This page describes the VPC firewall rules logging structure in Cloud Logging. When a Virtual Private Cloud (VPC) rule with logging enabled applies to traffic to or from a virtual machine (VM) instance, Cloud Logging creates a log entry. Log records appear in the JSON payload field of a Logging LogEntry.
Firewall log records consist of base fields, which are the core fields of every log record, and optional metadata fields. To reduce storage costs, you can exclude the metadata fields.
Some log fields can contain other fields as values. For example, the
connection field uses the IpConnection format, which includes the source and
destination IP address and port, and the protocol, in a single field.
The following table describes the log fields supported for VPC firewall rules.
| Field name | Field type: base or optional metadata | Description |
|---|---|---|
| connection | IpConnection | 5-tuple describing the source and destination IP address, source and destination port, and IP protocol of this connection. |
| disposition | Base | Indicates whether the connection was ALLOWED or DENIED. |
| rule_details.reference | Base | Reference to the firewall rule. For VPC firewall rules, the format is network:{network name}/firewall:{firewall_name}. |
| rule_details.priority | Base | The priority defined for the VPC firewall rule. |
| rule_details.action | Base | Indicates whether the connection was ALLOWED or DENIED. |
| rule_details.direction | Base | The direction that the firewall rule applies to: ingress or egress. |
| rule_details.ip_port_info[ ] | IpPortDetails | List of IP protocols and applicable port ranges. The ip_protocol sub-field can be ALL for VPC firewall rules. |
| rule_details.source_range[ ], rule_details.destination_range[ ] | Metadata | List of source or destination IP ranges that the VPC firewall rule applies to. |
| rule_details.source_tag[ ], rule_details.target_tag[ ] | Metadata | List of all source or target network tags that the VPC firewall rule applies to. |
| rule_details.source_service_account[ ], rule_details.target_service_account[ ] | Metadata | List of all source or target service accounts that the VPC firewall rule applies to. |
| instance | Metadata | InstanceDetails. VM instance details. In a Shared VPC configuration, project_id corresponds to that of the service project. |
| load_balancer_details | Metadata | LoadBalancingDetails. Details of the internal Application Load Balancer or internal proxy Network Load Balancer to which the firewall rule applies. When the target of a firewall rule is one of these load balancers, the instance field is omitted. |
| vpc | Metadata | VpcDetails. VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project. |
| remote_instance | Metadata | InstanceDetails. If the remote endpoint of the connection was a VM located in Compute Engine, this field is populated with VM instance details. |
| remote_vpc | Metadata | VpcDetails. If the remote endpoint of the connection was a VM located in a VPC network, this field is populated with the network details. |
| remote_location | Metadata | GeographicDetails. If the remote endpoint of the connection was external to the VPC network, this field is populated with available location metadata. |
IpConnection
| Field | Type | Description |
|---|---|---|
| src_ip | string | The source IP address. If the source is a Compute Engine VM, src_ip is either the primary internal IP address or an address in an alias IP range of the VM's network interface. The external IP address is not shown. Logging shows the IP address of the VM as the VM sees it on the packet header, the same as if you ran tcpdump on the VM. |
| src_port | integer | The source port. |
| dest_ip | string | The destination IP address. If the destination is a Google Cloud VM, dest_ip is either the primary internal IP address or an address in an alias IP range of the VM's network interface. The external IP address is not shown even if it was used in making the connection. |
| dest_port | integer | The destination port. |
| protocol | integer | IP protocol of the connection. |
RuleDetails
| Field | Type | Description |
|---|---|---|
| reference | string | Reference to the VPC firewall rule; format: network:{network name}/firewall:{VPC firewall rule name}. |
| priority | integer | The priority for the VPC firewall rule. |
| action | string | Action applied to the connection. Supported values are ALLOW or DENY. |
| direction | string | The direction that the VPC firewall rule applies to (ingress or egress). |
| source_range[ ] | string | List of source ranges that the VPC firewall rule applies to. |
| destination_range[ ] | string | List of destination ranges that the VPC firewall rule applies to. |
| source_tag[ ] | string | List of source network tags that the VPC firewall rule applies to. |
| target_tag[ ] | string | List of target network tags that the VPC firewall rule applies to. |
| source_service_account[ ] | string | List of all the source service accounts that the VPC firewall rule applies to. |
| target_service_account[ ] | string | List of all the target service accounts that the VPC firewall rule applies to. |
IpPortDetails
| Field | Type | Description |
|---|---|---|
| ip_protocol | string | IP protocol that the VPC firewall rule applies to. Can be set to ALL if the rule applies to all IP protocols. |
| port_range[ ] | string | List of applicable port ranges for VPC firewall rules. For example, 8080-9090. |
InstanceDetails
| Field | Type | Description |
|---|---|---|
| project_id | string | ID of the project containing the VM. |
| vm_name | string | Instance name of the VM. |
| region | string | Region of the VM. |
| zone | string | Zone of the VM. |
LoadBalancingDetails
| Field | Type | Description |
|---|---|---|
| forwarding_rule_project_id | string | Google Cloud project ID that contains the forwarding rule. Sent when the load balancer is the target instead of a VM. |
| type | string | Load balancer type: APPLICATION_LOAD_BALANCER indicates an internal Application Load Balancer. PROXY_NETWORK_LOAD_BALANCER indicates an internal proxy Network Load Balancer. Sent when the load balancer is the target instead of a VM. |
| scheme | string | Load balancer scheme, INTERNAL_MANAGED. Sent when the load balancer is the target instead of a VM. |
| url_map_name | string | Name of the URL map. Only populated if the type is APPLICATION_LOAD_BALANCER. Sent when the load balancer is the target instead of a VM. |
| forwarding_rule_name | string | Name of the forwarding rule. Sent when the load balancer is the target instead of a VM. |
VpcDetails
| Field | Type | Description |
|---|---|---|
| project_id | string | ID of the project containing the network. |
| vpc_name | string | Network on which the VM is operating. |
| subnetwork_name | string | Subnet on which the VM is operating. |
GeographicDetails
| Field | Type | Description |
|---|---|---|
| continent | string | Name of the continent. It's applicable if the remote endpoint of the connection is external to the VPC. |
| country | string | Name of the country. It's applicable if the remote endpoint of the connection is external to the VPC. |
| region | string | Name of the region. It's applicable if the remote endpoint of the connection is external to the VPC. |
| city | string | Name of the city. It's applicable if the remote endpoint of the connection is external to the VPC. |
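The following added example, which is not part of this page or of any Google Cloud library, shows how the structures above fit together when you process exported firewall log entries. It parses constructed jsonPayload objects (all values, project names, rule names and IP addresses are made up for illustration), splits rule_details.reference using the documented network:{network name}/firewall:{rule name} format, maps the numeric connection.protocol to a name, handles the documented case where load_balancer_details is present and instance is omitted, and counts DENIED connections per source address, destination port and protocol, which is a typical first step when reviewing firewall hits.

```python
import json
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers for the values most often seen in connection.protocol.
_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}

# Documented format of rule_details.reference: network:{network name}/firewall:{rule name}
_REFERENCE_RE = re.compile(r"^network:(?P<network>[^/]+)/firewall:(?P<rule>.+)$")

# Constructed sample: three jsonPayload objects in the shape described on this page.
# Names, projects and addresses are invented; this is not real log data.
SAMPLE_LOG = """
[
 {"connection": {"src_ip": "203.0.113.7", "src_port": 51234, "dest_ip": "10.128.0.5", "dest_port": 22, "protocol": 6},
  "disposition": "DENIED",
  "rule_details": {"reference": "network:example-vpc/firewall:deny-ssh-external", "priority": 1000,
                   "action": "DENY", "direction": "INGRESS",
                   "ip_port_info": [{"ip_protocol": "TCP", "port_range": ["22"]}], "source_range": ["0.0.0.0/0"]},
  "instance": {"project_id": "example-svc-project", "vm_name": "web-1", "region": "us-central1", "zone": "us-central1-a"},
  "vpc": {"project_id": "example-host-project", "vpc_name": "example-vpc", "subnetwork_name": "web-subnet"},
  "remote_location": {"continent": "Europe", "country": "NL", "region": "North Holland", "city": "Amsterdam"}},
 {"connection": {"src_ip": "203.0.113.7", "src_port": 51240, "dest_ip": "10.128.0.5", "dest_port": 22, "protocol": 6},
  "disposition": "DENIED",
  "rule_details": {"reference": "network:example-vpc/firewall:deny-ssh-external", "priority": 1000,
                   "action": "DENY", "direction": "INGRESS", "ip_port_info": [{"ip_protocol": "TCP", "port_range": ["22"]}]},
  "instance": {"project_id": "example-svc-project", "vm_name": "web-1", "region": "us-central1", "zone": "us-central1-a"},
  "remote_location": {"country": "NL"}},
 {"connection": {"src_ip": "10.128.0.9", "src_port": 40001, "dest_ip": "10.128.0.20", "dest_port": 443, "protocol": 6},
  "disposition": "ALLOWED",
  "rule_details": {"reference": "network:example-vpc/firewall:allow-internal-https", "priority": 900,
                   "action": "ALLOW", "direction": "INGRESS", "ip_port_info": [{"ip_protocol": "TCP", "port_range": ["443"]}]},
  "load_balancer_details": {"forwarding_rule_project_id": "example-svc-project", "type": "APPLICATION_LOAD_BALANCER",
                            "scheme": "INTERNAL_MANAGED", "url_map_name": "web-map", "forwarding_rule_name": "fr-internal-web"},
  "remote_instance": {"project_id": "example-svc-project", "vm_name": "app-2", "region": "us-central1", "zone": "us-central1-b"}}
]
"""


@dataclass
class FirewallRecord:
    """Flattened view of one firewall log record (hypothetical helper type)."""
    src_ip: str
    src_port: int
    dest_ip: str
    dest_port: int
    protocol: str
    disposition: str
    network: str
    rule_name: str
    priority: int
    direction: str
    target: str                    # "vm:<vm_name>" or "lb:<forwarding_rule_name>"
    remote_country: Optional[str]  # only present for endpoints external to the VPC


def parse_reference(reference: str) -> tuple:
    """Split rule_details.reference into (network name, firewall rule name)."""
    m = _REFERENCE_RE.match(reference)
    if not m:
        raise ValueError(f"unexpected rule reference format: {reference!r}")
    return m.group("network"), m.group("rule")


def protocol_name(number: int) -> str:
    """Map the numeric IP protocol to a name; unknown numbers stay visible."""
    return _PROTOCOLS.get(number, f"proto-{number}")


def parse_record(payload: dict) -> FirewallRecord:
    """Flatten one jsonPayload. When the rule targets a load balancer, the page
    states that load_balancer_details is present and instance is omitted."""
    conn, rule = payload["connection"], payload["rule_details"]
    network, rule_name = parse_reference(rule["reference"])
    if "load_balancer_details" in payload:
        target = "lb:" + payload["load_balancer_details"]["forwarding_rule_name"]
    else:
        target = "vm:" + payload["instance"]["vm_name"]
    remote = payload.get("remote_location") or {}
    return FirewallRecord(
        src_ip=conn["src_ip"], src_port=int(conn["src_port"]),
        dest_ip=conn["dest_ip"], dest_port=int(conn["dest_port"]),
        protocol=protocol_name(int(conn["protocol"])), disposition=payload["disposition"],
        network=network, rule_name=rule_name, priority=int(rule["priority"]),
        direction=rule["direction"], target=target, remote_country=remote.get("country"),
    )


def denied_by_source(records) -> Counter:
    """Count DENIED connections per (src_ip, dest_port, protocol)."""
    return Counter((r.src_ip, r.dest_port, r.protocol)
                   for r in records if r.disposition == "DENIED")


def load_sample():
    """Parse the constructed sample into FirewallRecord objects."""
    return [parse_record(p) for p in json.loads(SAMPLE_LOG)]


if __name__ == "__main__":
    for (ip, port, proto), n in denied_by_source(load_sample()).most_common():
        print(f"DENIED {n}x from {ip} to port {port}/{proto}")
```

Because metadata fields can be excluded to reduce storage costs, the parser only requires the base fields plus whichever of instance or load_balancer_details identifies the target; remote_location is read with a default so records without it still parse.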
What's next
- Firewall policy rules logging format.
- VPC firewall rules logging overview.
- Manage VPC firewall rules logging.
- Cloud Logging.