Mastering GCP Next-Gen Firewall: A Deep Dive into Cloud NGFW and Firewall Policies


Overview: Google Cloud Next-Gen Firewall
Google Cloud Next-Gen Firewall (Cloud NGFW) is a fully managed, distributed firewall service that provides network- and application-level security for workloads in Google Cloud Platform (GCP). Unlike traditional firewalls built around static appliances, Cloud NGFW enforces policy inside Google's Andromeda network virtualization stack, at every VM, so it scales with the fleet and introduces no inspection bottleneck.
Key Features:
Layer 3/4 and Layer 7 protection: supports classic IP, protocol and port rules as well as application-layer (L7) inspection.
Fully managed by Google: no firewall appliances to deploy or patch. For L7 inspection, Google deploys, scales and updates the firewall endpoints.
Distributed architecture: enforcement happens at the VM's virtual NIC, close to the workload, which keeps latency low and removes the single chokepoint of an appliance.
Deep packet inspection (DPI): the Enterprise tier adds TLS interception and intrusion prevention to detect malware, exploit attempts and command-and-control (C2) traffic.
Threat intelligence integration: rules can reference Google Threat Intelligence lists to block traffic from known malicious IPs and Tor exit nodes (or, for example, to allow traffic from known search-engine crawlers).
IAM-integrated policies: identity-based segmentation using Tags (secure tags), whose values are governed by IAM.
Tiers of Service:
Essentials Tier
Firewall rules on IP ranges, protocols and ports, Tags, service accounts and address groups.
Hierarchical, global and regional network firewall policies.
Standard Tier
Adds fully qualified domain name (FQDN) objects and geolocation (region code) objects in rules.
Adds Google Threat Intelligence lists.
Enterprise Tier
Adds Layer 7 inspection through firewall endpoints: TLS interception and decryption, intrusion detection and prevention.
The threat-prevention engine is provided by Palo Alto Networks.
Why Use Cloud NGFW?
No chokepoints: there is no single inspection point and therefore no single point of failure.
Scalable by design: capacity grows with the infrastructure; there is nothing to resize.
Policy consistency: rules are managed centrally and applied to the organization, to folders, or to individual networks.
Simplified operations: administrators manage security policies, not firewall systems.
Use Cases:
Microsegmentation of workloads in multi-VPC environments.
Zero Trust implementation using identity (service account) and Tag-based rules.
Layer 7 protection for web apps, APIs and services.
Regulatory compliance requiring TLS inspection (PCI DSS, HIPAA, etc.).
Step-by-Step: Configure a Global Network Firewall Policy for Ingress
Step 1: Enable Required APIs
Make sure the Compute Engine API is enabled in the project:
```bash
gcloud services enable compute.googleapis.com
```
Step 2: Create a Global Network Firewall Policy
```bash
gcloud compute network-firewall-policies create my-global-policy \
    --global \
    --description="Global policy to allow ingress traffic"
```
Step 3: Add an Ingress Rule to Allow Traffic
For example, allow HTTP (TCP port 80) from any source. The rule priority is the positional argument (rules create has no --priority flag), the protocol and port list is passed with --layer4-configs, and --global-firewall-policy tells gcloud that the policy is global rather than regional:
```bash
gcloud compute network-firewall-policies rules create 1000 \
    --firewall-policy=my-global-policy \
    --global-firewall-policy \
    --direction=INGRESS \
    --action=allow \
    --layer4-configs=tcp:80 \
    --src-ip-ranges=0.0.0.0/0 \
    --enable-logging \
    --description="Allow ingress HTTP traffic"
```
Rule Parameters:
PRIORITY (positional): lower numbers take precedence; each priority must be unique within a policy.
--src-ip-ranges: source CIDR ranges. 0.0.0.0/0 matches every IPv4 source; a rule this wide should be narrowed to the ranges that actually need access once you are past testing.
--layer4-configs: protocol with an optional port or port range, for example tcp:80, tcp:8000-8080, udp, or all.
--enable-logging: records matches in Cloud Logging; without it you have no visibility into what the rule let through.
Step 4: Attach the Global Policy to a VPC Network
The policy has no effect until it is associated with a VPC network. The association name is given with --name, and the policy scope with --global-firewall-policy:
```bash
gcloud compute network-firewall-policies associations create \
    --firewall-policy=my-global-policy \
    --global-firewall-policy \
    --network=VPC_NAME \
    --name=global-fw-association
```
Replace VPC_NAME with the target VPC network name, and run the command with --project=PROJECT_ID (or set the project in your gcloud configuration).
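Putting the four steps together, the following script is an added example, not code from the original post. It tightens the page's allow-from-anywhere rule into a realistic baseline: SSH only through IAP TCP forwarding, HTTPS only from a corporate range, a logged catch-all ingress deny, and an egress rule restricted to VMs carrying a Tag (the tag-targeted rule described later under Firewall Policy Rule Components), followed by the association and a verification step. PROJECT_ID, VPC_NAME, the corporate range, the policy name and the Tag value ID are assumed placeholders; 203.0.113.0/24 is a documentation range, not a real office. Setting GCLOUD=echo prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): global network firewall policy baseline.
# Placeholders below are assumptions; 203.0.113.0/24 is a documentation range.
# Run with "apply" to execute; set GCLOUD=echo to print the commands instead.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
VPC_NAME="${VPC_NAME:-my-vpc}"
POLICY="${POLICY:-my-global-policy}"
CORP_RANGE="${CORP_RANGE:-203.0.113.0/24}"
WEB_TAG_VALUE="${WEB_TAG_VALUE:-tagValues/123456789012345}"   # Tag value ID of the "web" Tag (assumed)
IAP_RANGE="35.235.240.0/20"                                    # Identity-Aware Proxy TCP forwarding source range
GCLOUD="${GCLOUD:-gcloud}"

# Every rule shares the same policy selector, logging and scope flags, so build them once.
rule() {  # rule PRIORITY DIRECTION ACTION DESCRIPTION [match/target flags...]
  prio="$1"; dir="$2"; act="$3"; desc="$4"; shift 4
  "$GCLOUD" compute network-firewall-policies rules create "$prio" \
    --project="$PROJECT_ID" --firewall-policy="$POLICY" --global-firewall-policy \
    --direction="$dir" --action="$act" --enable-logging --description="$desc" "$@"
}

create_policy() {
  "$GCLOUD" compute network-firewall-policies create "$POLICY" --global \
    --project="$PROJECT_ID" --description="Baseline for $VPC_NAME"
}

add_rules() {
  # Ingress: SSH only via IAP, HTTPS only from the corporate range, then a logged catch-all deny.
  rule 900  INGRESS allow "SSH via IAP TCP forwarding" --layer4-configs=tcp:22  --src-ip-ranges="$IAP_RANGE"
  rule 1000 INGRESS allow "HTTPS from corporate range" --layer4-configs=tcp:443 --src-ip-ranges="$CORP_RANGE"
  rule 2000 INGRESS deny  "Log everything else"        --layer4-configs=all     --src-ip-ranges=0.0.0.0/0
  # Egress: only VMs carrying the web Tag may reach the internet, and only on 443.
  rule 1100 EGRESS  allow "HTTPS out for web tier"     --layer4-configs=tcp:443 --dest-ip-ranges=0.0.0.0/0 \
                                                       --target-secure-tags="$WEB_TAG_VALUE"
  rule 3000 EGRESS  deny  "Default-deny egress"        --layer4-configs=all     --dest-ip-ranges=0.0.0.0/0
}

associate() {  # nothing is enforced until the policy is attached to the VPC
  "$GCLOUD" compute network-firewall-policies associations create \
    --project="$PROJECT_ID" --firewall-policy="$POLICY" --global-firewall-policy \
    --network="$VPC_NAME" --name="${POLICY}-${VPC_NAME}"
}

verify() {  # confirm the rules and the association landed as intended
  "$GCLOUD" compute network-firewall-policies describe "$POLICY" --global \
    --project="$PROJECT_ID" --format="yaml(rules,associations)"
}

if [ "${1:-}" = "apply" ]; then
  create_policy && add_rules && associate && verify
fi
```

Two caveats before applying this as-is. The catch-all ingress deny also drops Google Cloud health-check probes (35.191.0.0/16 and 130.211.0.0/22) unless allows for them sit above it, and the default-deny egress cuts off Google APIs unless the Private Google Access range (199.36.153.8/30 for private.googleapis.com) is allowed, so add rules for the services you actually use. And with the default enforcement order a legacy VPC firewall rule is consulted before this policy, so a stray allow-all VPC rule still wins until you switch the network to BEFORE_CLASSIC_FIREWALL or delete it.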
Step-by-Step: Allow Egress Traffic Using a Hierarchical Firewall Policy
Step 1: Set Required Variables
Replace these placeholders with actual values:
```bash
ORG_ID="your-org-id"        # e.g., 123456789012
FOLDER_ID="your-folder-id"  # Optional
POLICY_NAME="egress-policy"
VPC_NETWORK="your-vpc-name"
PROJECT_ID="your-project-id"
```
Step 2: Create a Hierarchical Firewall Policy
Hierarchical policies are named with --short-name (the name is not a positional argument) and created under either the organization or a folder. At the organization level:
```bash
gcloud compute org-firewall-policies create \
    --short-name=$POLICY_NAME \
    --organization=$ORG_ID \
    --description="Allow egress traffic from specific VPC"
```
Or at the folder level:
```bash
gcloud compute org-firewall-policies create \
    --short-name=$POLICY_NAME \
    --folder=$FOLDER_ID \
    --description="Allow egress traffic from specific VPC"
```
Step 3: Add an Egress Allow Rule
For example, to allow all egress traffic from one VPC. Because the policy is referenced by its short name, --organization is required to resolve it; destination ranges are given with --dest-ip-ranges and protocols with --layer4-configs:
```bash
gcloud compute org-firewall-policies rules create 1000 \
    --firewall-policy=$POLICY_NAME \
    --organization=$ORG_ID \
    --direction=EGRESS \
    --action=allow \
    --layer4-configs=all \
    --dest-ip-ranges=0.0.0.0/0 \
    --target-resources="projects/$PROJECT_ID/global/networks/$VPC_NETWORK" \
    --description="Allow all egress from specific VPC"
```
Key flags:
--direction=EGRESS: this is an egress rule.
--layer4-configs=all: matches all protocols and ports (use tcp:443 or similar to narrow it).
--dest-ip-ranges: 0.0.0.0/0 matches every IPv4 destination.
--target-resources: restricts the rule to the listed VPC networks; without it a hierarchical rule applies to every VPC under the resource the policy is associated with.
Step 4: Verify the Rule and Policy
List the rules in the policy:
```bash
gcloud compute org-firewall-policies list-rules $POLICY_NAME --organization=$ORG_ID
```
List the policies in the organization:
```bash
gcloud compute org-firewall-policies list --organization=$ORG_ID
```
Result
This configuration allows all outbound traffic from the specified VPC network through a centrally managed hierarchical firewall policy, giving consistent controls across projects while leaving project-level flexibility. Two things to keep in mind: the rule is a no-op until the policy is associated with the organization or a folder above the project (associations create), and because a hierarchical allow is final, this rule also pre-empts any egress deny that a folder- or project-level policy might add for that VPC. If the intent is to let lower levels decide, use --action=goto_next instead of allow.
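The following script is an added example, not code from the original post, and it goes beyond the allow-all egress rule above: it builds an organization-level hierarchical policy that denies SSH from the internet for every VPC under the organization, hands SSH from a bastion range down to lower-level policies with goto_next, performs the association step the procedure above omits (without it nothing is enforced), and verifies the result. ORG_ID, the policy name and BASTION_RANGE are assumed placeholders; 203.0.113.0/24 is a documentation range. Setting GCLOUD=echo prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): org-level hierarchical policy for SSH.
# ORG_ID, POLICY and BASTION_RANGE are assumed placeholders (203.0.113.0/24 is a documentation range).
# Run with "apply" to execute; set GCLOUD=echo to print the commands instead.
set -eu

ORG_ID="${ORG_ID:-123456789012}"
POLICY="${POLICY:-org-ssh-baseline}"
BASTION_RANGE="${BASTION_RANGE:-203.0.113.0/24}"
GCLOUD="${GCLOUD:-gcloud}"

create_policy() {  # hierarchical policies take --short-name, not a positional name
  "$GCLOUD" compute org-firewall-policies create --short-name="$POLICY" \
    --organization="$ORG_ID" --description="SSH reachable only through the bastion range"
}

rule() {  # rule PRIORITY ACTION DESCRIPTION [match flags...]; --organization resolves the short name
  prio="$1"; act="$2"; desc="$3"; shift 3
  "$GCLOUD" compute org-firewall-policies rules create "$prio" \
    --firewall-policy="$POLICY" --organization="$ORG_ID" \
    --direction=INGRESS --action="$act" --layer4-configs=tcp:22 \
    --enable-logging --description="$desc" "$@"
}

add_rules() {
  # No --target-resources: the rules cover every VPC under the association target.
  # 100 wins over 200 for the bastion range and delegates the decision to folder/project level;
  # every other SSH source is denied here, before any project-level allow rule is consulted.
  rule 100 goto_next "Delegate bastion SSH to lower-level policies" --src-ip-ranges="$BASTION_RANGE"
  rule 200 deny      "Deny SSH from everywhere else"              --src-ip-ranges=0.0.0.0/0
}

associate() {  # attach to the organization; see "associations create --help" for the --folder form
  "$GCLOUD" compute org-firewall-policies associations create \
    --firewall-policy="$POLICY" --organization="$ORG_ID" --name="${POLICY}-org"
}

verify() {  # rules in priority order, then the association that makes them live
  "$GCLOUD" compute org-firewall-policies list-rules "$POLICY" --organization="$ORG_ID"
  "$GCLOUD" compute org-firewall-policies describe "$POLICY" --organization="$ORG_ID" \
    --format="yaml(associations)"
}

if [ "${1:-}" = "apply" ]; then
  create_policy && add_rules && associate && verify
fi
```

The goto_next carve-out is what keeps the policy usable: without it, the org-level deny would be final for the bastion range too, and no folder or project could ever allow SSH. Enable logging on the deny so that blocked attempts are visible in Cloud Logging from day one.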
What Are Firewall Policies in Google Cloud?
Firewall policies are containers that group firewall rules and can be enforced across one or many VPC networks. They support IAM-based access control, priority-based evaluation, and rule actions beyond allow and deny: goto_next for delegating to the next policy level and apply_security_profile_group for Layer 7 inspection.
Types of Firewall Policies:
Hierarchical Firewall Policies
Global Network Firewall Policies
Regional Network Firewall Policies
Hierarchical Firewall Policies
Hierarchical firewall policies let you define organization- or folder-level rules that apply across projects and VPCs, ideal for centrally managed security.
Key Capabilities
Apply policies at the organization or folder level; rules flow down to every project and VPC underneath unless narrowed with --target-resources.
Enforce a global security posture consistently: an allow or deny at this level is final and cannot be overridden by a project.
Use IAM to delegate control at different levels (organization, folder).
Use Case
Allow or block specific traffic (e.g., deny SSH from public IPs) across all production VPCs in multiple projects.
Global Network Firewall Policies
These policies are associated with a VPC network and apply in every region of that VPC.
Key Capabilities
Centrally manage rules for a whole VPC.
Rules apply to all resources across regions.
Rule actions: allow, deny, goto_next, or apply_security_profile_group.
Use Case
Block all inbound traffic except TCP 443 across the entire VPC.
Regional Network Firewall Policies
Regional network firewall policies are scoped to one region of a VPC network and give you per-region control.
Key Capabilities
Apply region-specific security controls.
Useful for multi-region deployments or zonal segmentation.
Use Case
Allow only internal communication in europe-west1, while allowing internet access in us-central1.
Policy and Rule Evaluation Order
A packet is checked against the policy layers in a fixed order. Within each layer the highest-priority (lowest-numbered) matching rule decides: allow, deny and apply_security_profile_group end evaluation, while goto_next (or no matching rule at all) passes the packet to the next layer.
1. Hierarchical firewall policies: the organization's policy first, then the folder chain from the top down (folder, subfolder, ...).
2. VPC firewall rules, when the network's networkFirewallPolicyEnforcementOrder is AFTER_CLASSIC_FIREWALL (the default). VPC firewall rules have no goto_next; if none matches, evaluation simply continues.
3. The global network firewall policy associated with the VPC, if any.
4. The regional network firewall policy associated with the VPC in the VM's region, if any.
5. VPC firewall rules, when the enforcement order is BEFORE_CLASSIC_FIREWALL (they are evaluated here, after the network firewall policies, instead of in step 2).
6. Implied rules, if nothing above matched:
Allow all egress
Deny all ingress
Use the networkFirewallPolicyEnforcementOrder network attribute to choose whether VPC firewall rules are evaluated before or after the network firewall policies. Under the default order a permissive legacy VPC rule (for example an allow-SSH-from-anywhere rule created by a project owner) still pre-empts a deny in your global network firewall policy; only hierarchical policies sit above it.
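To make the order concrete, the following added example (not code from the original post or from Google) models the layers in shell. Rules are one line each; first_match picks the highest-priority hit within a layer, and evaluate walks the layers in the documented order, honouring goto_next and the enforcement-order setting, finishing with the implied rules. The rule set is constructed: an org baseline that denies SSH but delegates a bastion range, a forgotten legacy VPC rule allowing SSH and HTTP from anywhere, and a global network policy meant to block HTTP. Run it with the argument demo to print the verdicts.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Google): a small model of the firewall
# evaluation order. Rules are constructed for illustration; IPv4 only.
set -eu

# Constructed rule set: "LAYER PRIORITY DIRECTION ACTION LAYER4_CONFIG IP_RANGE", one per line.
# Layers: org, folder (hierarchical), vpc (VPC firewall rules), global, regional (network policies).
RULES='
org     100  INGRESS goto_next tcp:22 203.0.113.0/24
org     200  INGRESS deny      tcp:22 0.0.0.0/0
vpc     1000 INGRESS allow     tcp:22 0.0.0.0/0
vpc     1000 INGRESS allow     tcp:80 0.0.0.0/0
global  500  INGRESS deny      tcp:80 0.0.0.0/0
'

ip2int() {  # dotted quad -> integer
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {  # in_cidr IP CIDR
  bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

l4_matches() {  # l4_matches CONFIG PROTO PORT  (CONFIG as in --layer4-configs: all, tcp, tcp:22, tcp:8000-8080)
  [ "$1" = all ] && return 0
  [ "${1%%:*}" = "$2" ] || return 1
  case $1 in *:*) ;; *) return 0 ;; esac      # bare protocol: every port
  [ "$3" != - ] || return 1                   # port list given but packet has no port (e.g. icmp)
  range=${1#*:}
  [ "$3" -ge "${range%-*}" ] && [ "$3" -le "${range#*-}" ]
}

first_match() {  # first_match LAYER DIR IP PROTO PORT; rules on stdin; prints "ACTION PRIORITY" of the winner
  grep "^$1 " | sort -k2,2n -k4,4r | while read -r lyr prio rdir act l4 cidr; do
    [ "$rdir" = "$2" ] || continue
    in_cidr "$3" "$cidr" || continue
    l4_matches "$l4" "$4" "$5" || continue
    echo "$act $prio"; break                  # lowest number wins; deny beats allow on a VPC-rule tie
  done
}

evaluate() {  # evaluate ENFORCEMENT_ORDER DIR IP PROTO PORT -> "ACTION LAYER#PRIORITY" or "ACTION implied"
  case $1 in
    AFTER_CLASSIC_FIREWALL)  layers="org folder vpc global regional" ;;   # default order
    BEFORE_CLASSIC_FIREWALL) layers="org folder global regional vpc" ;;
    *) echo "unknown enforcement order: $1" >&2; return 2 ;;
  esac
  shift
  for layer in $layers; do
    hit=$(printf '%s\n' "$RULES" | first_match "$layer" "$@")
    [ -n "$hit" ] || continue                       # nothing matched in this layer
    [ "${hit%% *}" != goto_next ] || continue       # explicit delegation to the next layer
    echo "${hit%% *} $layer#${hit#* }"; return 0    # allow / deny / inspect ends evaluation
  done
  [ "$1" = EGRESS ] && echo "allow implied" || echo "deny implied"
}

if [ "${1:-}" = demo ]; then
  for order in AFTER_CLASSIC_FIREWALL BEFORE_CLASSIC_FIREWALL; do
    echo "$order:"
    for pkt in "INGRESS 198.51.100.7 tcp 22" "INGRESS 203.0.113.5 tcp 22" "INGRESS 198.51.100.7 tcp 80" \
               "INGRESS 198.51.100.7 tcp 443" "EGRESS 8.8.8.8 tcp 443"; do
      echo "  $pkt -> $(evaluate "$order" $pkt)"
    done
  done
fi
```

Reading the verdicts: SSH from the internet is denied by the org rule at priority 200 regardless of the project's allow rule, because hierarchical policies are consulted first. SSH from the bastion range hits the priority-100 goto_next and falls through to the VPC rule, which allows it. HTTP is allowed under the default order, since the legacy VPC rule pre-empts the global network policy's deny, and denied only after the network is switched to BEFORE_CLASSIC_FIREWALL. Unmatched ingress ends at the implied deny and unmatched egress at the implied allow.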
Example: Allow Egress via Hierarchical Policy
```bash
gcloud compute org-firewall-policies create \
    --short-name=allow-egress \
    --organization=123456789012 \
    --description="Allow egress to internet"

gcloud compute org-firewall-policies rules create 1000 \
    --firewall-policy=allow-egress \
    --organization=123456789012 \
    --direction=EGRESS \
    --action=allow \
    --layer4-configs=all \
    --dest-ip-ranges=0.0.0.0/0 \
    --target-resources="projects/my-project/global/networks/my-vpc"
```
The rule takes effect only after the policy is associated with the organization or with a folder above my-project.
Advanced Actions: Deep Packet Inspection
With the apply_security_profile_group action (Cloud NGFW Enterprise), matching traffic is not simply allowed: it is steered to a firewall endpoint in the VM's zone, where the threat-prevention security profile in the referenced group inspects it at Layer 7, after TLS decryption if a TLS inspection policy is attached to the network. The profile decides whether each session is allowed, alerted on or denied, and the verdicts are logged. The rule's match conditions are the same source/destination, protocol and port fields as for allow and deny, so inspection can be limited to the traffic that warrants it.
Example (the security profile group must already exist, and the VPC must have a firewall endpoint association, before this rule is enforced):
```bash
--action=apply_security_profile_group \
--security-profile-group=//networksecurity.googleapis.com/projects/my-secproj/locations/global/securityProfileGroups/my-profile
```
Best Practices
Use hierarchical policies for broad enforcement (deny risky ports, allow required traffic such as health checks).
Segment policies globally and regionally for flexibility and isolation.
Use goto_next to layer policies (e.g., Org > Folder > Project) rather than a blanket allow, which would pre-empt every lower-level deny.
Enable logging for all critical rules so that matches are auditable in Cloud Logging.
Set IAM roles carefully to restrict who can change policies.
Firewall Policy Rule Components
Each firewall policy rule is defined by:
Direction: INGRESS (incoming) or EGRESS (outgoing).
Action: allow, deny, apply_security_profile_group, or goto_next.
Priority: lower number = higher priority; unique within a policy and passed as the positional argument of rules create.
Match Conditions:
Source IP ranges (ingress) or destination IP ranges (egress), address groups, and, from the Standard tier up, FQDNs, geolocations and threat-intelligence lists.
Protocols and ports (e.g., tcp:443), given with --layer4-configs.
Targets: the VPC networks (--target-resources, hierarchical policies only), service accounts (--target-service-accounts) or Tags (--target-secure-tags) of the VMs the rule applies to.
Example: allow egress TCP traffic to port 443 only for VMs carrying the Tag web. In flag terms that is --direction=EGRESS, --action=allow, --layer4-configs=tcp:443, --dest-ip-ranges=0.0.0.0/0 and --target-secure-tags pointing at the web Tag value.
Evaluation Order: How GCP Processes Rules
Firewall policies follow a strict evaluation order that determines which rule applies:
Hierarchical firewall policies, evaluated top-down (organization, then folders).
VPC firewall rules, unless you change the enforcement order.
Global network firewall policy.
Regional network firewall policy.
Implied rules:
Allow all egress
Deny all ingress
You can control whether network firewall policies are evaluated before or after VPC firewall rules with the network's enforcement-order attribute:
```bash
gcloud compute networks update VPC_NAME \
    --network-firewall-policy-enforcement-order=BEFORE_CLASSIC_FIREWALL
```
Switching to BEFORE_CLASSIC_FIREWALL is the usual step when migrating from VPC firewall rules to network firewall policies: it stops a forgotten legacy allow rule from pre-empting the policy. Check the result with gcloud compute networks describe VPC_NAME, which reports the networkFirewallPolicyEnforcementOrder field.
Example Scenarios
Use Case 1: Allow Ingress HTTP Globally
A global network firewall policy is already scoped to the VPC it is associated with, so there is no --target-resources flag here; the policy is selected with --firewall-policy plus --global-firewall-policy:
```bash
gcloud compute network-firewall-policies rules create 1000 \
    --firewall-policy=global-policy \
    --global-firewall-policy \
    --direction=INGRESS \
    --action=allow \
    --layer4-configs=tcp:80 \
    --src-ip-ranges=0.0.0.0/0 \
    --enable-logging
```
Use Case 2: Deny Egress SSH from a Folder-Level Policy
```bash
gcloud compute org-firewall-policies rules create 900 \
    --firewall-policy=my-folder-policy \
    --organization=123456789012 \
    --direction=EGRESS \
    --action=deny \
    --layer4-configs=tcp:22 \
    --dest-ip-ranges=0.0.0.0/0 \
    --target-resources="projects/my-project/global/networks/my-vpc" \
    --enable-logging
```
Best Practices for Using Firewall Policies
Use hierarchy wisely: place common controls at the organization level; allow flexibility at the project level.
Deny by default: start from a logged deny-all and explicitly allow what is needed, including the Google health-check and IAP ranges where you rely on them.
Use goto_next: chain rules across policy levels for flexible evaluation.
Test before applying: create new rules with --disabled, validate reachability with Connectivity Tests, and roll out to a non-production folder first.
Enable logging: always enable firewall rule logging for visibility and auditing.
Conclusion
GCP's Next-Gen Firewall framework gives you cloud-native security controls that are scalable, centralized, and intelligent. By combining hierarchical, global, and regional policies, enterprises can govern network traffic across complex, multi-project environments while adhering to security best practices.
Written by

Mostafa Elkattan
Multi Cloud & AI Architect with 18+ years of experience in Cloud Solution Architecture (AWS, Google, Azure), DevOps and Disaster Recovery. At the forefront of driving cloud innovation, from architecting scalable infrastructures to optimizing them, providing solutions with a great customer experience.