Firewall for ULL VPC networks
Cloud Next Generation Firewall (Cloud NGFW) for Ultra Low Latency (ULL) Virtual Private Cloud (VPC) networks provides the security configuration for the ULL Solution. The standard Cloud NGFW performs packet processing that adds latency to the data path. Because ULL VPC networks require high performance and availability, Cloud NGFW uses a dedicated firewall policy type, ULL_POLICY, for these networks. This policy type lets network administrators enforce essential security boundaries while maintaining the performance required for high-frequency trading. For more information about the ULL Solution, see ULL Solution overview.
Specifications
This section describes firewall specifications for ULL Solution.
ULL VPC networks support firewall rules in regional network firewall policies only. They don't support global network firewall policies, hierarchical firewall policies, or VPC firewall rules.
To prevent the configuration of latency-inducing features, ULL VPC networks require the ULL_POLICY firewall policy type. The firewall POLICY_TYPE field is set at policy creation and can't be changed later. You can associate a firewall policy with a ULL VPC network only if you created the policy with the --policy_type=ULL_POLICY flag; a policy created with the default type can't be converted afterwards, so a wrong type means recreating the policy and its rules.
ULL firewall policies have the same statefulness behavior as firewall policies in regular VPC networks. If a firewall rule allows an ingress connection, the firewall automatically allows the return egress traffic for that connection without requiring a separate rule.
Supported and unsupported features
The following table lists the supported and unsupported features for firewalls in ULL VPC networks.
| Feature category | Feature name | Status |
|---|---|---|
| Policy scope | Regional network firewall policies | Supported |
| Policy scope | Global network firewall policies | Not supported |
| Policy scope | Hierarchical firewall policies | Not supported |
| Rule types | Policy-based rules | Supported |
| Rule types | Legacy VPC firewall rules | Not supported |
| Match criteria | Secure tags | Supported |
| Match criteria | Address groups | Supported |
| Match criteria | 5-tuple (IP address, port, protocol) | Supported |
| Match criteria | Legacy network tags, fully qualified domain name (FQDN) objects, geolocation objects, and threat intelligence | Not supported |
| Advanced services | Firewall rules logging | Not supported |
| Advanced services | Intrusion detection and prevention service | Not supported |
| Traffic types | Unicast traffic (secured and evaluated by the ULL_POLICY firewall rules) | Supported |
| Traffic types | ULL multicast traffic | Not supported |
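The following script is an added example, not part of the Google Cloud documentation, that puts the specifications and the feature table above into practice: it builds the gcloud commands to create a regional network firewall policy of type ULL_POLICY, add 5-tuple and secure-tag rules to it, and associate it with a ULL VPC network. Because the policy type can't be changed after creation and unsupported match criteria can't be used, the script refuses rule flags that depend on features the table lists as unsupported (logging, FQDN objects, geolocation, threat intelligence) before any command runs. The project, region, network, policy name and tag value ID are placeholders; the hyphenated `--policy-type` flag spelling follows the usual gcloud convention and is an assumption here (the page writes it as `--policy_type`), so confirm it with `gcloud compute network-firewall-policies create --help`. By default the commands are only printed (`DRY_RUN=1`); set `DRY_RUN=0` to execute them.

```shell
#!/usr/bin/env sh
# Added example, not Google's own tooling: assemble and vet the gcloud commands
# for a ULL_POLICY regional firewall policy. All names below are placeholders.

PROJECT="${PROJECT:-example-project}"      # hypothetical project ID
REGION="${REGION:-us-east4}"               # hypothetical region
NETWORK="${NETWORK:-ull-vpc}"              # hypothetical ULL VPC network name
POLICY="${POLICY:-ull-policy}"             # hypothetical policy name
TAG_VALUE="${TAG_VALUE:-tagValues/123456789012}"   # hypothetical secure tag value ID

# With DRY_RUN=1 (the default) commands are printed instead of executed.
DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Reject rule options that rely on features unsupported under ULL_POLICY:
# firewall rules logging, FQDN objects, geolocation objects, threat intelligence.
# Returns 1 and names the first offending flag so callers can fail fast.
check_rule_flags() {
  for arg in "$@"; do
    case "$arg" in
      --enable-logging|--src-fqdns=*|--dest-fqdns=*|\
      --src-region-codes=*|--dest-region-codes=*|\
      --src-threat-intelligences=*|--dest-threat-intelligences=*)
        echo "unsupported for ULL_POLICY: ${arg%%=*}" >&2
        return 1 ;;
    esac
  done
  return 0
}

# Create the regional policy. The policy type is fixed at creation time.
create_policy() {
  run gcloud compute network-firewall-policies create "$POLICY" \
    --project="$PROJECT" --region="$REGION" \
    --policy-type=ULL_POLICY \
    --description="ULL firewall policy"
}

# add_rule PRIORITY FLAGS...  Vets the flags, then emits the rule command.
add_rule() {
  priority="$1"; shift
  check_rule_flags "$@" || return 1
  run gcloud compute network-firewall-policies rules create "$priority" \
    --project="$PROJECT" --region="$REGION" --firewall-policy="$POLICY" "$@"
}

# Attach the policy to the ULL VPC network.
associate_policy() {
  run gcloud compute network-firewall-policies associations create \
    --project="$PROJECT" --firewall-policy="$POLICY" \
    --firewall-policy-region="$REGION" \
    --network="$NETWORK" --name="${NETWORK}-${POLICY}"
}

# Demonstration: an allowed 5-tuple + secure tag ingress rule, a rejected
# logging rule, and a final default deny. Return traffic for allowed ingress
# connections is permitted by the stateful firewall without an egress rule.
create_policy
add_rule 1000 --direction=INGRESS --action=allow \
  --layer4-configs=tcp:443 --src-ip-ranges=10.10.0.0/16 \
  --target-secure-tags="$TAG_VALUE"
add_rule 2000 --direction=INGRESS --action=allow \
  --layer4-configs=tcp:22 --src-ip-ranges=10.20.0.0/24 --enable-logging \
  || echo "rule 2000 rejected before any gcloud call, as intended" >&2
add_rule 65000 --direction=INGRESS --action=deny \
  --layer4-configs=all --src-ip-ranges=0.0.0.0/0
associate_policy
```

Run the script once with `DRY_RUN=1` to review the exact commands, then with `DRY_RUN=0` against the real project. The vetting function is the piece worth keeping in any deployment tooling: the policy type itself is enforced server-side at creation, but a rule that references an unsupported match object fails only when gcloud sends it, so catching it in the script keeps a half-applied policy from landing on a trading network.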