction of traffic: select Egress.

    4. Action on match: select one of the following:

      • Allow: to permit connections that match the rule parameters.
      • Deny: to block connections that match the rule parameters.
      • Go to next: to continue the firewall rule evaluation process.

    5. Logs: select On to enable firewall rules logging or Off to disable firewall rules logging for this rule.

    6. Target: select one of the following:

      • Apply to all: Cloud NGFW uses the broadest instance targets.
      • Service accounts: narrows the broadest instance targets to the network interfaces of VM instances that use the service account you specify:

        • In the Service account scope section, select In this project > Target service account to specify a service account in the same project as the regional network firewall policy.
        • In the Service account scope section, select In another project > Target service account to specify a service account in a Shared VPC service project.
      • Secure tags: narrows the broadest instance targets to the network interfaces of VM instances that are bound to at least one of the secure tag values that you specify. Click Select scope for tags and select the organization or project that contains the tag values to match. To add more tag values, click Add tag.

    7. Destination network type: specify a network type.

    8. Destination filters: specify additional destination parameters. Some destination parameters can't be used together, and your choice of destination network type limits which destination filters you can use. For more information, see Destinations for egress rules and Egress rule destination combinations.

      • To filter outgoing traffic by destination IPv4 ranges, select IPv4, and then enter the CIDR blocks in the IP ranges field. Use 0.0.0.0/0 for any IPv4 destination.
      • To filter outgoing traffic by destination IPv6 ranges, select IPv6, and then enter the CIDR blocks into the IPv6 ranges field. Use ::/0 for any IPv6 destination.
      • To filter outgoing traffic by destination FQDN, enter FQDNs in the FQDNs field. For more information, see FQDN objects.
      • To filter outgoing traffic by destination geolocation, select one or more locations from the Geolocations field. For more information, see Geolocation objects.
      • To filter outgoing traffic by destination address group, select one or more address groups from the Address groups field. For more information, see Address groups for firewall policies.
      • To filter outgoing traffic by destination Google Threat Intelligence lists, select one or more Google Threat Intelligence lists from the Google Cloud Threat Intelligence field. For more information, see Google Threat Intelligence for firewall policy rules.

    9. Source: specify optional source parameters. For more information, see Sources for egress rules.

      • To skip filtering outgoing traffic by source IP address, select None.
      • To filter outgoing traffic by source IP address, select IPv4 or IPv6 and then enter one or more CIDRs using the same format used for destination IPv4 ranges or destination IPv6 ranges.

    10. Protocols and ports: specify the protocols and destination ports for traffic to match the rule. For more information, see Protocols and ports.

    11. Enforcement: specify whether the firewall rule is enforced or not:

      • Enabled: creates the rule and begins enforcing the rule on new connections.
      • Disabled: creates the rule but doesn't enforce the rule on new connections.
  5. Click Create.

gcloud

gcloud compute network-firewall-policies rules create PRIORITY \
    --firewall-policy=POLICY_NAME \
    --project=PROJECT_ID \
    --firewall-policy-region=POLICY_REGION \
    --description=DESCRIPTION \
    --direction=EGRESS \
    --action=ACTION \
    [--enable-logging | --no-enable-logging] \
    [--disabled | --no-disabled] \
    [--target-secure-tags=TARGET_SECURE_TAGS] \
    [--target-service-accounts=TARGET_SERVICE_ACCOUNTS] \
    [--layer4-configs=LAYER_4_CONFIGS] \
    [--dest-network-type=DEST_NETWORK_TYPE] \
    [--dest-ip-ranges=DEST_IP_RANGES] \
    [--dest-address-groups=DEST_ADDRESS_GROUPS] \
    [--dest-fqdns=DEST_DOMAIN_NAMES] \
    [--dest-region-codes=DEST_COUNTRY_CODES] \
    [--dest-threat-intelligence=DEST_THREAT_LIST_NAMES] \
    [--src-ip-ranges=SRC_IP_RANGES]

Replace the following:

  • PRIORITY: the numeric evaluation order of the rule within the policy. The rules are evaluated from highest to lowest priority, where 0 is the highest priority. Priorities must be unique for each rule. We recommend that you separate rule priority values by more than just a difference of one (for example, 100, 200, 300) so that you can create new rules between the existing rules later.
  • POLICY_NAME: the name of the regional network firewall policy in which you want to create the rule.
  • PROJECT_ID: the project ID that contains the regional network firewall policy.
  • POLICY_REGION: the region of the policy.
  • DESCRIPTION: an optional description for the new rule.
  • ACTION: specify one of the following actions:

    • allow: permits connections that match the rule parameters.
    • deny: blocks connections that match the rule parameters.
    • goto_next: continues the firewall rule evaluation process with the next rule.
  • The --enable-logging and --no-enable-logging flags enable or disable Firewall Rules Logging.
  • The --disabled and --no-disabled flags control whether the rule is disabled (not enforced) or enabled (enforced).
  • Specify a target:

    • If you omit both the --target-secure-tags and --target-service-accounts flags, Cloud NGFW uses the broadest instance targets.
    • TARGET_SECURE_TAGS: a comma-separated list of secure tag values that narrows the broadest instance targets to the network interfaces of VM instances that are bound to at least one of the secure tag values.
    • TARGET_SERVICE_ACCOUNTS: a comma-separated list of service accounts that narrows the broadest instance targets to the network interfaces of VM instances that use one of the service accounts.
  • LAYER_4_CONFIGS: a comma-separated list of Layer 4 configs. Each Layer 4 config can be one of the following:
    • An IP protocol name (tcp) or IANA IP protocol number (17) without any destination port.
    • An IP protocol name and destination port separated by a colon (tcp:80).
    • An IP protocol name and destination port range separated by a colon using a dash to separate the beginning and ending destination ports (tcp:5000-6000). For more information, see Protocols and ports.
  • Specify a destination for the egress rule. For more information, see Egress rule destination combinations.

    • DEST_NETWORK_TYPE: a destination network type, used together with another supported destination parameter to produce a destination combination. Valid values are INTERNET and NON_INTERNET. For more information, see Network types.
    • DEST_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
    • DEST_ADDRESS_GROUPS: a comma-separated list of address groups specified by their unique URL identifiers.
    • DEST_DOMAIN_NAMES: a comma-separated list of FQDN objects specified in the domain name format.
    • DEST_COUNTRY_CODES: a comma-separated list of two-letter country codes. For more information, see Geolocation objects.
    • DEST_THREAT_LIST_NAMES: a comma-separated list of names of Google Threat Intelligence lists. For more information, see Google Threat Intelligence for firewall policy rules.
  • Optionally, specify a source for the egress rule:

    • SRC_IP_RANGES: a comma-separated list of IP address ranges in CIDR format. Ranges in the list must all be either IPv4 CIDRs or IPv6 CIDRs, not a combination of both.
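The constraints listed above for ingress rules with VM targets, ingress rules with internal load balancer targets, and egress rules are easy to get wrong by hand, and gcloud only reports some of them after the API call. The following Python is an added example, not Google's code or tooling: it checks a rule description against those constraints (unique priority, the three actions, layer-4 config syntax, a single IP family per list, the network types valid for each target type, and the source parameters that cannot be combined with a given network type) and only then assembles the gcloud argv. The Rule class, the policy, project and region values, and the sample rules are constructed for this example; the script builds the command but does not run it.

```python
"""Pre-flight check for regional network firewall policy rules (added example, not
Google's code): apply the constraints this page states for ingress VM targets, ingress
internal load balancer targets and egress rules, then build the gcloud argv."""
import ipaddress
import re
from dataclasses import dataclass, field

ACTIONS = {"allow", "deny", "goto_next"}
INSTANCE_SRC_TYPES = {"INTERNET", "NON_INTERNET", "VPC_NETWORKS", "INTRA_VPC"}
LB_SRC_TYPES = {"VPC_NETWORKS", "INTRA_VPC"}
EGRESS_DEST_TYPES = {"INTERNET", "NON_INTERNET"}
L4_RE = re.compile(r"^(?:[a-z]+|\d{1,3})(?::\d{1,5}(?:-\d{1,5})?)?$")  # tcp, 17, tcp:80, tcp:5000-6000


@dataclass
class Rule:
    priority: int
    direction: str                  # INGRESS | EGRESS
    action: str                     # allow | deny | goto_next
    target_type: str = "INSTANCES"  # or INTERNAL_MANAGED_LB (ingress only)
    src_network_type: str = ""
    dest_network_type: str = ""
    layer4_configs: list = field(default_factory=list)
    src_ip_ranges: list = field(default_factory=list)
    dest_ip_ranges: list = field(default_factory=list)
    src_secure_tags: list = field(default_factory=list)
    src_region_codes: list = field(default_factory=list)
    src_threat_intelligence: list = field(default_factory=list)
    target_forwarding_rules: list = field(default_factory=list)


def validate(rule, existing_priorities=()):
    """Return a list of problems; an empty list means the rule is consistent."""
    errs = []
    if rule.priority < 0 or rule.priority in existing_priorities:
        errs.append("priority must be >= 0 and unique within the policy")
    if rule.action not in ACTIONS:
        errs.append(f"action must be one of {sorted(ACTIONS)}")
    errs += [f"bad layer4 config {c!r}" for c in rule.layer4_configs if not L4_RE.match(c)]
    for name, ranges in (("src", rule.src_ip_ranges), ("dest", rule.dest_ip_ranges)):
        try:  # every entry must parse as a CIDR, and one list cannot mix IPv4 and IPv6
            if len({ipaddress.ip_network(r, strict=False).version for r in ranges}) > 1:
                errs.append(f"{name} IP ranges mix IPv4 and IPv6")
        except ValueError as exc:
            errs.append(f"{name} IP ranges: {exc}")
    t = rule.src_network_type
    if rule.direction == "INGRESS":
        if rule.target_type == "INSTANCES":
            if t and t not in INSTANCE_SRC_TYPES:
                errs.append(f"source network type {t!r} is not valid for VM targets")
            if rule.src_secure_tags and t == "INTERNET":
                errs.append("--src-secure-tags cannot be combined with INTERNET")
            if (rule.src_region_codes or rule.src_threat_intelligence) and t in INSTANCE_SRC_TYPES - {"INTERNET"}:
                errs.append("geolocation and threat-intelligence sources cannot be combined with " + t)
        elif rule.target_type == "INTERNAL_MANAGED_LB":
            if t and t not in LB_SRC_TYPES:
                errs.append(f"source network type {t!r} is not valid for load balancer targets")
            if rule.src_secure_tags or rule.src_region_codes or rule.src_threat_intelligence:
                errs.append("tag, geolocation and threat-intelligence sources are not available for load balancer targets")
            if len(rule.target_forwarding_rules) > 1:
                errs.append("--target-forwarding-rules takes a single forwarding rule")
        else:
            errs.append(f"unknown target type {rule.target_type!r}")
    elif rule.direction == "EGRESS":
        if rule.target_type != "INSTANCES" or t:
            errs.append("egress rules apply only to VM targets and take --dest-network-type")
        if rule.dest_network_type and rule.dest_network_type not in EGRESS_DEST_TYPES:
            errs.append("destination network type must be INTERNET or NON_INTERNET")
    else:
        errs.append("direction must be INGRESS or EGRESS")
    return errs


def to_gcloud(rule, policy, project, region, existing_priorities=()):
    """Validate, then return the `rules create` argv (built here, not executed)."""
    errs = validate(rule, existing_priorities)
    if errs:
        raise ValueError("; ".join(errs))
    argv = ["gcloud", "compute", "network-firewall-policies", "rules", "create", str(rule.priority),
            f"--firewall-policy={policy}", f"--project={project}", f"--firewall-policy-region={region}",
            f"--direction={rule.direction}", f"--action={rule.action}"]
    if rule.target_type == "INTERNAL_MANAGED_LB":
        argv.insert(1, "beta")  # this page documents the LB target type under gcloud beta
        argv.append("--target-type=INTERNAL_MANAGED_LB")
    argv += [f"{flag}={val}" for flag, val in (("--src-network-type", rule.src_network_type),
                                               ("--dest-network-type", rule.dest_network_type)) if val]
    lists = (("--target-forwarding-rules", rule.target_forwarding_rules),
             ("--layer4-configs", rule.layer4_configs),
             ("--src-ip-ranges", rule.src_ip_ranges),
             ("--src-secure-tags", rule.src_secure_tags),
             ("--src-region-codes", rule.src_region_codes),
             ("--src-threat-intelligence", rule.src_threat_intelligence),
             ("--dest-ip-ranges", rule.dest_ip_ranges))
    argv += [f"{flag}={','.join(vals)}" for flag, vals in lists if vals]
    return argv
```

Pass the priorities already present in the policy (from rules list or describe) as existing_priorities so a collision is caught before the create call; the address-group and FQDN flags from the commands above are omitted here and can be added to the lists tuple in the same way.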

Update a rule

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your project that contains the regional network firewall policy.

  3. Click the name of the regional network firewall policy that contains the rule to update.

  4. Click the priority of the rule.

  5. Click Edit.

  6. Modify the firewall rule fields that you want to change. For descriptions of each field, see Create an ingress rule for VM targets or Create an egress rule for VM targets.

  7. Click Save.

gcloud

gcloud compute network-firewall-policies rules update PRIORITY \
    --firewall-policy=POLICY_NAME \
    --firewall-policy-region=POLICY_REGION \
    [...other flags that you want to modify...]

Replace the following:

  • PRIORITY: the priority number that uniquely identifies the rule.
  • POLICY_NAME: the name of the policy that contains the rule.
  • POLICY_REGION: the region of the policy that contains the rule.

Supply the flags that you want to modify. For flag descriptions, see Create an ingress rule for VM targets, Create an ingress rule for internal load balancer targets, or Create an egress rule for VM targets.

Describe a rule

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your project that contains the policy.

  3. Click your policy.

  4. Click the priority of the rule.

gcloud

gcloud compute network-firewall-policies rules describe PRIORITY \
    --firewall-policy=POLICY_NAME \
    --firewall-policy-region=POLICY_REGION

Replace the following:

  • PRIORITY: the priority number that uniquely identifies the rule.
  • POLICY_NAME: the name of the policy that contains the rule.
  • POLICY_REGION: the region of the policy that contains the rule.

Delete a rule

Deleting a rule from a policy causes the rule to no longer apply to new connections to or from the rule's target.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your project that contains the policy.

  3. Click your policy.

  4. Select the rule that you want to delete.

  5. Click Delete.

gcloud

gcloud compute network-firewall-policies rules delete PRIORITY \
    --firewall-policy=POLICY_NAME \
    --firewall-policy-region=POLICY_REGION

Replace the following:

  • PRIORITY: the priority number that uniquely identifies the rule.
  • POLICY_NAME: the name of the policy that contains the rule.
  • POLICY_REGION: the region of the policy that contains the rule.

Clone rules from one policy to another

Cloning copies the rules from a source policy to a target policy, replacing all existing rules in the target policy.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

  2. In the project selector menu, select your project that contains the policy.

  3. Click the policy that you want to copy rules from.

  4. Click Clone at the top of the screen.

  5. Provide the name of a target policy.

  6. If you want to associate the new policy immediately, click Continue > Associate.

  7. In the Associate policy with VPC networks page, select the networks and click Associate.

  8. Click Continue.

  9. Click Clone.

gcloud

gcloud compute network-firewall-policies clone-rules TARGET_POLICY \
    --region=TARGET_POLICY_REGION \
    --source-firewall-policy=SOURCE_POLICY

Replace the following:

  • TARGET_POLICY: the name of the target policy.
  • TARGET_POLICY_REGION: the region of the target policy.
  • SOURCE_POLICY: the URL of the source policy.

Get effective firewall rules for a region of a network

You can view all hierarchical firewall policy rules, VPC firewall rules, global network firewall policy rules, and regional network firewall policy rules that apply to a specific region of a VPC network.

gcloud

gcloud compute network-firewall-policies get-effective-firewalls \
    --region=REGION_NAME \
    --network=NETWORK_NAME

Replace the following:

  • REGION_NAME: the region for which you want to view the effective rules.
  • NETWORK_NAME: the network for which you want to view the effective rules.