Network Firewall Policy

Basavaraja Kademane kurubar
Niveus Solutions
6 min read · Jun 10, 2024


Introduction

This article explains how to use Network Firewall Policies in place of VPC firewall rules in GCP.

Let’s start by understanding what network firewall policies are and why they matter.

Network firewall policies: A Network Firewall Policy is a set of rules and configurations that define how network traffic is allowed or blocked within a network infrastructure. These policies are typically implemented within firewalls, which act as gatekeepers for network traffic, monitoring incoming and outgoing packets and applying predefined rules to determine whether to permit or deny them.

More generally, a firewall policy is a collection of firewall policy rules, which are again very similar to, but not the same as, legacy firewall rules.

Unlike firewall rules, firewall policy rules have a unique identifier (their priority) and support more, and different, filtering mechanisms depending on where they are configured. Network firewall policies can be either global or regional; a regional policy applies only to workloads living in a single region.

Network firewall policies are also hierarchical: just like the hierarchical firewall policies that you apply to organizations and folders, policies can be applied at the organization, folder and VPC levels.

The evaluation order of firewall policies is: organization, folder, legacy (VPC) firewall rules, global network firewall policies, and finally regional network firewall policies.

At each level, you can either enforce an action (allow, deny) or delegate the decision to the levels further down the chain (using goto_next). This lets administrators enforce infrastructure-wide rules or safely delegate decisions locally.
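To make the evaluation order and goto_next delegation concrete, here is a small simulation. It is an added example written for this article, not Google’s implementation: it models the five levels in the order described above, the lowest-priority-number-first ordering inside each level, and the implied VPC rules (deny ingress, allow egress) that apply when every level delegates. The rules, addresses and the "ssh-allowed" tag name are constructed sample data.

```python
"""Simplified model of hierarchical firewall policy evaluation in GCP.

Added example (not Google's code): organization -> folder -> VPC rules ->
global policy -> regional policy, lowest priority number first within a
level, goto_next (or no match) hands the decision to the next level.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Evaluation order described in the article, top of the chain first.
LEVELS = ["organization", "folder", "vpc_rules", "global_policy", "regional_policy"]


@dataclass
class Rule:
    priority: int                                 # 0..2147483643; lower number wins within a level
    direction: str                                # "INGRESS" or "EGRESS"
    action: str                                   # "allow", "deny" or "goto_next"
    src_ranges: list = field(default_factory=list)  # source CIDRs; empty means any source
    ports: set = field(default_factory=set)         # destination ports; empty means any port
    tags: set = field(default_factory=set)          # secure tag values the target NIC must carry

    def matches(self, pkt: dict) -> bool:
        if pkt["direction"] != self.direction:
            return False
        if self.src_ranges and not any(
            ip_address(pkt["src"]) in ip_network(cidr) for cidr in self.src_ranges
        ):
            return False
        if self.ports and pkt["port"] not in self.ports:
            return False
        if self.tags and not (self.tags & pkt["nic_tags"]):
            return False
        return True


def evaluate(pkt: dict, policies: dict):
    """Return (decision, level, priority) for a packet.

    policies maps a level name to its list of rules. The first matching
    rule at a level decides, unless its action is goto_next, in which case
    (as when nothing at that level matches) the next level is consulted.
    If the whole chain delegates, the implied VPC rules decide.
    """
    for level in LEVELS:
        for rule in sorted(policies.get(level, []), key=lambda r: r.priority):
            if not rule.matches(pkt):
                continue
            if rule.action == "goto_next":
                break                       # delegate to the next level down the chain
            return rule.action, level, rule.priority
    implied = "deny" if pkt["direction"] == "INGRESS" else "allow"
    return implied, "implied", None


# Constructed sample: the org blocks Telnet everywhere and delegates SSH; the
# folder delegates everything; the VPC's global policy allows SSH only from
# the corporate range to NICs tagged "ssh-allowed" and denies other SSH.
SAMPLE = {
    "organization": [
        Rule(100, "INGRESS", "deny", ports={23}),
        Rule(200, "INGRESS", "goto_next", ports={22}),
    ],
    "folder": [
        Rule(1000, "INGRESS", "goto_next"),
    ],
    "global_policy": [
        Rule(1000, "INGRESS", "allow", src_ranges=["10.0.0.0/8"], ports={22}, tags={"ssh-allowed"}),
        Rule(2000, "INGRESS", "deny", ports={22}),
    ],
}


def decide(src: str, port: int, nic_tags, direction: str = "INGRESS"):
    """Convenience wrapper that evaluates one packet against SAMPLE."""
    pkt = {"src": src, "port": port, "nic_tags": set(nic_tags), "direction": direction}
    return evaluate(pkt, SAMPLE)


if __name__ == "__main__":
    print(decide("10.1.2.3", 23, []))                 # org-level deny
    print(decide("10.1.2.3", 22, ["ssh-allowed"]))    # delegated down, allowed by global policy
    print(decide("203.0.113.5", 22, ["ssh-allowed"])) # wrong source, global policy denies
    print(decide("10.1.2.3", 443, []))                # nothing matches, implied ingress deny
```

The useful observation is the second case: the organization rule matches the SSH packet but says goto_next, so the decision is made two levels lower. Changing that rule to deny would override the VPC-level allow, which is exactly the central-control property the hierarchy gives an organization administrator.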

GCP’s standard firewall policies don’t directly include NGFW features, but you can use Cloud NGFW (in Public Preview) alongside them for a more comprehensive security approach. Here’s how to incorporate NGFW functionality into your security strategy:

  1. Enable Cloud NGFW
  2. Create firewall policies with Cloud NGFW integration
  3. Define inspection rules within Cloud NGFW
  4. Associate inspection rules with firewall policy rules

You may wonder what NGFWs are. NGFWs (Next-Generation Firewalls) are able to block or allow packets based on the application they are destined for; they achieve this by analyzing traffic at Layer 7, the application layer.

Traditional firewalls do not have this capability because they only analyze traffic at Layers 3 and 4.

Secure Tags:

Firewall policies can be implemented with the help of secure tags.

These are the same tags already present at the organization level, but they have been extended so that they can be associated with VPCs. Secure tags have their own IAM profile, allowing the administrators in charge of them to delegate their use on specific resources (i.e. projects or VMs) to specific identities.

The most common roles associated with secure tags are:

A) Tag administrator

B) Tag user

Please note that a network tag is different from a secure tag when creating a firewall policy.

Secure tags versus network tags and service accounts: network tags and service accounts don’t pass through peerings, meaning you cannot, for example, filter ingress traffic by referring to a network tag (or a service account) associated with a VM living in a VPC peered with yours. When using network firewall policies instead, you can filter traffic by referring to secure tags associated with VM NICs attached to VPCs peered with yours.

To create a secure tag we need some basic roles:

  1. compute.securityAdmin
  2. compute.networkAdmin
  3. compute.viewer
  4. compute.networkUser and compute.networkViewer

Next, let’s look at the major differences between VPC firewall rules and firewall policies.

When to choose VPC firewall rules and when to choose firewall policies

  • For basic traffic control within a single VPC, VPC firewall rules are sufficient.
  • For complex filtering needs, centralized management, or applying security policies across multiple VPCs, firewall policies are the recommended approach. They offer greater flexibility and scalability.

Additional Considerations:

  • You can migrate existing VPC firewall rules to firewall policies for a more robust and centralized security management approach.
  • Firewall policies can co-exist with VPC firewall rules, but rules within a policy take precedence over existing VPC firewall rules for the same network.

Finally, I will show you how to create a firewall policy in the GCP console.

Step 1: Go to Firewall policies > Create Firewall Policy > Configure policy > Deployment scope > Global or Regional > Create Rule > Associate > Select the particular VPC.

Step 2: Create a firewall rule. Give the rule a priority (the priority can be 0–2147483643; a rule with a lower value has higher priority), then select the direction of traffic, either ingress or egress. Under "Action on match" you can choose allow, deny, go to next, or Proceed to L7 inspection. If you want logging at the firewall rule level, turn on logs.

In the target section, select the target type depending on which network you are going to apply the rule to, and specify the source IP address. As I said earlier, firewall policy rules can be applied based on tags, and they also support FQDNs, geolocations, address groups and Google Cloud Threat Intelligence. For more details on these you can refer to the official Google documentation: https://cloud.google.com/firewall/docs/use-address-groups-firewall-policies

Then select the destination IP along with the protocols and ports; finally, you can associate this policy with the applicable VPC networks.

Step 3: Associate the policy with an existing VPC and continue.
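The same three steps can be scripted instead of clicked through. The following is an added example, not code from the article or from Google: each builder returns the argv list of one gcloud command so the whole plan can be reviewed (and the priority range and action values checked) before anything is executed, and run() only calls gcloud when dry_run is False. The policy name, network name, the tag value ID and the 10.0.0.0/8 corporate range are placeholders, not values from the article.

```python
"""Build the gcloud commands that reproduce the console steps above.

Added example (not the article's or Google's code). Builders return argv
lists; nothing is executed unless run(..., dry_run=False) is used.
"""
import subprocess

MAX_PRIORITY = 2147483643                 # upper bound of the priority range given in the article
POLICY = "example-global-policy"          # placeholder policy name
NETWORK = "example-vpc"                   # placeholder VPC network name
SSH_TAG_VALUE = "tagValues/000000000000"  # placeholder secure tag value ID
ACTIONS = ("allow", "deny", "goto_next", "apply_security_profile_group")  # last one = L7 inspection


def create_policy_cmd(policy=POLICY, description="Example network firewall policy"):
    """Step 1: create a global network firewall policy."""
    return ["gcloud", "compute", "network-firewall-policies", "create", policy,
            "--global", f"--description={description}"]


def create_rule_cmd(priority, direction, action, policy=POLICY, *, src_ranges=(),
                    dest_ranges=(), layer4=(), target_tags=(), logging=False, description=""):
    """Step 2: add one rule to the policy. Lower priority number wins."""
    if not 0 <= priority <= MAX_PRIORITY:
        raise ValueError(f"priority must be 0..{MAX_PRIORITY}, got {priority}")
    if direction not in ("INGRESS", "EGRESS"):
        raise ValueError("direction must be INGRESS or EGRESS")
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    cmd = ["gcloud", "compute", "network-firewall-policies", "rules", "create", str(priority),
           f"--firewall-policy={policy}", "--global-firewall-policy",
           f"--direction={direction}", f"--action={action}"]
    if src_ranges:
        cmd.append("--src-ip-ranges=" + ",".join(src_ranges))
    if dest_ranges:
        cmd.append("--dest-ip-ranges=" + ",".join(dest_ranges))
    if layer4:
        cmd.append("--layer4-configs=" + ",".join(layer4))      # e.g. tcp:22
    if target_tags:
        cmd.append("--target-secure-tags=" + ",".join(target_tags))
    if logging:
        cmd.append("--enable-logging")                          # rule-level logging
    if description:
        cmd.append(f"--description={description}")
    return cmd


def associate_cmd(policy=POLICY, network=NETWORK, name=None):
    """Step 3: attach the policy to an existing VPC network."""
    cmd = ["gcloud", "compute", "network-firewall-policies", "associations", "create",
           f"--firewall-policy={policy}", f"--network={network}", "--global-firewall-policy"]
    if name:
        cmd.append(f"--name={name}")
    return cmd


def plan():
    """The three console steps as an ordered list of commands."""
    return [
        create_policy_cmd(),
        # Allow SSH only from the placeholder corporate range, only to NICs carrying the tag.
        create_rule_cmd(1000, "INGRESS", "allow", src_ranges=["10.0.0.0/8"],
                        layer4=["tcp:22"], target_tags=[SSH_TAG_VALUE], logging=True,
                        description="ssh-from-corp"),
        # Explicit deny for all other SSH at a lower priority, logged so attempts are visible.
        create_rule_cmd(2000, "INGRESS", "deny", layer4=["tcp:22"], logging=True),
        associate_cmd(name=f"{POLICY}-{NETWORK}"),
    ]


def run(cmd, dry_run=True):
    """Print the command; execute it only when dry_run is False."""
    print(" ".join(cmd))
    if not dry_run:
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    for cmd in plan():
        run(cmd)   # dry run: prints the four commands, changes nothing
```

Keeping the explicit deny at priority 2000 is deliberate: without it, SSH from outside the corporate range would fall through to the regional policy and then to the implied rules, and what happens to it would depend on configuration that lives somewhere else.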

Benefits of GCP Firewall Policies

1. Centralized Management: Define and enforce policies from a single location.

2. Improved Security Posture: Granular control over traffic flow for enhanced security.

3. Scalability and Efficiency: Hierarchical policies reduce repetitive rule creation.

4. Flexibility: Define ingress (inbound) and egress (outbound) rules with various filtering options.

Conclusion:

Use VPC firewall rules for simple traffic control within a single VPC when you need a straightforward approach.

Choose VPC firewall policies for:

  1. Complex filtering needs within a single VPC.
  2. Centralized management and consistent security policies across multiple VPCs or your entire organization.
  3. Leveraging advanced filtering options for granular control.
  4. You can migrate existing VPC firewall rules to firewall policies for a more robust and centralized security management approach.
  5. Firewall policies can coexist with VPC firewall rules, but rules within a policy take precedence over existing VPC firewall rules for the same network.
  6. Note that both VPC firewall rules and firewall policies operate primarily at Layer 3 (network layer) and Layer 4 (transport layer) of the OSI model.
  7. For Layer 7 (application layer) security, consider integrating Cloud Armor with VPC Firewall Policies or implementing application-level security measures.

By understanding these key distinctions, you can effectively leverage VPC firewall policies and VPC firewall rules to create a secure and well-defined network environment within Google Cloud Platform.

Hope you enjoyed the read. Stay tuned for more stories and insights on GCP.

References:

https://medium.com/@lprete

https://cloud.google.com/firewall/docs/use-address-groups-firewall-policies

THANK YOU
