Firewall


Hierarchy

There are several successive levels of firewall enforcement, ranging from the organization down to individual resources, so the possible scopes are:

  • Organization
  • Folder
  • Resource

A distinction worth making explicit: a policy is a set of rules grouped in an object, and it must be attached to a node to take effect. A rule is an individual condition to satisfy. Each rule carries a priority; lower numbers are evaluated first.

With a “policy”, you get finer granularity, including processing at the application layer. A “rule” on its own is strictly allow or deny, nothing more.

A policy can be attached to:

  • Organization
  • Folder
  • VPC (this is called the global policy)
  • Region

Possible rule actions:

  • allow: grants access and ends evaluation
  • deny: blocks access and ends evaluation
  • goto_next: delegates to the next policy in the hierarchy
  • apply_security_profile_group: routes traffic through a configured security profile

No default policy on a VPC

A VPC has no default policy, only allow or deny outcomes. Absent any policy, outbound traffic is allowed and inbound traffic is denied by default.

Default rules are fixed (this is what keeps the evaluation scheme consistent)

You cannot modify or delete the following rules:

  • An egress rule with destination IPv6 range ::/0, priority 2147483644, and goto_next action.
  • An ingress rule with source IPv6 range ::/0, priority 2147483645, and goto_next action.
  • An egress rule with destination IPv4 range 0.0.0.0/0, priority 2147483646, and goto_next action.
  • An ingress rule with source IPv4 range 0.0.0.0/0, priority 2147483647, and goto_next action.

Specifying goto_next is essential if you want the rules of the next policy to actually be evaluated; otherwise every following check is skipped entirely.

Example:

goto_next

This is critically important in large-scale hierarchical configurations: without goto_next, the whole logical firewall architecture is bypassed as soon as a higher-level rule resolves with a plain allow, because evaluation stops there and nothing below it is ever consulted.

At equal priority, deny rules take precedence over allow.
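As an added illustration of the evaluation order described in these notes (a model written for this page, not Google's code or documentation), the following Python walks a constructed policy hierarchy from organization down to the VPC, appends the four fixed goto_next rules to every policy, lets allow/deny end evaluation, orders deny before allow at equal priority, and falls back to the VPC default when every level delegates. Policy names, ranges and priorities in SAMPLE_POLICIES are constructed; apply_security_profile_group is left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    priority: int      # lower number is evaluated first
    direction: str     # "ingress" or "egress"
    cidr: str          # source range (ingress) or destination range (egress)
    action: str        # "allow", "deny" or "goto_next"

# The four fixed rules that close every policy (values from the notes above).
FIXED_DEFAULT_RULES = (
    Rule(2147483644, "egress", "::/0", "goto_next"),
    Rule(2147483645, "ingress", "::/0", "goto_next"),
    Rule(2147483646, "egress", "0.0.0.0/0", "goto_next"),
    Rule(2147483647, "ingress", "0.0.0.0/0", "goto_next"),
)

def first_match(rules, direction, remote_ip):
    """First matching rule of one policy, in priority order. The fixed
    default goto_next rules guarantee a match; at equal priority a deny
    is ordered before an allow."""
    ip = ip_address(remote_ip)
    hits = [r for r in (*rules, *FIXED_DEFAULT_RULES)
            if r.direction == direction and ip in ip_network(r.cidr)]
    return min(hits, key=lambda r: (r.priority, r.action != "deny"))

def evaluate(policies, direction, remote_ip):
    """Walk (name, rules) pairs from organization down to region.
    allow/deny ends evaluation; goto_next delegates to the next policy.
    If every level delegates, the VPC default applies: egress allowed,
    ingress denied. Returns the decision and the evaluation trace."""
    trace = []
    for name, rules in policies:
        rule = first_match(rules, direction, remote_ip)
        trace.append(f"{name}:{rule.priority}:{rule.action}")
        if rule.action != "goto_next":
            return rule.action, trace
    default = "allow" if direction == "egress" else "deny"
    trace.append(f"vpc-default:{default}")
    return default, trace

# Constructed sample hierarchy: the organization allows the whole corporate
# range with a plain allow, so the folder's deny for one subnet never runs.
SAMPLE_POLICIES = [
    ("org", [Rule(1000, "ingress", "10.0.0.0/8", "allow")]),
    ("folder", [Rule(100, "ingress", "10.1.2.0/24", "deny")]),
    ("vpc-global", [Rule(500, "ingress", "192.168.0.0/16", "deny"),
                    Rule(500, "ingress", "0.0.0.0/0", "allow")]),
]
```

`evaluate(SAMPLE_POLICIES, "ingress", "10.1.2.3")` returns `('allow', ['org:1000:allow'])`: the folder deny is never reached, which is exactly the failure mode the paragraph above describes.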

Firewall rules tied to VPC

See the Firewall section in the VPC note for the pre-populated default rules and their behavior.

Network Topology


A topology service for observing VPCs and GKE. Useful for visually identifying configurations and the overall architecture of the environment.

This feature still needs to be tested to check whether it can be used at no extra cost for the client, and whether it suits testing purposes as well (are there indirect costs tied to the service?).