Create and manage firewall policies for ULL VPC networks

To configure Cloud Next Generation Firewall (Cloud NGFW) for Ultra Low Latency (ULL) Virtual Private Cloud (VPC) networks, you must create a regional network firewall policy and set the policy type flag to ULL_POLICY. ULL VPC networks differ from regular VPC networks and don't support legacy VPC firewall rules.

This page shows you how to configure firewall policy rules that apply to ULL VPC networks.

Before you begin

  • Make sure that you have the Compute Security Admin role (roles/compute.securityAdmin) to manage network firewall policies.

  • Make sure that you have a ULL VPC network.

Create a ULL firewall policy

Once you create a ULL VPC network, you can create a firewall policy for that network. When you create the policy, set the policy_type field to ULL_POLICY. You can use only regional network firewall policies for ULL VPC networks.

gcloud

  1. To create a ULL regional network firewall policy, use the gcloud beta compute network-firewall-policies create command:

    gcloud beta compute network-firewall-policies create FIREWALL_POLICY_NAME \
        --region=REGION \
        --policy_type=ULL_POLICY
    

    Replace the following values:

    • FIREWALL_POLICY_NAME: the name of the network firewall policy.
    • REGION: the region of the ULL network firewall policy.

Create rules in the ULL firewall policy

Add firewall rules to your ULL policy. To keep latency low, ULL policies support only a subset of the standard Cloud NGFW rule features, so a rule that is valid in a regular network firewall policy is not necessarily valid here.

gcloud

  1. To add a rule to the ULL network firewall policy, use the gcloud compute network-firewall-policies rules create command:

    gcloud compute network-firewall-policies rules create PRIORITY \
        --firewall-policy-region=REGION \
        --firewall-policy=FIREWALL_POLICY_NAME \
        --action=allow \
        --direction=DIRECTION \
        --src-ip-ranges=SOURCE_IP_RANGE \
        --layer4-configs=tcp:80,udp:53
    

    Replace the following values:

    • PRIORITY: the numeric evaluation order of the rule within the policy. Lower numbers are evaluated first, and each rule in a policy must have a unique priority.
    • REGION: the region of the ULL network firewall policy.
    • FIREWALL_POLICY_NAME: the name of the network firewall policy.
    • DIRECTION: the direction of traffic to which the rule applies: INGRESS or EGRESS.
    • SOURCE_IP_RANGE: for an INGRESS rule, the source IP address ranges whose inbound connections to instances on the network match the rule. Specify the ranges in Classless Inter-Domain Routing (CIDR) format. For an EGRESS rule, use --dest-ip-ranges to specify destination ranges instead.

    The --layer4-configs value lists the protocols and ports the rule matches as comma-separated PROTOCOL or PROTOCOL:PORT entries; the example matches TCP port 80 and UDP port 53.

Associate the policy with the ULL VPC network

After you create the policy and define its rules, associate it with your ULL VPC network. The association validates that the network's profile allows the ULL_POLICY type. Until the association exists, the rules in the policy have no effect on traffic.

gcloud

  1. To associate the policy with a ULL VPC network, use the gcloud compute network-firewall-policies associations create command:

    gcloud compute network-firewall-policies associations create \
        --firewall-policy-region=REGION \
        --firewall-policy=FIREWALL_POLICY_NAME \
        --network=ULL_NETWORK_NAME
    

    Replace the following values:

    • REGION: the region of the ULL network firewall policy.
    • FIREWALL_POLICY_NAME: the name of the network firewall policy.
    • ULL_NETWORK_NAME: the name of the ULL VPC network.
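The three steps above combined into one script, added here as an example; it is not part of the original page or of Google's own tooling. The project, region, network and policy names, the 203.0.113.0/24 admin range and 198.51.100.53 resolver address (constructed, documentation-reserved addresses), the rule set (allow admin SSH in and DNS out, then explicit deny rules at the lowest priority so the policy does not depend on implied behaviour) and the DRY_RUN wrapper are all assumptions. Deny rules and the all layer-4 config are standard Cloud NGFW rule options, but the page does not list which features ULL policies leave out, so confirm them against the supported-feature list before relying on them.

```shell
#!/bin/sh
# Added example (not from the page): create a ULL_POLICY regional network
# firewall policy, add rules, associate it with a ULL VPC network, read it back.
# Names, addresses and rule design are assumptions; adjust for your environment.
set -eu

PROJECT="${PROJECT:-my-project}"              # assumed project ID
REGION="${REGION:-us-central1}"               # assumed region of the ULL network
NETWORK="${NETWORK:-ull-net}"                 # assumed ULL VPC network name
POLICY="${POLICY:-ull-policy}"                # assumed policy name
ADMIN_RANGE="${ADMIN_RANGE:-203.0.113.0/24}"  # constructed admin source range
RESOLVER="${RESOLVER:-198.51.100.53/32}"      # constructed DNS resolver address

# Print each gcloud command, then run it unless DRY_RUN=1 (review before apply).
run() {
  echo "+ $*"
  if [ "${DRY_RUN:-0}" != 1 ]; then
    "$@"
  fi
}

# Step 1: regional policy with policy_type ULL_POLICY (beta command, as on the page).
create_policy() {
  run gcloud beta compute network-firewall-policies create "$POLICY" \
    --project="$PROJECT" --region="$REGION" --policy_type=ULL_POLICY
}

# Step 2: add_rule PRIORITY ACTION DIRECTION RANGE LAYER4_CONFIGS
# Ingress rules filter on source ranges, egress rules on destination ranges;
# passing the wrong flag for the direction is a common way to get a no-op rule.
add_rule() {
  priority="$1"; action="$2"; direction="$3"; range="$4"; l4="$5"
  case "$direction" in
    INGRESS) range_flag="--src-ip-ranges=$range" ;;
    EGRESS)  range_flag="--dest-ip-ranges=$range" ;;
    *) echo "add_rule: direction must be INGRESS or EGRESS, got '$direction'" >&2; return 1 ;;
  esac
  run gcloud compute network-firewall-policies rules create "$priority" \
    --project="$PROJECT" --firewall-policy-region="$REGION" \
    --firewall-policy="$POLICY" --action="$action" --direction="$direction" \
    "$range_flag" --layer4-configs="$l4"
}

# Step 3: the rules only take effect once the policy is associated with the network.
associate_policy() {
  run gcloud compute network-firewall-policies associations create \
    --project="$PROJECT" --firewall-policy-region="$REGION" \
    --firewall-policy="$POLICY" --network="$NETWORK"
}

# Step 4: read the policy back to confirm policy type, rules and association.
show_policy() {
  run gcloud compute network-firewall-policies describe "$POLICY" \
    --project="$PROJECT" --region="$REGION"
}

main() {
  create_policy
  # Allow-list first: admin SSH from a known range, DNS out to one resolver.
  add_rule 1000 allow INGRESS "$ADMIN_RANGE" tcp:22
  add_rule 1100 allow EGRESS  "$RESOLVER"    udp:53
  # Explicit catch-all denies at the lowest priority (highest number),
  # so the effective behaviour is visible in the policy itself.
  add_rule 65000 deny INGRESS 0.0.0.0/0 all
  add_rule 65100 deny EGRESS  0.0.0.0/0 all
  associate_policy
  show_policy
}

# Apply only when asked, so the file can also be sourced for its functions.
# Usage: DRY_RUN=1 ULL_APPLY=1 sh ull-fw.sh   (print only)
#        ULL_APPLY=1 sh ull-fw.sh             (apply)
if [ "${ULL_APPLY:-0}" = 1 ]; then
  main
fi
```

Run it once with DRY_RUN=1 and check the printed commands before applying: the priorities, directions and range flags are where mistakes hide, and a rule with the wrong direction flag matches nothing.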

What's next