Firewall policies and rules overview

Firewall policies are a collection of firewall rules that let you control the ingress and egress flow of traffic in a VPC network. Firewall policy rules enable you to explicitly deny or allow connections.

In in-band Network Security Integration, you use hierarchical firewall policies or global network firewall policies (recommended) and their rules to redirect network traffic. The traffic flows through the VPC network's intercept endpoint group, then through the producer's intercept deployment group, and finally to the producer's compute resources for inspection.

This page describes the firewall policies and rules used for packet inspection.

Firewall policies and rules

To redirect traffic to the intercept endpoint group, you create a network or hierarchical firewall policy and add rules to it.

In that policy, you must create a firewall rule with the action apply_security_profile_group. The rule must reference the security profile group that contains the custom-intercept-profile action; a rule with an allow or deny action does not send traffic for inspection.

Priority

The priority of the firewall rule must be an integer from 0 to 2,147,483,647, inclusive. Lower integers indicate higher priorities, so the rule with the lowest number is evaluated first, and each rule in a policy must have a unique priority. For more information, see Firewall rule priority.

Action on match

A rule in a firewall policy can have one of the following actions:

  • The allow action permits traffic and stops further rule evaluation.
  • The deny action denies traffic and stops further rule evaluation.
  • The apply_security_profile_group action transparently intercepts the traffic and sends it to the configured firewall endpoint or to the intercept endpoint group for inspection. Whether the packet is then allowed or denied depends on the firewall endpoint (or on the intercept endpoint group) and the configured security profile. In both cases, rule evaluation stops at this rule.

For more information, see Policy and rule evaluation order.

Egress and ingress

An ingress rule with a deny action protects all instances by blocking incoming connections to them. A higher priority rule might allow incoming access.

An egress rule with an allow action lets an instance send traffic to the destinations specified in the rule. Egress can be denied by higher priority deny firewall rules. Google Cloud also blocks or limits certain kinds of traffic.

After you add the firewall rule to the policy, associate the policy so that it takes effect: a network firewall policy is associated with your VPC network, and a hierarchical firewall policy with your organization or a folder. For more information, see Create and manage rules.

Protocols and ports

As with VPC firewall rules, you must specify one or more protocol and port constraints when you create a firewall policy rule. When specifying TCP or UDP, you can specify the protocol alone, the protocol and a destination port, or the protocol and a destination port range; you cannot specify only a port or port range. Only destination ports can be specified; rules based on source ports are not supported.

You can use the following protocol names in firewall rules:

  • tcp
  • udp
  • icmp (for IPv4 ICMP)
  • esp
  • ah
  • sctp
  • ipip

For all other protocols, use the IANA protocol numbers.

For more information, see Firewall rules protocol and ports.

Direction

The direction is the direction in which the firewall rule applies, either INGRESS or EGRESS.

  • INGRESS: ingress direction refers to the incoming connections sent from specific sources to Google Cloud targets. Ingress rules apply to inbound packets, where the destination of the packets is the target.

    An ingress rule with a deny action protects all instances by blocking incoming connections to them. A higher priority rule might allow incoming access. An automatically created default network includes some pre-populated Virtual Private Cloud firewall rules, which allow ingress for certain types of traffic.

  • EGRESS: egress direction refers to the outbound traffic sent from a target to a destination. Egress rules apply to packets for new connections where the source of the packet is the target.
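The constraints in the Priority, Action on match, Protocols and ports, and Direction sections above can be checked and exercised offline. The following is an added example, not code from the original page or from Google Cloud: it validates rules against those constraints (priority range and uniqueness, the three actions, protocol names versus IANA numbers, destination-port-only layer4 configs), evaluates constructed packets against one policy in priority order so that a higher-priority deny is seen to short-circuit an intercept rule, and renders each rule as the equivalent `gcloud compute network-firewall-policies rules create` command. The organization ID, security profile group name, policy name and packet addresses are placeholders; the gcloud flag names are the CLI's, but the rendered commands are only printed, never run.

```python
"""Rule validation and first-match evaluation for one firewall policy.

Added example; not code from the original page or from Google Cloud.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Protocol names the page lists; anything else must be given as an IANA protocol number.
PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1, "esp": 50, "ah": 51, "sctp": 132, "ipip": 4}
ACTIONS = {"allow", "deny", "apply_security_profile_group"}
MAX_PRIORITY = 2_147_483_647

# "<proto>", "<proto>:<port>" or "<proto>:<lo>-<hi>"; proto is a name or a number.
_L4 = re.compile(r"^(?P<proto>[a-z]+|\d{1,3})(?::(?P<lo>\d{1,5})(?:-(?P<hi>\d{1,5}))?)?$")


def parse_layer4(spec: str) -> Tuple[int, Optional[int], Optional[int]]:
    """Return (protocol_number, low_port, high_port) for one layer4 constraint.

    Ports are destination ports only. A bare port ("443") is rejected, and ports are
    accepted only for tcp/udp, matching the page. Note the trap: "22" is read as IANA
    protocol 22, not as TCP port 22; the port form is "tcp:22".
    """
    m = _L4.match(spec)
    if not m:
        raise ValueError(f"bad layer4 config {spec!r}")
    proto = m["proto"]
    if proto.isdigit():
        number = int(proto)
        if number > 255:
            raise ValueError(f"{spec!r}: protocol numbers are 0-255; a port alone is not allowed")
    elif proto in PROTOCOL_NUMBERS:
        number = PROTOCOL_NUMBERS[proto]
    else:
        raise ValueError(f"unknown protocol name {proto!r}; use its IANA number")
    if m["lo"] is None:
        return number, None, None
    if number not in (6, 17):
        raise ValueError(f"{spec!r}: ports may only be given for tcp or udp")
    lo = int(m["lo"])
    hi = int(m["hi"]) if m["hi"] is not None else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"{spec!r}: bad port range")
    return number, lo, hi


def is_valid_layer4(spec: str) -> bool:
    """True if parse_layer4 accepts the constraint."""
    try:
        parse_layer4(spec)
        return True
    except ValueError:
        return False


@dataclass
class Rule:
    priority: int                # 0..2,147,483,647; lower number wins
    direction: str               # "INGRESS" or "EGRESS"
    action: str                  # allow | deny | apply_security_profile_group
    layer4: List[str]            # at least one protocol[:port[-port]] constraint
    ip_ranges: List[str]         # sources for INGRESS, destinations for EGRESS
    security_profile_group: Optional[str] = None  # required for apply_security_profile_group
    _l4: list = field(init=False, repr=False)
    _nets: list = field(init=False, repr=False)

    def __post_init__(self) -> None:
        if not 0 <= self.priority <= MAX_PRIORITY:
            raise ValueError(f"priority {self.priority} out of range")
        if self.direction not in ("INGRESS", "EGRESS"):
            raise ValueError(f"direction must be INGRESS or EGRESS, got {self.direction!r}")
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")
        if self.action == "apply_security_profile_group" and not self.security_profile_group:
            raise ValueError("apply_security_profile_group needs a security profile group")
        if not self.layer4:
            raise ValueError("at least one layer4 config is required")
        self._l4 = [parse_layer4(s) for s in self.layer4]
        self._nets = [ipaddress.ip_network(r, strict=False) for r in self.ip_ranges]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: int                   # IANA protocol number
    dst_port: Optional[int] = None


def matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    if rule.direction != direction:
        return False
    # Ingress rules match on the packet's source, egress rules on its destination.
    remote = ipaddress.ip_address(pkt.src_ip if direction == "INGRESS" else pkt.dst_ip)
    if not any(remote in net for net in rule._nets):
        return False
    for number, lo, hi in rule._l4:
        if number == pkt.proto and (lo is None or (pkt.dst_port is not None and lo <= pkt.dst_port <= hi)):
            return True
    return False


def evaluate(rules: List[Rule], pkt: Packet, direction: str) -> Optional[Rule]:
    """First matching rule in ascending priority order, or None.

    allow, deny and apply_security_profile_group all stop evaluation, so the winning
    rule's action is this policy's decision. None means nothing in this policy matched
    (lower-ranked policies or the network's implied rules decide; outside this example).
    """
    priorities = [r.priority for r in rules]
    if len(set(priorities)) != len(priorities):
        raise ValueError("rule priorities must be unique within a policy")
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, pkt, direction):
            return rule
    return None


def to_gcloud(rule: Rule, policy: str = "nsi-intercept-policy") -> str:
    """Render the equivalent global network firewall policy rule command (policy name is a placeholder)."""
    parts = ["gcloud compute network-firewall-policies rules create", str(rule.priority),
             f"--firewall-policy={policy}", "--global-firewall-policy",
             f"--direction={rule.direction}", f"--action={rule.action}",
             f"--layer4-configs={','.join(rule.layer4)}"]
    parts.append(("--src-ip-ranges=" if rule.direction == "INGRESS" else "--dest-ip-ranges=") + ",".join(rule.ip_ranges))
    if rule.security_profile_group:
        parts.append(f"--security-profile-group={rule.security_profile_group}")
    return " ".join(parts)


# Placeholder security profile group (organization ID and name are invented).
SPG = "organizations/123456789012/locations/global/securityProfileGroups/intercept-spg"

# Constructed sample policy: a higher-priority deny for telnet, then intercept web and
# DNS ingress, and all TCP/UDP egress, for inspection.
SAMPLE_RULES = [
    Rule(100, "INGRESS", "deny", ["tcp:23"], ["0.0.0.0/0"]),
    Rule(1000, "INGRESS", "apply_security_profile_group", ["tcp:80", "tcp:443", "udp:53"], ["0.0.0.0/0"], SPG),
    Rule(2000, "EGRESS", "apply_security_profile_group", ["tcp", "udp"], ["0.0.0.0/0"], SPG),
]

if __name__ == "__main__":
    samples = [(Packet("198.51.100.7", "10.0.0.5", 6, 443), "INGRESS"),
               (Packet("198.51.100.7", "10.0.0.5", 6, 23), "INGRESS"),
               (Packet("198.51.100.7", "10.0.0.5", 6, 25), "INGRESS"),
               (Packet("10.0.0.5", "203.0.113.9", 17, 53), "EGRESS")]
    for pkt, d in samples:
        r = evaluate(SAMPLE_RULES, pkt, d)
        print(d, pkt.proto, pkt.dst_port, "->", f"{r.action} (priority {r.priority})" if r else "no match in this policy")
    for r in SAMPLE_RULES:
        print(to_gcloud(r))
```

The evaluator models a single policy only; in a real VPC network the hierarchical policy is evaluated before the network policy, and `goto_next` is not modelled. The `parse_layer4` check is worth keeping at hand because `--layer4-configs=22` is silently accepted by the numeric form as protocol 22 rather than TCP port 22.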

What's next