🔥 Mastering GCP Next-Gen Firewall: A Deep Dive into Cloud NGFW and Firewall Policies

🔍 Overview: Google Cloud Next-Gen Firewall

Google Cloud Next-Gen Firewall (Cloud NGFW) is a fully managed, distributed firewall service designed to provide advanced network and application-level security for workloads in Google Cloud Platform (GCP). Unlike traditional firewalls that rely on static appliances, Cloud NGFW leverages Google’s high-performance Andromeda network virtualization stack to enforce security policies at scale and without bottlenecks.

🔑 Key Features:

• Layer 3/4 & Layer 7 Protection: Supports traditional IP/port rules as well as advanced application-layer (L7) inspection.

• Fully Managed by Google: No need to deploy or manage firewall appliances. Google handles endpoint deployment, scaling, availability, and updates.

• Distributed Architecture: Security enforcement happens close to the workload (VM), minimizing latency and maximizing scalability.

• Deep Packet Inspection (DPI): Enterprise tier includes traffic decryption and inspection to detect malware, exploits, and command-and-control (C2) traffic.

• Threat Intelligence Integration: Blocks traffic from known malicious IPs and TOR exit nodes using Google Threat Intelligence feeds.

• IAM-Integrated Policies: Supports identity-based segmentation using IAM-governed tags.

---

📦 Tiers of Service:

1. Essentials Tier

   • Basic firewall rules using IPs, ports, protocols, tags, and address groups.

   • Hierarchical policy support.

2. Standard Tier

   • Adds support for Fully Qualified Domain Name (FQDN) filtering and geo-based rules.

   • Includes threat intelligence deny lists.

3. Enterprise Tier

   • Enables Layer 7 deep packet inspection (DPI), TLS decryption, and intrusion prevention.

   • Powered by Palo Alto Networks Threat Prevention engine.

---

🎯 Why Use Cloud NGFW?

• No chokepoints: Unlike traditional firewall appliances, there's no single point of inspection or failure.

• Scalable by design: Automatically scales with GCP infrastructure.

• Policy consistency: Centrally manage and apply security rules across the organization, folders, or networks.

• Simplified operations: Infrastructure is abstracted, admins only manage security policies, not systems.

---

💡 Use Cases:

• Microsegmentation of workloads in multi-VPC environments.

• Zero Trust implementation using identity and tag-based rules.

• Layer 7 protection for web apps, APIs, and services.

• Regulatory compliance with TLS inspection (PCI, HIPAA, etc.).

🌐 Step-by-Step: Configure Global Network Firewall Policy for Ingress

🔹 Step 1: Enable Required APIs

Make sure the necessary APIs are enabled:

bashCopyEditgcloud services enable compute.googleapis.com

---

🔹 Step 2: Create a Global Network Firewall Policy

bashCopyEditgcloud compute network-firewall-policies create my-global-policy \
  --global \
  --description="Global policy to allow ingress traffic"

---

🔹 Step 3: Add an Ingress Rule to Allow Traffic

For example, allow HTTP (TCP port 80) from any source:

bashCopyEditgcloud compute network-firewall-policies rules create 1000 \
  --firewall-policy=my-global-policy \
  --global-firewall-policy \
  --direction=INGRESS \
  --action=allow \
  --priority=1000 \
  --rules=tcp:80 \
  --src-ip-ranges=0.0.0.0/0 \
  --description="Allow ingress HTTP traffic"

🔹 Rule Parameters:

• --priority: Lower numbers have higher precedence.

• --src-ip-ranges: Specify source IP ranges (use 0.0.0.0/0 for all).

• --rules: Protocol and port (e.g., tcp:80 for HTTP).

