VPC firewall rules logging overview

VPC firewall rules logging lets you audit, verify, and analyze the effects of your VPC firewall rules. For example, you can determine if a VPC firewall rule designed to deny traffic is functioning as intended. VPC firewall rules logging is also useful if you need to determine how many connections are affected by a given VPC firewall rule.

You enable VPC firewall rules logging individually for each VPC firewall rule whose connections you need to log. VPC firewall rules logging is an option for any VPC firewall rule, regardless of the action (allow or deny) or direction (ingress or egress) of the rule.

VPC firewall rules logging logs traffic to and from Compute Engine virtual machine (VM) instances. This includes Google Cloud products built on Compute Engine VMs, such as Google Kubernetes Engine (GKE) clusters and App Engine flexible environment instances.

When you enable logging for a VPC firewall rule, Google Cloud creates an entry called a connection record each time the rule allows or denies traffic. You can view these records in Cloud Logging, and you can export logs to any destination that Cloud Logging export supports.

Each connection record contains the source and destination IP addresses, the protocol and ports, date and time, and a reference to the VPC firewall rule that applied to the traffic.

For information about viewing logs, see Manage VPC firewall rules logging.

Specifications

VPC firewall rules logging has the following specifications:

  • Supported deployments: you can enable VPC firewall rules logging for VPC firewall rules and for rules within hierarchical, global network, regional network, and regional system firewall policies associated with a regular VPC network, and for rules within regional network firewall policies associated with a RoCE VPC network.

  • Unsupported rules: VPC firewall rules logging is not supported for rules in legacy networks, for the implied deny ingress and implied allow egress rules in a regular VPC network, or for the implied allow ingress and egress rules of a RoCE VPC network.

  • Protocol support: VPC firewall rules logging only records TCP and UDP connections. If you want to monitor other protocols, consider using Out-of-band integration.

  • Connection-based logging: VPC firewall rules log entries are created when a connection is established, not for every individual packet. A connection remains active as long as packets are exchanged at least once every 10 minutes; each new packet resets the idle timer. Therefore, a continuous stream of traffic generates only one log entry for its entire duration. If you need continuous visibility into active, long-lived streams without idle periods, use VPC Flow Logs.

  • Existing connections: if you enable logging on a rule that matches an already active TCP or UDP connection, a new log entry is not generated. The VPC firewall rule logs the connection only if it remains idle for at least 10 minutes and a new packet is subsequently sent.

  • Allow and deny behavior:

    • Allow + Logging: an allowed connection is logged only once, and the entry is not repeated even if the connection persists. Because VPC firewall rules are stateful, reply traffic is allowed automatically and is not logged.

    • Deny + Logging: the first dropped packet for a unique 5-tuple is logged as a failed attempt. As long as packets for that denied 5-tuple keep arriving, the entry is repeated every 5 seconds rather than for every packet.

  • Log generation perspective: log entries are created from the perspective of the VM instance, and only if a VPC firewall rule has logging enabled and the rule applies to traffic sent to or from that VM. Entries are created subject to the connection logging limits.

  • Rate limits: the number of connections logged per unit of time is determined by the VM's machine type for regular VPC networks, or by the monitoring or logging action of the rule for RoCE VPC networks. For more information, see Connection logging limits and Monitoring and logging.

  • Legacy scope: VPC firewall rules logging applies only to legacy VPC firewall rules operating within a regular VPC network.

  • Protocol limits: legacy VPC firewall rules logging supports setting the IP protocol field to ALL.

  • Audit logs: you can view configuration changes to the VPC firewall rule in VPC audit logs. For more information, see VPC audit logs.
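The behavior described above has a practical consequence when you analyze exported connection records: an allowed connection appears once, but a denied 5-tuple under sustained traffic produces one entry every 5 seconds, so a naive count of DENIED entries overstates the number of attempts. The script below is an added example, not code from this page or from Google Cloud. It reads a constructed newline-delimited JSON export and implements the two use cases from the overview: counting the connections affected by each rule (collapsing repeated deny entries for one 5-tuple into a single attempt) and checking whether traffic a deny rule is meant to block is being allowed by some other rule. The field names (jsonPayload.connection.*, disposition, rule_details.reference, rule_details.action) and the sample entries are assumptions of the example; check them against your own exported logs before relying on the parsing.

```python
"""Analyse exported VPC firewall rule connection records (JSON lines).

Added example. Field names and sample data are assumptions modelled on the
shape of firewall log entries; they are not taken from the page.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# From the page: a denied 5-tuple is re-logged every 5 seconds while packets keep arriving.
DENY_REPEAT_INTERVAL = timedelta(seconds=5)


def _entry(ts, disposition, src_ip, src_port, dest_ip, dest_port, protocol, rule, action):
    """Build one constructed log entry as a JSON line (assumed field layout)."""
    return json.dumps({
        "timestamp": ts,
        "jsonPayload": {
            "disposition": disposition,
            "connection": {"src_ip": src_ip, "src_port": src_port,
                           "dest_ip": dest_ip, "dest_port": dest_port, "protocol": protocol},
            "rule_details": {"reference": rule, "action": action},
        },
    })


HTTPS = "network:prod-vpc/firewall:allow-https"
SSH_DENY = "network:prod-vpc/firewall:deny-ssh"
INTERNAL = "network:prod-vpc/firewall:allow-internal"

# Constructed sample export: two allowed HTTPS connections, one SSH scanner whose
# single 5-tuple is re-logged every 5 s (three entries, one attempt), a second
# source port, the same 5-tuple again much later (a new attempt), and one SSH
# connection that a different rule allowed. Deliberately not in time order.
SAMPLE_EXPORT = "\n".join([
    _entry("2024-05-01T10:00:00Z", "ALLOWED", "10.0.0.5", 51234, "10.0.1.9", 443, 6, HTTPS, "ALLOW"),
    _entry("2024-05-01T10:00:07Z", "ALLOWED", "10.0.0.6", 51235, "10.0.1.9", 443, 6, HTTPS, "ALLOW"),
    _entry("2024-05-01T10:01:00Z", "DENIED", "203.0.113.7", 40000, "10.0.1.9", 22, 6, SSH_DENY, "DENY"),
    _entry("2024-05-01T10:01:05Z", "DENIED", "203.0.113.7", 40000, "10.0.1.9", 22, 6, SSH_DENY, "DENY"),
    _entry("2024-05-01T10:01:10Z", "DENIED", "203.0.113.7", 40000, "10.0.1.9", 22, 6, SSH_DENY, "DENY"),
    _entry("2024-05-01T10:02:00Z", "DENIED", "203.0.113.7", 40001, "10.0.1.9", 22, 6, SSH_DENY, "DENY"),
    _entry("2024-05-01T10:30:00Z", "DENIED", "203.0.113.7", 40000, "10.0.1.9", 22, 6, SSH_DENY, "DENY"),
    _entry("2024-05-01T10:05:00Z", "ALLOWED", "10.0.0.8", 52000, "10.0.1.9", 22, 6, INTERNAL, "ALLOW"),
])


def parse_export(text):
    """Parse JSON lines into (timestamp, jsonPayload) tuples sorted by time."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        ts = datetime.fromisoformat(record["timestamp"].replace("Z", "+00:00"))
        entries.append((ts, record["jsonPayload"]))
    entries.sort(key=lambda e: e[0])
    return entries


def five_tuple(payload):
    """Protocol, source IP/port, destination IP/port: the identity of a connection."""
    c = payload["connection"]
    return (c["protocol"], c["src_ip"], c["src_port"], c["dest_ip"], c["dest_port"])


def summarize_rules(entries, repeat_gap=2 * DENY_REPEAT_INTERVAL):
    """Per rule reference: allowed connections, raw denied entries, and distinct
    denied attempts. Denied entries for one 5-tuple that arrive within
    repeat_gap of the previous one are the 5-second repeats of a single attempt
    (the gap of two intervals is an assumption that tolerates jitter)."""
    summary = defaultdict(lambda: {"allowed": 0, "denied_entries": 0, "denied_attempts": 0})
    last_denied = {}  # (rule, 5-tuple) -> timestamp of its most recent entry
    for ts, payload in entries:
        rule = payload["rule_details"]["reference"]
        stats = summary[rule]
        if payload["disposition"] == "ALLOWED":
            stats["allowed"] += 1  # logged once per connection, never repeated
            continue
        stats["denied_entries"] += 1
        key = (rule, five_tuple(payload))
        prev = last_denied.get(key)
        if prev is None or ts - prev > repeat_gap:
            stats["denied_attempts"] += 1
        last_denied[key] = ts
    return dict(summary)


def allowed_to(entries, dest_port, protocol):
    """Rules that ALLOWED connections to a port a deny rule is supposed to block.
    A non-empty result means a higher-priority allow rule is winning."""
    return Counter(
        payload["rule_details"]["reference"]
        for _, payload in entries
        if payload["disposition"] == "ALLOWED"
        and payload["connection"]["dest_port"] == dest_port
        and payload["connection"]["protocol"] == protocol
    )


ENTRIES = parse_export(SAMPLE_EXPORT)

if __name__ == "__main__":
    for rule, stats in summarize_rules(ENTRIES).items():
        print(rule, stats)
    print("SSH allowed by:", dict(allowed_to(ENTRIES, 22, 6)))
```

On the constructed data the deny rule shows five DENIED entries but only three distinct attempts, and the port-22 check reports that allow-internal let one SSH connection through, which is the kind of finding that tells you the deny rule is not the effective rule for that traffic. When you point this at a real export, treat the field paths as the first thing to verify, and keep in mind that a long-lived allowed connection contributes a single entry no matter how much data it carries.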

Limitations

VPC firewall rules logging is a legacy format and doesn't support logging for advanced Cloud NGFW metadata fields such as the following:

  • source_region_code
  • destination_region_code
  • source_fqdn
  • destination_fqdn
  • source_threat_intelligence
  • destination_threat_intelligence
  • source_address_groups
  • destination_address_groups
  • source_secure_tag
  • target_secure_tag

What's next