Cloud NGFW: Migrate VPC Firewall Rules that use Network Tags

Lab | 1 hour 30 minutes | 1 Credit | Intermediate
Note: This lab may incorporate AI tools to support your learning.

GSP609

Overview

Cloud Next Generation Firewall (Cloud NGFW) is a fully distributed firewall service with advanced protection capabilities, micro-segmentation, and pervasive coverage to protect your Google Cloud workloads from internal and external attacks.

A global network firewall policy acts as a container for firewall rules. Rules defined in a global network firewall policy are not enforced anywhere until the policy is associated with a VPC network. Each VPC network can have one global network firewall policy associated with it. Global network firewall policies support IAM-governed Tags (or simply Tags) in firewall rules; Tags replace the network tags used by VPC firewall rules and can be used to give an identity to a workload.

Sharing a global network firewall policy across networks, together with the integration with IAM-governed Tags, greatly simplifies firewall configuration and management. A key difference between VPC firewall rules and global network firewall policies is that a VPC firewall rule applies to a single VPC network, whereas a network firewall policy can be associated with one VPC network or with a group of VPC networks, and its rules can be updated as a batch.

By default, the enforcement sequence is shown in the following diagram:

[Diagram: hierarchical flow of firewall policies and rules]

The enforcement order between VPC firewall rules and the global network firewall policy can be swapped. You can change the enforcement order at any time with the gcloud compute networks update command.

Tags

The Tags used by firewalls are integrated into network firewall policy rules. They are key-value pair resources defined in the Google Cloud resource hierarchy (under an organization or, as in this lab, a project), and they are governed by IAM: IAM permissions specify which principals can create and assign values for a Tag key and which principals can attach Tags to resources. Once a Tag has been attached to a resource, network firewall policy rules can use it to allow or deny traffic.

Tags adhere to Google Cloud's inheritance resource model, meaning tags and their values are passed down across the hierarchy from their parents. As a result, tags may be created in one place and then used by other folders and projects throughout the resource hierarchy. Visit Tags and conditional access for further details on tags and access restriction.

Tags differ from network tags. Network tags are plain strings, not key-value pairs. VPC firewall rules may use network tags, but because network tags are not Google Cloud resources they are not subject to IAM access control: any principal with permission to modify a VM's network tags can change which firewall rules apply to that VM.

Prerequisites

Although not required, to understand how to create a network and apply firewall rules, take the Create a Custom Network and Apply Firewall Rules lab. For this lab it is presumed that you understand these concepts.

What you'll learn

  • Identify existing VPC firewall rules in a Google Cloud project
  • Migrate VPC firewall rules to a global network firewall policy
  • Test and verify the migration worked by checking logs

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources are made available to you.

This hands-on lab lets you do the lab activities in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito (recommended) or private browser window to run this lab. This prevents conflicts between your personal account and the student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab—remember, once you start, you cannot pause a lab.
Note: Use only the student account for this lab. If you use a different Google Cloud account, you may incur charges to that account.

How to start your lab and sign in to the Google Cloud console

  1. Click the Start Lab button. If you need to pay for the lab, a dialog opens for you to select your payment method. On the left is the Lab Details pane with the following:

    • The Open Google Cloud console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).

    The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username below and paste it into the Sign in dialog.

    {{{user_0.username | "Username"}}}

    You can also find the Username in the Lab Details pane.

  4. Click Next.

  5. Copy the Password below and paste it into the Welcome dialog.

    {{{user_0.password | "Password"}}}

    You can also find the Password in the Lab Details pane.

  6. Click Next.

    Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  7. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Google Cloud console opens in this tab.

Note: To access Google Cloud products and services, click the Navigation menu or type the service or product name in the Search field.

Activate Cloud Shell

Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.

  1. Click Activate Cloud Shell at the top of the Google Cloud console.

  2. Click through the following windows:

    • Continue through the Cloud Shell information window.
    • Authorize Cloud Shell to use your credentials to make Google Cloud API calls.

When you are connected, you are already authenticated, and the project is set to your Project ID. The output contains a line that declares the Project ID for this session:

Your Cloud Platform project in this session is set to {{{project_0.project_id | "PROJECT_ID"}}}

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

  1. (Optional) You can list the active account name with this command:

gcloud auth list

  2. Click Authorize.

Output:

ACTIVE: *
ACCOUNT: {{{user_0.username | "ACCOUNT"}}}

To set the active account, run:
    $ gcloud config set account `ACCOUNT`

  3. (Optional) You can list the project ID with this command:

gcloud config list project

Output:

[core]
project = {{{project_0.project_id | "PROJECT_ID"}}}

Note: For full documentation of gcloud, in Google Cloud, refer to the gcloud CLI overview guide.

Set your region and zone

Certain Compute Engine resources live in regions and zones. A region is a specific geographical location where you can run your resources. Each region has one or more zones.

  1. Run the following gcloud commands in Cloud Shell to set the default region for your lab:

gcloud config set compute/region "{{{project_0.default_region | Region}}}"
export REGION=$(gcloud config get compute/region)

  2. Run the following gcloud commands in Cloud Shell to set the default zone for your lab:

gcloud config set compute/zone "{{{project_0.default_zone | Zone}}}"
export ZONE=$(gcloud config get compute/zone)

You may get a warning when setting the region and zone. This can be ignored.

  3. Set your Project ID as an environment variable:

export PROJECT_ID=$(gcloud config get-value project)

  4. List the networks in your project:

gcloud compute networks list

Identify the number of existing VPC firewall rules in your network

  1. In the console, from the Navigation menu, select VPC Network and review the networks available for this lab.

  2. Open each network and note the firewall rules.

  3. Make a note of the priorities associated with each VPC firewall rule.

  4. You can see the network tags that your firewall rules use in the console. Go to VPC networks, then click external-network. Click the Firewalls tab, then expand vpc-firewall-rules to see the firewall rules and their network tags. You may need to expand each row by clicking the arrow on the right side of the row.

  5. In Cloud Shell, run the following command to list the firewall rules for external-network:

gcloud compute firewall-rules list --filter=network:external-network

Task 1. Create a global firewall rule

Global network firewall policy rules must be created in a global network firewall policy. The rules are not active until you associate the policy that contains those rules with a VPC network.

Each global network firewall policy rule can include either IPv4 or IPv6 ranges, but not both.

  1. Before migrating, create the VPC firewall rules that use network tags. The following commands create two VPC firewall rules in external-network that target VMs by the network tags ssh and web; these are the rules you migrate to a global network firewall policy in the following tasks:

gcloud compute firewall-rules create allow-ssh \
    --direction=INGRESS \
    --action=ALLOW \
    --rules=tcp:22 \
    --source-ranges=10.1.0.0/24,10.2.0.0/24 \
    --description "allow-ssh" \
    --network=external-network \
    --target-tags=ssh

gcloud compute firewall-rules create allow-web \
    --allow tcp:80,tcp:443 \
    --description "allow-web" \
    --source-ranges 10.0.0.0/16 \
    --network=external-network \
    --target-tags=web

Note: Since Cloud Next Generation Firewall has an implied deny ingress rule, you need to define explicitly what is allowed.

  2. [Optional] For this lab the correct permissions are already granted. In the console, from the Navigation menu, select IAM & Admin to see the permissions given to you for this lab. The roles you have are:

    • compute.networkAdmin
    • compute.networkViewer
    • compute.securityAdmin
    • compute.viewer
    • resourcemanager.tagAdmin
    • resourcemanager.tagViewer
    • resourcemanager.tagUser

Click Check my progress to verify the objective. Create global firewall rules.

Task 2. Save details of existing network tags

Next, you create a JSON file that saves the details of the existing network tags.

To export the network tags in your network to a mapping JSON file, use the compute firewall-rules migrate command with the --export-tag-mapping flag.

Replace the following:

NETWORK_NAME: the name of your VPC network containing the VPC firewall rules that you want to migrate. For this lab use external-network.

TAG_MAPPING_FILE: create a name for the JSON mapping file.

gcloud beta compute firewall-rules migrate \
    --source-network=NETWORK_NAME \
    --export-tag-mapping \
    --tag-mapping-file=TAG_MAPPING_FILE

Output:

Looking for VPC Firewalls and Network Firewall Policies associated with VPC Network 'external-network'.
Found 0 Network Firewall Policies associated with the VPC Network 'external-network'.
Found 1 VPC Firewalls associated with the VPC Network 'external-network'.
8 pattern(s) used to filter VPC Firewalls out:
gke-(.+)-ipv6-all
gke-(.+)-(.+)-((master)|(vms)|(all)|(inkubelet)|(exkubelet)|(mcsd))
k8s-fw-(l7-)?(.+)
k8s-(.+)-((node)|(http)|(node-http))-hc
(.+)-hc
k8s2-(.+)-(.+)-(.+)-(.+)(-fw)?
k8s2-(.+)-l4-shared-hc-fw
gke((gw)|(mcg))1-l7-(.+)-(.+)

The listed patterns are names of VPC firewall rules that the tool skips by default (rules managed by GKE and Kubernetes). Check that none of the rules you intend to migrate match one of them.

Task 3. Create secure Tags

Based on the network tags listed in the mapping file, create the corresponding secure Tags in your network.

The new secure Tags serve as a replacement to the network tags and preserve the original network configuration after migration.

  • TAG_KEY defines what kind of information you're tagging.
  • TAG_VALUE defines the specific information you're assigning.

Together, they form a key-value pair that provides a flexible and powerful way to manage your Google Cloud resource.

  1. First, create the TAG_KEY.

Replace the following:

  • TAG_KEY: the name of the Tag key; it defines the category or classification of a Tag. For this lab use vpc-tags.
  • PROJECT_ID: already defined as an environment variable for this lab.
  • NETWORK_NAME: the name of your VPC network. Use external-network.
  • TAG_VALUE: the specific attribute of a TAG_KEY. For this lab use ssh, external and web.

gcloud resource-manager tags keys create TAG_KEY \
    --parent projects/$PROJECT_ID \
    --purpose GCE_FIREWALL \
    --purpose-data network=$PROJECT_ID/NETWORK_NAME

  2. Next, create three TAG_VALUEs, one for each network tag used by the firewall rules:

gcloud resource-manager tags values create TAG_VALUE \
    --parent=$PROJECT_ID/TAG_KEY
gcloud resource-manager tags values create TAG_VALUE \
    --parent=$PROJECT_ID/TAG_KEY
gcloud resource-manager tags values create TAG_VALUE \
    --parent=$PROJECT_ID/TAG_KEY

Note: When you create secure Tag keys, the value of the --purpose flag must be set to GCE_FIREWALL. Each such Tag key has a single target VPC network, and its Tags can only be attached to network interfaces in that VPC network.

Click Check my progress to verify the objective. Create secure Tags.

Task 4. Map network tags and service accounts to Tags

After creating IAM-governed secure Tags for each network tag used by your VPC firewall rules, map the Tags to the corresponding network tags in the mapping JSON file.

  • Edit the JSON file to map each network tag to the corresponding secure Tag value. You can use the Cloud Shell Editor or an editor of your choice; the file uses the following format:

{
  "external": "tagValues/NUMERIC_ID_OF_THE_external_TAG_VALUE",
  "ssh": "tagValues/NUMERIC_ID_OF_THE_ssh_TAG_VALUE",
  "web": "tagValues/NUMERIC_ID_OF_THE_web_TAG_VALUE"
}

The output of each gcloud resource-manager tags values create command in the previous task shows the numeric ID of the TAG_VALUE it created (the name field, in the form tagValues/NUMERIC_ID).
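To fill in the mapping file without copying numeric IDs by hand, here is an added Python example; it is not part of this lab or of the gcloud tooling. It assumes that the exported mapping file lists each network tag as a key with an empty string as its value, and that you saved the output of gcloud resource-manager tags values list --parent=$PROJECT_ID/vpc-tags --format=json to a file. The two samples embedded below are constructed, with made-up numeric IDs. Entries you have already filled in by hand (for example a service account mapped to a Tag value with a different short name) are kept, and any network tag with no matching Tag value makes the script fail instead of writing a half-filled file.

```python
"""Fill in the tag-mapping JSON exported by
`gcloud beta compute firewall-rules migrate --export-tag-mapping`.

Added example for this lab; not part of the lab or of gcloud. Assumptions:
  * the exported mapping lists each network tag as a key with "" as its value
    (entries already filled in by hand are kept as they are);
  * TAG_VALUES_JSON is the output of
      gcloud resource-manager tags values list --parent=PROJECT_ID/TAG_KEY --format=json
    saved to a file; only the "name" and "shortName" fields are used.
Both samples below are constructed, with made-up numeric IDs.
"""
import json
import re
import sys

# Constructed sample: the mapping file as exported, before editing.
EXPORTED_MAPPING = {"external": "", "ssh": "", "web": ""}

# Constructed sample of `tags values list --format=json` for the key vpc-tags.
TAG_VALUES_JSON = json.loads("""
[
  {"name": "tagValues/281474976710001", "shortName": "ssh",
   "namespacedName": "my-project/vpc-tags/ssh"},
  {"name": "tagValues/281474976710002", "shortName": "web",
   "namespacedName": "my-project/vpc-tags/web"},
  {"name": "tagValues/281474976710003", "shortName": "external",
   "namespacedName": "my-project/vpc-tags/external"}
]
""")

# Firewall policy rules reference Tag values by resource name: tagValues/<id>.
TAG_VALUE_NAME = re.compile(r"^tagValues/\d+$")


def index_by_short_name(tag_values):
    """Return {shortName: resource name}, rejecting malformed resource names."""
    index = {}
    for value in tag_values:
        name = value["name"]
        if not TAG_VALUE_NAME.match(name):
            raise ValueError(f"unexpected Tag value resource name: {name}")
        index[value["shortName"]] = name
    return index


def unmapped_tags(mapping, tag_values):
    """Keys in the mapping that are still empty and have no Tag value whose
    short name equals the key (network tags, or service accounts you have not
    mapped by hand)."""
    index = index_by_short_name(tag_values)
    return sorted(k for k, v in mapping.items() if not v and k not in index)


def fill_tag_mapping(mapping, tag_values):
    """Return a new mapping with every empty entry pointing at the Tag value
    whose short name equals the network tag. Fails loudly if any entry cannot
    be resolved: a rule whose target tag is left unmapped would not be carried
    over faithfully, so do not write a half-filled file."""
    missing = unmapped_tags(mapping, tag_values)
    if missing:
        raise ValueError("no secure Tag value for: " + ", ".join(missing))
    index = index_by_short_name(tag_values)
    filled = {}
    for key, current in mapping.items():
        if current:
            if not TAG_VALUE_NAME.match(current):
                raise ValueError(f"{key!r} is mapped to a malformed value: {current}")
            filled[key] = current          # keep hand-edited entries
        else:
            filled[key] = index[key]
    return filled


if __name__ == "__main__":
    # Usage: python fill_mapping.py mapping.json tag-values.json > mapping.filled.json
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fh:
            mapping = json.load(fh)
        with open(sys.argv[2]) as fh:
            values = json.load(fh)
    else:
        mapping, values = EXPORTED_MAPPING, TAG_VALUES_JSON
    json.dump(fill_tag_mapping(mapping, values), sys.stdout, indent=2, sort_keys=True)
    print()
```

Run it with the exported mapping and the saved tags values list output, redirect the result to a new file, and use that file as TAG_MAPPING_FILE in the following tasks; if it fails, create the missing Tag value first rather than editing the error away.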

Task 5. Bind Tags to VMs

Based on the tag mapping JSON file, bind the newly created secure Tag to the VMs to which the existing network tags are attached:

  • Use the compute firewall-rules migrate command with the --bind-tags-to-instances flag.

Replace the following:

NETWORK_NAME: the name of your VPC network.

TAG_MAPPING_FILE: the name of the mapping JSON file.

gcloud beta compute firewall-rules migrate \
    --source-network=NETWORK_NAME \
    --bind-tags-to-instances \
    --tag-mapping-file=TAG_MAPPING_FILE

Note: The --bind-tags-to-instances flag binds the secure Tags only to running VMs. In addition, if VMs in your network are created from instance templates, or if the VMs are part of a Google Kubernetes Engine (GKE) cluster, you must bind the secure Tags manually.

Click Check my progress to verify the objective. Bind Tags to VMs.

Task 6. Migrate the VPC firewall rules to a global network firewall

  • Migrate your VPC firewall rules to a global network firewall policy - use the gcloud beta compute firewall-rules migrate command.

Replace the following:

NETWORK_NAME: the name of your VPC network containing the firewall rules that you want to migrate. Replace this with external-network.

TAG_MAPPING_FILE: the name of the mapping JSON file you edited in Task 4.

POLICY_NAME: the name of the global network firewall policy to create during migration.

gcloud beta compute firewall-rules migrate \
    --source-network=NETWORK_NAME \
    --tag-mapping-file=TAG_MAPPING_FILE \
    --target-firewall-policy=POLICY_NAME

Note: Specific firewall rules can be excluded from migration with the --exclusion-patterns-file flag, but that is not covered in this lab.

Click Check my progress to verify the objective. Migrate the VPC firewall rules to a global network firewall.

Task 7. Review VM tags

Before you associate the newly created global network firewall policy with a VPC network, review the policy to ensure that the migration completed accurately.

Also verify that the secure Tags are attached to the correct VMs; the gcloud resource-manager tags bindings list command lists the Tags bound to a resource.

  1. In the console, navigate to VPC network > Firewall.
  2. Scroll down to the Network firewall policies section to review the policy.
  3. Click the name of the firewall policy that you created.
  4. Expand the row of each firewall rule so you can see its Target tags, and confirm that they are correct.

Task 8. Associate the global network firewall policy with your network

The migration tool creates the global network firewall policy based on the existing VPC firewall rules. You must manually associate the policy with the required VPC network to activate the policy rules for the VMs in that network. From the command line, the association is created with the gcloud compute network-firewall-policies associations create command; in this lab you use the console:

  • While still on the firewall policy's details page, click the Associations tab.
  • Click Add associations.
  • Check the box next to external-network, then click Associate.

After it's associated, the policy's rules become active for VMs in the associated network.

Click Check my progress to verify the objective. Associate the global network firewall policy with your network.

Task 9. Change the policy and rule evaluation order

By default, Cloud Next Generation Firewall evaluates the VPC firewall rules before it evaluates a global network firewall policy. To make sure that global network firewall policies take precedence over VPC firewall rules, use the compute networks update command to change the rule evaluation order.

  1. Change the enforcement order. Replace NETWORK_NAME with the name of your VPC network:

gcloud compute networks update NETWORK_NAME \
    --network-firewall-policy-enforcement-order=BEFORE_CLASSIC_FIREWALL

  2. To verify that the global network firewall policy is evaluated before the VPC firewall rules, use the compute networks get-effective-firewalls command:

gcloud compute networks get-effective-firewalls NETWORK_NAME | grep "TYPE:"

In the output of the preceding command, if TYPE: network-firewall-policy is displayed before TYPE: network-firewall, then the global network firewall policy is evaluated first.

Click Check my progress to verify the objective. Change the policy and rule evaluation order.

Task 10. Enable logging of firewall rules

Firewall Rules Logging lets you audit, verify, and analyze the effects of your firewall rules. For example, you can determine if a firewall rule designed to deny traffic is functioning as intended. Firewall Rules Logging is also useful if you need to determine how many connections are affected by a given firewall rule.

The migration tool retains the logging status of the existing VPC firewall rules when it creates the new global network firewall policy. To enable logging for a firewall policy rule, use the compute network-firewall-policies rules update command. Firewall policy rules are identified by their priority, so check the priority of the migrated rule in the policy (Task 7) before running the command; for this lab the rule priority is 1000.

Replace the following:

POLICY_NAME: the name of the global network firewall policy whose rule you want to update.

gcloud compute network-firewall-policies rules update 1000 \
    --firewall-policy=POLICY_NAME \
    --enable-logging \
    --global-firewall-policy

To verify that the firewall policy is attached to the network, return to VPC network in the Cloud console, and click external-network > Firewalls.

Note: You will also see a hierarchical firewall policy, which is applied at the organization level.

Click Check my progress to verify the objective. Enable logging of firewall rules.

Task 11. Test the global network firewall policy

After migration, continued monitoring of rule hit counts in the firewall logs reveals the gradual shift towards the new rules, with the legacy rules eventually receiving zero hits. At that point you can disable the old rules, check for unexpected impact, and then delete the legacy VPC firewall rules.
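For the hit-count monitoring described above, here is an added Python example; it is not from this lab or from Google Cloud tooling. It assumes you exported Firewall Rules Logging entries from Logs Explorer as newline-delimited JSON, one entry per line, each carrying jsonPayload.disposition and jsonPayload.rule_details.reference. The log lines embedded below are constructed; in particular the reference string used for policy rules is an assumption, so compare one real entry for a policy rule against classify_reference before trusting the legacy-versus-policy split.

```python
"""Per-rule hit counts from Firewall Rules Logging, split into legacy VPC
firewall rules and global network firewall policy rules.

Added example for this lab; not part of the lab or of Google Cloud tooling.
Assumptions:
  * entries were exported from Logs Explorer as newline-delimited JSON;
  * each entry has jsonPayload.disposition (ALLOWED/DENIED) and
    jsonPayload.rule_details.reference naming the rule that matched;
  * VPC firewall rule references look like network:NETWORK/firewall:RULE, and
    policy rule references contain "firewall-policy:" (assumed; confirm against
    a real policy-rule entry before relying on the split).
The log lines below are constructed; names and addresses are made up.
"""
import json
import sys
from collections import Counter, defaultdict

SAMPLE_LOG_LINES = """\
{"jsonPayload": {"disposition": "ALLOWED", "rule_details": {"reference": "network:external-network/firewall:allow-ssh", "priority": 1000, "action": "ALLOW"}, "connection": {"src_ip": "10.1.0.5", "dest_ip": "10.0.1.2", "dest_port": 22, "protocol": 6}}}
{"jsonPayload": {"disposition": "ALLOWED", "rule_details": {"reference": "network:external-network/firewall:allow-ssh", "priority": 1000, "action": "ALLOW"}, "connection": {"src_ip": "10.2.0.9", "dest_ip": "10.0.1.2", "dest_port": 22, "protocol": 6}}}
{"jsonPayload": {"disposition": "ALLOWED", "rule_details": {"reference": "network:external-network/firewall:allow-web", "priority": 1000, "action": "ALLOW"}, "connection": {"src_ip": "10.0.3.7", "dest_ip": "10.0.1.2", "dest_port": 443, "protocol": 6}}}
{"jsonPayload": {"disposition": "ALLOWED", "rule_details": {"reference": "network:external-network/firewall-policy:migrated-policy/rule:1000", "priority": 1000, "action": "ALLOW"}, "connection": {"src_ip": "10.1.0.5", "dest_ip": "10.0.1.2", "dest_port": 22, "protocol": 6}}}
{"jsonPayload": {"disposition": "ALLOWED", "rule_details": {"reference": "network:external-network/firewall-policy:migrated-policy/rule:1001", "priority": 1001, "action": "ALLOW"}, "connection": {"src_ip": "10.0.3.7", "dest_ip": "10.0.1.2", "dest_port": 80, "protocol": 6}}}
{"jsonPayload": {"disposition": "DENIED", "rule_details": {"reference": "network:external-network/firewall-policy:migrated-policy/rule:2147483647", "priority": 2147483647, "action": "DENY"}, "connection": {"src_ip": "203.0.113.10", "dest_ip": "10.0.1.2", "dest_port": 22, "protocol": 6}}}
{"jsonPayload": {"disposition": "ALLOWED", "connection": {"src_ip": "10.9.9.9", "dest_ip": "10.0.1.2", "dest_port": 22, "protocol": 6}}}
"""

NO_RULE = "<no rule_details>"   # entries that carry no rule reference


def parse_entries(text):
    """One JSON object per non-blank line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_reference(reference):
    """'policy' for firewall policy rules, 'vpc' for legacy VPC firewall
    rules, 'other' for anything else (for example a missing reference)."""
    if "firewall-policy:" in reference:
        return "policy"
    if "/firewall:" in reference:
        return "vpc"
    return "other"


def hits_by_rule(entries):
    """Map rule reference -> Counter of dispositions ({'ALLOWED': n, 'DENIED': m})."""
    hits = defaultdict(Counter)
    for entry in entries:
        payload = entry.get("jsonPayload", {})
        reference = payload.get("rule_details", {}).get("reference") or NO_RULE
        hits[reference][payload.get("disposition", "UNKNOWN")] += 1
    return dict(hits)


def summarize(entries):
    """Total hits per rule class: {'vpc': ..., 'policy': ..., 'other': ...}."""
    totals = Counter()
    for reference, dispositions in hits_by_rule(entries).items():
        totals[classify_reference(reference)] += sum(dispositions.values())
    return dict(totals)


def legacy_rules_still_hit(entries):
    """VPC firewall rules that still match traffic. Once this list stays empty
    over a representative window, the legacy rules can be disabled (Task 12)."""
    return sorted(ref for ref, d in hits_by_rule(entries).items()
                  if classify_reference(ref) == "vpc" and sum(d.values()) > 0)


if __name__ == "__main__":
    # Usage: python fw_hits.py exported-logs.json   (no argument: use the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG_LINES
    entries = parse_entries(text)
    for reference, dispositions in sorted(hits_by_rule(entries).items()):
        print(f"{classify_reference(reference):7} {sum(dispositions.values()):4} "
              f"{reference} {dict(dispositions)}")
    print("totals:", summarize(entries))
    print("legacy rules still hit:", legacy_rules_still_hit(entries) or "none")
```

Entries without rule_details are counted under a separate bucket rather than dropped, so a sudden rise there is visible; run the script over successive export windows and only disable a legacy rule once it has stopped appearing in legacy_rules_still_hit.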

Now test your network-level access: if you are on one of the "approved" source ranges, you are allowed in; if not, you are blocked.

Send some traffic to the network that has the global firewall rule. You need the external IP address of a VM in your VPC network.

  1. From the Navigation menu click on Compute Engine > VM Instances.
  2. Copy the External IP of the external-server.
  3. Ping the external IP to send some traffic, replacing EXTERNAL_IP with the address you copied:

ping -c 20 EXTERNAL_IP

Now move to Logs Explorer to see the results.

Check the logs

In the console, go to the Logs Explorer page.

  1. In the Google Cloud search bar, search for "logging", then right-click Logs Explorer to open it in a new tab.
  2. Click All resources > Subnetwork, and then click Apply.
  3. Scan through the results and look for the firewall rule names in the log entries. You'll notice that the rule reference changes from the VPC firewall rule to the global network firewall policy rule. Your results should look similar to this:

OPTIONAL - Check connectivity

For this test you'll use the Network Intelligence Center.

  1. In the Google Cloud search bar, search for "connectivity", then select Connectivity Test from the results.
  2. Enable the Network Management API.
  3. You need to get the external IP address of VMs that are in your VPC Network. From the Navigation menu right click on Compute Engine to open a new window, then click on VM Instances.
  4. Copy the External IP of the external-server.
  5. On the Create Connectivity Test screen, click on Create connectivity test.
  6. Name the test, then paste the IP address into the Source IP field.
  7. Return to the VM Instances tab, then copy the External IP for the internal-server-1.
  8. On the Create Connectivity Test screen, paste the IP address into the Destination field.
  9. Click Create.

You'll see that the test is unsuccessful: no firewall policy rule allows TCP traffic to internal-server-1.

Now repeat the test with the direction switched: use the internal-server-1 IP as the Source IP and the external-server IP as the Destination.

Click Check my progress to verify the objective. Test the global network firewall policy.

Task 12. Delete the VPC firewall rules from the network

It is recommended that you disable the VPC firewall rules first, before deleting them entirely. You can then revert to those rules if the global network firewall policy created by the migration tool does not provide the expected results. For this lab, move directly to removing the VPC firewall rules now that they are migrated to the global firewall policy.

Be sure to use the individual firewall rule names (allow-ssh and allow-web).

  1. To disable a VPC firewall rule, use the compute firewall-rules update command. Replace RULE_NAME with the name of the VPC firewall rule to be disabled:

gcloud compute firewall-rules update RULE_NAME --disabled

  2. To delete a VPC firewall rule, use the compute firewall-rules delete command:

gcloud compute firewall-rules delete RULE_NAME

Optional: Delete firewall rules in the console.

  1. Return to the Console and go to VPC Networks.
  2. Click on the external-network, then click on the Firewalls tab.
  3. Expand the VPC Network Rules toggle.
  4. Select the 2 firewall rules then click Delete.

Click Check my progress to verify the objective. Delete the VPC firewall rules from the network.

Congratulations

You have learned how to migrate VPC firewall rules that use network tags to a global network firewall policy, associate the policy with your VPC network, verify that it is working, and remove the legacy VPC firewall rules.

Manual last updated April 03, 2025

Lab last tested April 03, 2025

Copyright 2025 Google LLC. All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