---

🔹 Step 4: Attach the Global Policy to a VPC Network

You must attach the policy to a specific VPC network:

bashCopyEditgcloud compute network-firewall-policies associations create global-fw-association \
  --firewall-policy=my-global-policy \
  --network=projects/PROJECT_ID/global/networks/VPC_NAME \
  --global

Replace:

• PROJECT_ID With your GCP project ID

• VPC_NAME With the target VPC network name

🛠️ Step-by-Step: Allow Egress Traffic Using a Hierarchical Firewall Policy

🔹 Step 1: Set Required Variables

Replace these placeholders with actual values:

bashCopyEditORG_ID="your-org-id"               # e.g., 123456789012
FOLDER_ID="your-folder-id"         # Optional
POLICY_NAME="egress-policy"
VPC_NETWORK="your-vpc-name"
PROJECT_ID="your-project-id"

---

🔹 Step 2: Create a Hierarchical Firewall Policy

At the organization level:

bashCopyEditgcloud compute org-firewall-policies create $POLICY_NAME \
  --organization=$ORG_ID \
  --description="Allow egress traffic from specific VPC"

Or at the folder level:

bashCopyEditgcloud compute org-firewall-policies create $POLICY_NAME \
  --folder=$FOLDER_ID \
  --description="Allow egress traffic from specific VPC"

---

🔹 Step 3: Add an Egress Allow Rule

For example, to allow all egress traffic:

bashCopyEditgcloud compute org-firewall-policies rules create 1000 \
  --firewall-policy=$POLICY_NAME \
  --direction=EGRESS \
  --action=allow \
  --priority=1000 \
  --rules=all \
  --destination-ip-ranges=0.0.0.0/0 \
  --target-resources="projects/$PROJECT_ID/global/networks/$VPC_NETWORK" \
  --description="Allow all egress from specific VPC"

🔎 Key flags:

• --direction=EGRESS: Specifies this is an egress rule.

• --rules=all: Matches all protocols and ports (can be tcp:443, etc.).

• --destination-ip-ranges: Use 0.0.0.0/0 to allow to all IPs.

• --target-resources: The specific VPC network this rule applies to.

---

🔹 Step 4: Verify the Rule and Policy

List all rules:

bashCopyEditgcloud compute org-firewall-policies rules list --firewall-policy=$POLICY_NAME

List the policy:

bashCopyEditgcloud compute org-firewall-policies list --organization=$ORG_ID

---

✅ Result

This configuration allows all outbound traffic from the specified VPC network using a centrally managed hierarchical firewall policy. It helps enforce consistent security controls across multiple projects while maintaining project-level flexibility.

🧱 What Are Firewall Policies in Google Cloud?

Firewall policies are logical containers that group multiple firewall rules and can be enforced across multiple VPC networks. They support IAM-based access control, versioning, priority-based evaluation, and advanced rule actions like traffic inspection.

🔐 Types of Firewall Policies:

• Hierarchical Firewall Policies

• Global Network Firewall Policies

• Regional Network Firewall Policies

---

🏢 Hierarchical Firewall Policies

Hierarchical firewall policies allow you to define organization- or folder-level rules that apply across projects and VPCs—ideal for centrally managed security.

✅ Key Capabilities

• Apply policies at the organization or folder level.

• Enforce global security posture consistently.

• Use IAM to delegate control at different levels (Org, Folder).

🎯 Use Case

Allow or block specific traffic (e.g., deny SSH from public IPs) across all production VPCs in multiple projects.

---

🌐 Global Network Firewall Policies

These policies are defined at the VPC network level and apply to all regions of that VPC.

✅ Key Capabilities

• Centrally manage rules for a global VPC.

• Rules apply to all resources across regions.

• Can include goto_next, allow, deny, or apply_security_profile_group.

🎯 Use Case

Block all inbound traffic except TCP 443 across the entire VPC.

---

📍 Regional Network Firewall Policies

Regional firewall policies are scoped to a specific region in a VPC network. They help apply granular control per region.

✅ Key Capabilities

• Apply region-specific security controls.

• Useful for multi-region deployments or zonal segmentation.

🎯 Use Case

Allow only internal communication in europe-west1, while allowing internet access in us-central1.

---

🔄 Policy and Rule Evaluation Order

Firewall policies are evaluated based on priority and the order of attachment to the resource hierarchy:

1. Hierarchical Firewall Policies

   • Organization > Folder > Subfolder

   • Highest-priority matching rule determines action (allow/deny/inspect/goto_next).

2. VPC Firewall Rules

   • Evaluated next if networkFirewallPolicyEnforcementOrder = AFTER_CLASSIC_FIREWALL (default).

3. Global Network Firewall Policies

   • Apply to the VPC if explicitly associated.

4. Regional Network Firewall Policies

   • Apply only to a specific region.

