🔥 Mastering GCP Next-Gen Firewall: A Deep Dive into Cloud NGFW and Firewall Policies

🔍 Overview: Google Cloud Next-Gen Firewall

Google Cloud Next-Gen Firewall (Cloud NGFW) is a fully managed, distributed firewall service designed to provide advanced network and application-level security for workloads in Google Cloud Platform (GCP). Unlike traditional firewalls that rely on static appliances, Cloud NGFW leverages Google's high-performance Andromeda network virtualization stack to enforce security policies at scale and without bottlenecks.

🔑 Key Features:

  • Layer 3/4 & Layer 7 Protection: Supports traditional IP/port rules as well as advanced application-layer (L7) inspection.

  • Fully Managed by Google: No need to deploy or manage firewall appliances. Google handles endpoint deployment, scaling, availability, and updates.

  • Distributed Architecture: Security enforcement happens close to the workload (VM), minimizing latency and maximizing scalability.

  • Deep Packet Inspection (DPI): Enterprise tier includes traffic decryption and inspection to detect malware, exploits, and command-and-control (C2) traffic.

  • Threat Intelligence Integration: Blocks traffic from known malicious IPs and Tor exit nodes using Google Threat Intelligence feeds.

  • IAM-Integrated Policies: Supports identity-based segmentation using IAM-governed tags.


📦 Tiers of Service:

  1. Essentials Tier

    • Basic firewall rules using IPs, ports, protocols, tags, and address groups.

    • Hierarchical policy support.

  2. Standard Tier

    • Adds support for Fully Qualified Domain Name (FQDN) filtering and geo-based rules.

    • Includes threat intelligence deny lists.

  3. Enterprise Tier

    • Enables Layer 7 deep packet inspection (DPI), TLS decryption, and intrusion prevention.

    • Powered by Palo Alto Networks Threat Prevention engine.


🎯 Why Use Cloud NGFW?

  • No chokepoints: Unlike traditional firewall appliances, there's no single point of inspection or failure.

  • Scalable by design: Automatically scales with GCP infrastructure.

  • Policy consistency: Centrally manage and apply security rules across the organization, folders, or networks.

  • Simplified operations: The infrastructure is abstracted away; admins manage security policies, not systems.


💡 Use Cases:

  • Microsegmentation of workloads in multi-VPC environments.

  • Zero Trust implementation using identity and tag-based rules.

  • Layer 7 protection for web apps, APIs, and services.

  • Regulatory compliance with TLS inspection (PCI, HIPAA, etc.).

🌐 Step-by-Step: Configure Global Network Firewall Policy for Ingress

🔹 Step 1: Enable Required APIs

Make sure the necessary APIs are enabled:

gcloud services enable compute.googleapis.com

🔹 Step 2: Create a Global Network Firewall Policy

gcloud compute network-firewall-policies create my-global-policy \
  --global \
  --description="Global policy to allow ingress traffic"

🔹 Step 3: Add an Ingress Rule to Allow Traffic

For example, allow HTTP (TCP port 80) from any source:

gcloud compute network-firewall-policies rules create 1000 \
  --firewall-policy=my-global-policy \
  --global-firewall-policy \
  --direction=INGRESS \
  --action=allow \
  --layer4-configs=tcp:80 \
  --src-ip-ranges=0.0.0.0/0 \
  --description="Allow ingress HTTP traffic"

🔹 Rule Parameters:

  • 1000 (positional argument): The rule priority. Lower numbers have higher precedence; rules create takes the priority as its argument and has no separate --priority flag.

  • --src-ip-ranges: Source IP ranges to match (0.0.0.0/0 matches any source, so narrow it where the workload allows).

  • --layer4-configs: Protocol and port (e.g., tcp:80 for HTTP). This is the gcloud flag name; there is no --rules flag.

  • No target flag is given, so the rule applies to every VM in the associated network; use --target-secure-tags or --target-service-accounts to scope it.


🔹 Step 4: Attach the Global Policy to a VPC Network

You must attach the policy to a specific VPC network:

gcloud compute network-firewall-policies associations create \
  --name=global-fw-association \
  --firewall-policy=my-global-policy \
  --network=projects/PROJECT_ID/global/networks/VPC_NAME \
  --global-firewall-policy

The association name is passed with --name (associations create has no positional argument), and a global policy is selected with --global-firewall-policy.

Replace:

  • PROJECT_ID with your GCP project ID

  • VPC_NAME with the target VPC network name

🛠️ Step-by-Step: Allow Egress Traffic Using a Hierarchical Firewall Policy

🔹 Step 1: Set Required Variables

Replace these placeholders with actual values:

ORG_ID="your-org-id"               # e.g., 123456789012
FOLDER_ID="your-folder-id"         # Optional
POLICY_NAME="egress-policy"
VPC_NETWORK="your-vpc-name"
PROJECT_ID="your-project-id"

🔹 Step 2: Create a Hierarchical Firewall Policy

At the organization level:

gcloud compute org-firewall-policies create \
  --organization=$ORG_ID \
  --short-name=$POLICY_NAME \
  --description="Allow egress traffic from specific VPC"

Hierarchical policies get a numeric ID from Google Cloud; the human-readable name is supplied with --short-name, not as a positional argument.

Or at the folder level:

gcloud compute org-firewall-policies create \
  --folder=$FOLDER_ID \
  --short-name=$POLICY_NAME \
  --description="Allow egress traffic from specific VPC"

🔹 Step 3: Add an Egress Allow Rule

For example, to allow all egress traffic:

gcloud compute org-firewall-policies rules create 1000 \
  --organization=$ORG_ID \
  --firewall-policy=$POLICY_NAME \
  --direction=EGRESS \
  --action=allow \
  --layer4-configs=all \
  --dest-ip-ranges=0.0.0.0/0 \
  --target-resources="projects/$PROJECT_ID/global/networks/$VPC_NETWORK" \
  --description="Allow all egress from specific VPC"

🔎 Key flags:

  • 1000 (positional argument): The rule priority; lower numbers are evaluated first.

  • --organization: Lets gcloud resolve the policy's short name to its ID.

  • --direction=EGRESS: Specifies this is an egress rule.

  • --layer4-configs=all: Matches all protocols and ports (can be tcp:443, etc.).

  • --dest-ip-ranges: Use 0.0.0.0/0 to allow traffic to all destination IPs.

  • --target-resources: The specific VPC network this rule applies to.


🔹 Step 4: Verify the Rule and Policy

List all rules:

gcloud compute org-firewall-policies rules list \
  --firewall-policy=$POLICY_NAME \
  --organization=$ORG_ID

List the policy:

gcloud compute org-firewall-policies list --organization=$ORG_ID

✅ Result

This configuration allows all outbound traffic from the specified VPC network using a centrally managed hierarchical firewall policy. It helps enforce consistent security controls across multiple projects while maintaining project-level flexibility.

🧱 What Are Firewall Policies in Google Cloud?

Firewall policies are logical containers that group multiple firewall rules and can be enforced across multiple VPC networks. They support IAM-based access control, versioning, priority-based evaluation, and advanced rule actions like traffic inspection.

🔍 Types of Firewall Policies:

  • Hierarchical Firewall Policies

  • Global Network Firewall Policies

  • Regional Network Firewall Policies


🏢 Hierarchical Firewall Policies

Hierarchical firewall policies allow you to define organization- or folder-level rules that apply across projects and VPCs, which makes them ideal for centrally managed security.

✅ Key Capabilities

  • Apply policies at the organization or folder level.

  • Enforce global security posture consistently.

  • Use IAM to delegate control at different levels (Org, Folder).

🎯 Use Case

Allow or block specific traffic (e.g., deny SSH from public IPs) across all production VPCs in multiple projects.


🌐 Global Network Firewall Policies

These policies are defined at the VPC network level and apply to all regions of that VPC.

✅ Key Capabilities

  • Centrally manage rules for a global VPC.

  • Rules apply to all resources across regions.

  • Can include goto_next, allow, deny, or apply_security_profile_group.

🎯 Use Case

Block all inbound traffic except TCP 443 across the entire VPC.


📍 Regional Network Firewall Policies

Regional firewall policies are scoped to a specific region in a VPC network. They help apply granular control per region.

✅ Key Capabilities

  • Apply region-specific security controls.

  • Useful for multi-region deployments or zonal segmentation.

🎯 Use Case

Allow only internal communication in europe-west1, while allowing internet access in us-central1.


🔄 Policy and Rule Evaluation Order

Firewall policies are evaluated based on priority and the order of attachment to the resource hierarchy:

  1. Hierarchical Firewall Policies

    • Organization > Folder > Subfolder

    • Highest-priority matching rule determines the action (allow/deny/inspect/goto_next).

  2. VPC Firewall Rules

    • Evaluated next if networkFirewallPolicyEnforcementOrder = AFTER_CLASSIC_FIREWALL (default).

  3. Global Network Firewall Policies

    • Apply to the VPC if explicitly associated.

  4. Regional Network Firewall Policies

    • Apply only to a specific region.

  5. Implied Rules

    • Allow all egress

    • Deny all ingress (unless otherwise specified)

🔄 Use the network's networkFirewallPolicyEnforcementOrder setting (the --network-firewall-policy-enforcement-order flag of gcloud compute networks update) to control whether VPC firewall rules are evaluated before or after network firewall policies.


🔧 Example: Allow Egress via Hierarchical Policy

gcloud compute org-firewall-policies create \
  --organization=123456789012 \
  --short-name=allow-egress \
  --description="Allow egress to internet"

gcloud compute org-firewall-policies rules create 1000 \
  --organization=123456789012 \
  --firewall-policy=allow-egress \
  --direction=EGRESS \
  --action=allow \
  --layer4-configs=all \
  --dest-ip-ranges=0.0.0.0/0 \
  --target-resources="projects/my-project/global/networks/my-vpc"

🔍 Advanced Actions: Deep Packet Inspection

With the apply_security_profile_group action, you can redirect traffic to Google Cloud Firewall endpoints for Layer 7 inspection, enabling advanced threat detection, logging, and zero-trust segmentation.

🔍 Example:

--action=apply_security_profile_group \
--security-profile-group=//networksecurity.googleapis.com/organizations/ORG_ID/locations/global/securityProfileGroups/my-profile

Security profile groups are organization-level resources, so the reference names an organization rather than a project; ORG_ID is a placeholder for your organization ID.

✅ Best Practices

  • Use hierarchical policies for broad enforcement (deny risky ports, allow required traffic).

  • Segment policies globally and regionally for flexibility and isolation.

  • Use goto_next to layer policies (e.g., Org > Folder > Project).

  • Enable logging for all critical rules for auditing.

  • Set IAM roles carefully to restrict who can change policies.

📝 Firewall Policy Rule Components

Each firewall policy rule is defined by:

  • Direction: INGRESS (incoming) or EGRESS (outgoing).

  • Action: allow, deny, apply_security_profile_group, goto_next.

  • Priority: Lower number = higher priority.

  • Match Conditions:

    • Source or destination IPs

    • Protocols and ports (e.g., tcp:443)

    • Target resources (VMs, service accounts, tags)

✅ Example: Allow egress TCP traffic to port 443 for VMs with the tag web.


🔄 Evaluation Order: How GCP Processes Rules

Firewall policies follow a strict evaluation order that determines which rule applies:

  1. Hierarchical Firewall Policies – evaluated top-down (org → folder).

  2. VPC Firewall Rules – unless you override the order.

  3. Global Network Firewall Policies

  4. Regional Network Firewall Policies

  5. Implied Rules:

    • Allow all egress

    • Deny all ingress

📌 You can control whether network firewall policies are evaluated before or after VPC firewall rules using:

gcloud compute networks update <NETWORK_NAME> \
  --network-firewall-policy-enforcement-order=BEFORE_CLASSIC_FIREWALL

The default is AFTER_CLASSIC_FIREWALL. Rule logging is not a network setting; it is enabled per rule with --enable-logging on rules create.
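As an added illustration (not code from the original post), the following Python simulates the evaluation order described in both evaluation-order sections: levels are tried hierarchical, VPC, global, regional and finally the implied rules; inside a policy the lowest priority number wins, allow/deny end evaluation, and goto_next hands off to the next level. The rule dictionaries use the field names of the Compute API FirewallPolicyRule resource; the rules and packets are constructed samples, and a folder policy would simply be a second hierarchical entry after the organization one.

```python
from ipaddress import ip_address, ip_network
# Constructed sample rules in the shape of the Compute API FirewallPolicyRule
# resource (what `gcloud ... describe --format=json` returns); not real output.
ORG_RULES = [  # hierarchical policy at the organization level
    {"priority": 900, "direction": "INGRESS", "action": "deny",
     "match": {"srcIpRanges": ["0.0.0.0/0"],
               "layer4Configs": [{"ipProtocol": "tcp", "ports": ["22"]}]}},
    {"priority": 1000, "direction": "INGRESS", "action": "goto_next",
     "match": {"srcIpRanges": ["0.0.0.0/0"], "layer4Configs": [{"ipProtocol": "all"}]}},
]
GLOBAL_RULES = [  # global network firewall policy associated with the VPC
    {"priority": 1000, "direction": "INGRESS", "action": "allow",
     "match": {"srcIpRanges": ["0.0.0.0/0"],
               "layer4Configs": [{"ipProtocol": "tcp", "ports": ["80", "443"]}]}},
]
LEVELS = [("org", ORG_RULES), ("vpc", []), ("global", GLOBAL_RULES), ("regional", [])]

def _l4_match(configs, proto, port):
    for cfg in configs:
        if cfg["ipProtocol"] not in ("all", proto):
            continue
        if not cfg.get("ports"):  # no port list means every port of that protocol
            return True
        for spec in cfg["ports"]:  # "22" or a range such as "8000-8080"
            lo, _, hi = spec.partition("-")
            if int(lo) <= port <= int(hi or lo):
                return True
    return False

def _matches(rule, pkt):
    if rule.get("disabled") or rule["direction"] != pkt["direction"]:
        return False
    m, ingress = rule["match"], pkt["direction"] == "INGRESS"
    addr = ip_address(pkt["src"] if ingress else pkt["dst"])
    ranges = m.get("srcIpRanges" if ingress else "destIpRanges", [])
    if ranges and not any(addr in ip_network(r, strict=False) for r in ranges):
        return False
    return _l4_match(m["layer4Configs"], pkt["proto"], pkt["port"])

def evaluate(levels, pkt):
    """Return (level, priority, action) of the rule that decides pkt."""
    for level, rules in levels:
        for rule in sorted(rules, key=lambda r: r["priority"]):
            if _matches(rule, pkt):
                if rule["action"] == "goto_next":
                    break  # skip the rest of this policy, continue at the next level
                return level, rule["priority"], rule["action"]
    # Implied rules: allow all egress, deny all ingress.
    return "implied", 65535, "allow" if pkt["direction"] == "EGRESS" else "deny"
```

With the samples above, SSH from the internet is stopped by the org-level deny at priority 900 even though the global policy never sees it, HTTP falls through the goto_next rule to the global allow, and anything else lands on the implied rules.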

🧪 Example Scenarios

✅ Use Case 1: Allow Ingress HTTP Globally

gcloud compute network-firewall-policies rules create 1000 \
  --firewall-policy=global-policy \
  --global-firewall-policy \
  --direction=INGRESS \
  --action=allow \
  --layer4-configs=tcp:80 \
  --src-ip-ranges=0.0.0.0/0

The rule applies to whichever VPC networks are associated with global-policy; network firewall policy rules do not take --target-resources (scope them with --target-secure-tags or --target-service-accounts instead).

✅ Use Case 2: Deny Egress SSH from Folder-Level Policy

gcloud compute org-firewall-policies rules create 900 \
  --organization=ORG_ID \
  --firewall-policy=my-folder-policy \
  --direction=EGRESS \
  --action=deny \
  --layer4-configs=tcp:22 \
  --dest-ip-ranges=0.0.0.0/0 \
  --target-resources="projects/my-project/global/networks/my-vpc"

🧠 Best Practices for Using Firewall Policies

  • 🧩 Use hierarchy wisely: Place common controls at the org level; allow flexibility at the project level.

  • 🛑 Deny by default: Start with deny-all and explicitly allow what's needed.

  • 📈 Use goto_next: Chain rules across policy levels for flexible evaluation.

  • 🧪 Test before applying: Use dry-run modes or apply rules in non-prod first.

  • 🔍 Enable logging: Always enable firewall rule logging for visibility and auditing.
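As an added example that is not part of the original post, here is a small audit that checks the rules of a policy against three of the practices listed in the two best-practice sections: no administrative ports allowed from any source, logging enabled on every allow/deny rule, and public ingress allows scoped to a target. The input follows the Compute API FirewallPolicyRule field names; the sample policy is constructed.

```python
import json

# Constructed sample in the shape `gcloud compute network-firewall-policies describe
# POLICY --global --format=json` returns (a FirewallPolicy with a rules list); not real output.
SAMPLE_POLICY = json.loads("""{
  "name": "my-global-policy",
  "rules": [
    {"priority": 900, "direction": "INGRESS", "action": "allow", "enableLogging": true,
     "targetServiceAccounts": ["bastion@my-project.iam.gserviceaccount.com"],
     "match": {"srcIpRanges": ["0.0.0.0/0"],
               "layer4Configs": [{"ipProtocol": "tcp", "ports": ["22"]}]}},
    {"priority": 1000, "direction": "INGRESS", "action": "allow", "enableLogging": false,
     "match": {"srcIpRanges": ["0.0.0.0/0"],
               "layer4Configs": [{"ipProtocol": "tcp", "ports": ["80"]}]}},
    {"priority": 2000, "direction": "INGRESS", "action": "deny", "enableLogging": true,
     "match": {"srcIpRanges": ["0.0.0.0/0"], "layer4Configs": [{"ipProtocol": "all"}]}}
  ]
}""")

ADMIN_PORTS = {"22", "3389"}

def _exposes_admin_port(configs):
    """tcp/all with no port list covers every port; otherwise look for 22 or 3389."""
    return any(c["ipProtocol"] in ("all", "tcp")
               and (not c.get("ports") or ADMIN_PORTS & set(c["ports"]))
               for c in configs)

def audit(policy):
    """Return (rule_id, finding) pairs for rules that violate the practices above."""
    findings = []
    for rule in policy.get("rules", []):
        rid = f"{policy['name']}/{rule['priority']}"
        match = rule.get("match", {})
        public_allow = (rule["action"] == "allow" and rule["direction"] == "INGRESS"
                        and "0.0.0.0/0" in match.get("srcIpRanges", []))
        if public_allow and _exposes_admin_port(match.get("layer4Configs", [])):
            findings.append((rid, "admin port (22/3389) allowed from any source"))
        if public_allow and not (rule.get("targetSecureTags") or rule.get("targetServiceAccounts")):
            findings.append((rid, "no target: rule applies to every VM in the network"))
        if rule["action"] in ("allow", "deny") and not rule.get("enableLogging"):
            findings.append((rid, "logging disabled"))
    return findings

if __name__ == "__main__":
    for rid, msg in audit(SAMPLE_POLICY):
        print(f"{rid}: {msg}")
```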

🎯 Conclusion

GCP's Next-Gen Firewall framework gives you cloud-native security controls that are scalable, centralized, and intelligent. By leveraging hierarchical, global, and regional policies, enterprises can confidently govern network traffic across complex, multi-project environments while adhering to security best practices.


Written by

Mostafa Elkattan