Exploring Firewall Policies in Google Cloud and Their Features

Wilma Fernandes
Niveus Solutions
7 min read · Jul 1, 2024

Firewalls are a crucial component of any networking design, providing essential security by controlling incoming and outgoing traffic. This necessity remains true in cloud environments. In Google Cloud Platform (GCP), firewalls are used to segment Virtual Private Clouds (VPCs) and filter traffic so that only designated hosts or subnets can communicate. Google Cloud has recently introduced a new taxonomy for its cloud firewalls: Firewall Essentials, Firewall Standard, and Firewall Plus.

Introduction to Google Cloud Firewall Policies

Firewall policies in Google Cloud allow you to group several firewall rules to update them all at once, controlled by Identity and Access Management (IAM) roles. These policies can explicitly deny or allow connections, similar to VPC firewall rules. The types of firewall policies include hierarchical, global network, and regional network firewall policies.

Hierarchical Firewall Policies (HFP)

Hierarchical Firewall Policies (HFP) allow you to group rules into a policy object that can apply to many VPC networks in one or more projects. You can associate hierarchical firewall policies with an entire organization or individual folders.

Benefits of Using HFP

  • Centralized Management: You can set up security rules at the folder or organization level and apply them to specific projects and VPC networks. This ensures uniform security across your cloud architecture and simplifies administration.
  • Granularity and Inheritance: Policies implemented at higher levels (folders and organizations) are automatically inherited by child nodes (projects and VPCs). You can enhance these inherited rules with project-specific policies, creating a tiered security strategy.
  • Decreased Complexity: This approach simplifies management and reduces the potential for human error by eliminating the need to repeatedly create rules for different projects.
  • Increased Visibility and Control: Leverage audit logging and detailed rule evaluation to gain deeper insights into network traffic and identify potential security threats.

Global and Regional Network Firewall Policies

Global Network Firewall Policies

Global network firewall policies group rules into a policy object applicable across all regions. When associated with a VPC network, the rules in the policy apply to resources within that network globally.

Benefits of Using Global Network Firewall Policies

  • Centralized Management: Like HFPs, global policies allow centralized management of firewall rules, simplifying administration and ensuring consistency across regions.
  • Uniform Security Posture: Ensures that the same security measures are enforced across all regions, providing a uniform security posture.
  • Granularity and Inheritance: Supports the application of detailed and specific security rules that can be inherited and customized at different levels.

Regional Network Firewall Policies

Regional network firewall policies group rules into a policy object applicable to a specific region. When associated with a VPC network, the rules in the policy apply to resources within that specific region of the VPC network.

Benefits of Using Regional Network Firewall Policies

  • Localized Management: Allows for the management of firewall rules specific to a region, which can be tailored to local requirements and regulations.
  • Optimized Performance: Ensures that security rules are applied closer to the resources, which can help optimize performance and reduce latency.
  • Granularity and Inheritance: Similar to global policies, regional policies support detailed and specific rules that can be inherited and customized at different levels within the region.

Policy and Rule Evaluation Order

Firewall rules and policies are evaluated in a specific order during VM packet processing in Google Cloud’s Andromeda network virtualization stack. Rules are evaluated for each network interface (NIC) of the VM, with the evaluation order determined by the networkFirewallPolicyEnforcementOrder flag of the VPC network attached to the VM's NIC.

Default Policy and Rule Evaluation Order

By default, when the networkFirewallPolicyEnforcementOrder is set to AFTER_CLASSIC_FIREWALL, Google Cloud evaluates rules in the following order:

  1. Hierarchical Firewall Policies: Rules from the organization’s hierarchical firewall policy are evaluated first.
  2. Folder-Level Hierarchical Firewall Policies: Rules from the hierarchical firewall policy associated with the most distant folder ancestor of the VM’s project are evaluated next.
  3. VPC Firewall Rules: Google Cloud evaluates all applicable VPC firewall rules.
  4. Global Network Firewall Policies: If associated with the VPC network, these rules are evaluated.
  5. Regional Network Firewall Policies: If associated with the VPC network and region, these rules are evaluated.
  6. Implied Rules: Finally, Google Cloud enforces the implied allow egress and deny ingress VPC firewall rules.

(Figure: firewall rule resolution flow)

To change the rule evaluation order, set the networkFirewallPolicyEnforcementOrder attribute of the VPC network to BEFORE_CLASSIC_FIREWALL; global and regional network firewall policy rules are then evaluated before the VPC firewall rules (the hierarchical policies and the implied rules keep their positions).

Predefined Rules in Firewall Policies

When you create a hierarchical, global, or regional network firewall policy, Google Cloud Network Firewall (NGFW) adds predefined rules to the policy, such as goto-next rules for private IPv4 ranges, predefined Threat Intelligence deny rules, and predefined geolocation deny rules. These predefined rules use low priorities (large priority numbers) so you can override them by creating rules with higher priorities.

Practical Implementation of Hierarchical Firewall Policies

Let’s walk through creating an HFP in your GCP environment and explore some practical applications. We’ll build an HFP within a folder called “hfp-test,” associate it with the folder, and create a basic VPC and subnet. Finally, we’ll set up rules to allow SSH access to VM instances over IAP and to log outbound connections to the internet for security analysis and monitoring.

Prerequisites

Ensure you have a GCP folder and a project within it. Open a terminal with gcloud installed, or launch the Cloud Shell from the console. Set the environment variables:

# Change the values
PROJECT_ID=<PROJECT_ID>
FOLDER_ID=<FOLDER_ID>
ORG_ID=<ORGANIZATION_ID>

  • Create a VPC and a subnet.

gcloud compute networks create test-vpc --subnet-mode custom --project $PROJECT_ID
# The subnet command needs the project as well; without it gcloud falls back
# to the configured default project, which may not be the one targeted above.
gcloud compute networks subnets create test-subnet \
--region europe-west1 \
--network test-vpc \
--range 10.0.0.0/28 \
--project $PROJECT_ID

  • Create the firewall policy.

gcloud compute firewall-policies create --folder $FOLDER_ID --short-name hfp-test

  • Create the rules for outbound Internet connection logging.

Every VPC has implied firewall rules of "deny all ingress" and "allow all egress", at the lowest possible priority. These implied rules cannot be modified or deleted; they can only be overridden by rules with a higher priority. To log egress, we therefore add higher-priority rules of our own.
The first rule sets --dest-ip-ranges to the private (RFC 1918) ranges and does not enable logging, so it exempts internal traffic: outbound connections to any destination inside these ranges are allowed without producing a log entry.

# Rule 1000: Exempt internal connections from logging
gcloud compute firewall-policies rules create 1000 \
--organization=$ORG_ID \
--firewall-policy hfp-test \
--action allow \
--direction EGRESS \
--dest-ip-ranges 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
--layer4-configs tcp,udp,icmp \
--description "Allow internal egress"

The second rule matches every outbound connection (0.0.0.0/0) and enables logging. Because rule 1000 has the higher priority and already matches the internal ranges, only egress to destinations outside those ranges reaches rule 1001 and is logged.

# Rule 1001: Track outgoing connections to the internet
gcloud compute firewall-policies rules create 1001 \
--organization=$ORG_ID \
--firewall-policy hfp-test \
--action allow \
--direction EGRESS \
--dest-ip-ranges 0.0.0.0/0 \
--layer4-configs tcp,udp,icmp \
--enable-logging \
--description "Inspect Internet egress"

Note: Every priority number must be unique within a hierarchical firewall policy. Leave gaps between priority numbers so that rules can be inserted later without renumbering existing ones.

  • Create another rule to enable SSH via IAP.

Next, add a rule that allows SSH through Identity-Aware Proxy (IAP). This rule provides administrative access to VM instances that have no external IP address or do not accept direct connections from the internet, since IAP TCP forwarding originates from the 35.235.240.0/20 range.

# Rule 999: Allow SSH via IAP
gcloud compute firewall-policies rules create 999 \
--organization=$ORG_ID \
--firewall-policy hfp-test \
--action allow \
--direction INGRESS \
--src-ip-ranges 35.235.240.0/20 \
--layer4-configs tcp:22 \
--description "Allow SSH via IAP"
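To see how the evaluation order described above combines with the three rules just created, here is an added Python model of the resolution flow (my own illustration, not Google's implementation and not code from the article): each level is walked in priority order, the first matching allow or deny decides, goto_next defers to the next level, and the implied VPC rules apply last. It ignores protocols, matches ports as a set, and uses a single hfp level to stand in for the organization and folder policies.

```python
import ipaddress

# Constructed model of the rule resolution flow (not GCP's code): levels are
# evaluated in order, rules within a level by priority; the first matching
# allow/deny decides, goto_next hands off to the next level, implied rules last.
IMPLIED = {"INGRESS": "deny", "EGRESS": "allow"}

def rule(priority, direction, ranges, ports, action="allow", log=False):
    """One policy rule; ranges are source ranges for INGRESS, dest for EGRESS."""
    return {"priority": priority, "direction": direction,
            "ranges": [ipaddress.ip_network(r) for r in ranges],
            "ports": ports, "action": action, "log": log}

def matches(r, direction, ip, port):
    return (r["direction"] == direction
            and any(ipaddress.ip_address(ip) in n for n in r["ranges"])
            and (r["ports"] is None or port in r["ports"]))

def evaluate(levels, direction, ip, port):
    """levels: ordered list of (name, [rules]). Returns (action, level, priority, logged)."""
    for name, rules in levels:
        prios = [r["priority"] for r in rules]
        if len(prios) != len(set(prios)):
            raise ValueError(f"duplicate priority in {name}")  # unique per policy
        for r in sorted(rules, key=lambda r: r["priority"]):
            if matches(r, direction, ip, port):
                if r["action"] == "goto_next":
                    break  # skip the rest of this level, continue at the next one
                return r["action"], name, r["priority"], r["log"]
    return IMPLIED[direction], "implied", None, False

def evaluation_order(hfp, vpc_rules, global_nfp, regional_nfp,
                     order="AFTER_CLASSIC_FIREWALL"):
    """Builds the level list for a networkFirewallPolicyEnforcementOrder value."""
    network = [("global-nfp", global_nfp), ("regional-nfp", regional_nfp)]
    classic = [("vpc-rules", vpc_rules)]
    tail = classic + network if order == "AFTER_CLASSIC_FIREWALL" else network + classic
    return [("hfp", hfp)] + tail

# The three rules from the walkthrough, as they sit in the folder-level HFP.
HFP_TEST = [
    rule(999, "INGRESS", ["35.235.240.0/20"], {22}),
    rule(1000, "EGRESS", ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"], None),
    rule(1001, "EGRESS", ["0.0.0.0/0"], None, log=True),
]

def decide(direction, ip, port, order="AFTER_CLASSIC_FIREWALL"):
    """Evaluates one flow against the walkthrough HFP with no other policies attached."""
    return evaluate(evaluation_order(HFP_TEST, [], [], [], order), direction, ip, port)
```

Running decide("EGRESS", "8.8.8.8", 443) shows the flow reaching rule 1001 and being logged, while an internal destination stops at rule 1000 unlogged and an SSH attempt from outside the IAP range falls through to the implied ingress deny.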

Viewing and Managing Firewall Policies

After completing these steps, you can view the inherited firewall rules by navigating to VPC Network > test-vpc > Firewalls, and Network Security > Firewall Policies in the Google Cloud Console.

(Figure: VPC network details)

Effective Firewall Rules

Effective firewall rules control connections and can be viewed at both the network and instance levels:

  • Network Effective Firewall Rules: View all firewall rules applied to a VPC network, including rules from hierarchical firewall policies, VPC firewall rules, and global and regional network firewall policies.
  • Instance Effective Firewall Rules: View all firewall rules applied to a VM’s network interface, ordered from the organization level down to the VPC network. Only rules that apply to the VM interface are shown.

Conclusion

Hierarchical Firewall Policies, Global Network Firewall Policies, and Regional Network Firewall Policies provide an effective and powerful method for managing your cloud security posture. By centralizing policies and inheriting them across your entire organization, you ensure consistent protection of your critical cloud assets, simplify management, and increase visibility. These policies offer advanced capabilities for granular control and heightened security, allowing you to dynamically switch out policies for different branches of your cloud environment and instantly change the rules for all VMs within. Delegating decision-making to lower levels allows for flexible, organization-specific customization, and the new goto_next action facilitates this process. Integrating these policy rules with intrusion prevention services adds another layer of defense. You can easily audit the implemented rules through your VPC network and VM instance details pages, enhancing compliance and troubleshooting. With these features, you can secure your cloud infrastructure with granular adaptability and central control. This guide represents just the beginning, as these advanced policies lay the foundation for a robust and adaptable cloud security framework.