5. Implied Rules

   • Allow all egress

   • Deny all ingress (unless otherwise specified)

🔄 Use the networkFirewallPolicyEnforcementOrder flag to control if VPC rules are evaluated before or after network firewall policies.

---

🔧 Example: Allow Egress via Hierarchical Policy

bashCopyEditgcloud compute org-firewall-policies create allow-egress \
  --organization=123456789012 \
  --description="Allow egress to internet"

gcloud compute org-firewall-policies rules create 1000 \
  --firewall-policy=allow-egress \
  --direction=EGRESS \
  --action=allow \
  --rules=all \
  --destination-ip-ranges=0.0.0.0/0 \
  --target-resources="projects/my-project/global/networks/my-vpc" \
  --priority=1000

---

🔐 Advanced Actions: Deep Packet Inspection

With the apply_security_profile_group action, you can redirect traffic to Google Cloud Firewall endpoints for Layer 7 inspection, enabling advanced threat detection, logging, and zero-trust segmentation.

🔍 Example:

bashCopyEdit--action=apply_security_profile_group \
--security-profile-group=projects/my-secproj/locations/global/securityProfileGroups/my-profile

---

✅ Best Practices

• Use hierarchical policies for broad enforcement (deny risky ports, allow required traffic).

• Segment policies globally and regionally for flexibility and isolation.

• Use goto_next to layer policies (e.g., Org > Folder > Project).

• Enable logging for all critical rules for auditing.

• Set IAM roles carefully to restrict who can change policies.

📐 Firewall Policy Rule Components

Each firewall policy rule is defined by:

• Direction: INGRESS (incoming) or EGRESS (outgoing).

• Action: allow, deny, apply_security_profile_group, goto_next.

• Priority: Lower number = higher priority.

• Match Conditions:

  • Source or destination IPs

  • Protocols and ports (e.g., tcp:443)

  • Target resources (VMs, service accounts, tags)

✅ Example: Allow egress TCP traffic to port 443 for VMs with the tag web.

---

🔄 Evaluation Order: How GCP Processes Rules

Firewall policies follow a strict evaluation order that determines which rule applies:

1. Hierarchical Firewall Policies – evaluated top-down (org → folder).

2. VPC Firewall Rules – unless you override the order.

3. Global Network Firewall Policies

4. Regional Network Firewall Policies

5. Implied Rules:

   • Allow all egress

   • Deny all ingress

📌 You can control whether network firewall policies are evaluated before or after VPC firewall rules using:

bashCopyEditgcloud compute networks update <NETWORK_NAME> \
  --set-enable-firewall-policy-logging \
  --network-firewall-policy-enforcement-order=BEFORE_CLASSIC_FIREWALL

---

🧪 Example Scenarios

✅ Use Case 1: Allow Ingress HTTP Globally

bashCopyEditgcloud compute network-firewall-policies rules create 1000 \
  --firewall-policy=global-policy \
  --direction=INGRESS \
  --action=allow \
  --priority=1000 \
  --rules=tcp:80 \
  --target-resources="projects/my-project/global/networks/my-vpc"

---

✅ Use Case 2: Deny Egress SSH from Folder-Level Policy

bashCopyEditgcloud compute org-firewall-policies rules create 900 \
  --firewall-policy=my-folder-policy \
  --direction=EGRESS \
  --action=deny \
  --priority=900 \
  --rules=tcp:22 \
  --destination-ip-ranges=0.0.0.0/0 \
  --target-resources="projects/my-project/global/networks/my-vpc"

---

🧠 Best Practices for Using Firewall Policies

• 🧩 Use hierarchy wisely: Place common controls at the org level; allow flexibility at the project level.

• 🛑 Deny by default: Start with deny-all and explicitly allow what’s needed.

• 📈 Use goto_next: Chain rules across policy levels for flexible evaluation.

• 🧪 Test before applying: Use dry-run modes or apply rules in non-prod first.

• 🔍 Enable logging: Always enable firewall rule logging for visibility and auditing.

🎯 Conclusion

GCP's Next-Gen Firewall framework gives you cloud-native security controls that are scalable, centralized, and intelligent. By leveraging hierarchical, global, and regional policies, enterprises can confidently govern network traffic across complex, multi-project environments while adhering to security best practices.