Create and manage firewall endpoints
This page explains how to configure and manage a firewall endpoint and associate it with a Virtual Private Cloud (VPC) network by using the Google Cloud console and Google Cloud CLI.
You create a firewall endpoint at a zonal level, and then associate it with one or more VPC networks in the same zone. If you have enabled Layer 7 inspection in the firewall policy associated with your VPC network, the matched traffic is transparently intercepted and forwarded to the firewall endpoint.
You can create a firewall endpoint with or without jumbo frame support. For information about the packet sizes supported by firewall endpoints, see Supported packet size.
Note: To check the progress of the operations listed on this page, make sure that your user role has the following Compute Network User role (roles/compute.networkUser) permissions: networksecurity.operations.get and networksecurity.operations.list.
Before you begin
You need a VPC network and a subnet.
You must enable the Compute Engine API in your Google Cloud project.
You must enable the Network Security API in the Google Cloud project that you want to use for billing.
You must enable the Certificate Authority Service API in your Google Cloud project.
Install the gcloud CLI if you want to run the gcloud command-line examples in this guide.
Roles
To get the permissions that you need to create, view, update, or delete firewall endpoints, ask your administrator to grant you the necessary IAM roles on your organization. For more information about granting roles, see Manage access.
Quotas
To view quotas for firewall endpoints and associations, see Quotas and limits.
Create a firewall endpoint
Create a firewall endpoint in a specific zone.
Note: Cloud NGFW might take up to 20 minutes to create a firewall endpoint and an additional 15 minutes to create firewall endpoint associations.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles on your organization.
Permissions
networksecurity.firewallEndpoints.create
Roles
- Compute Network Admin (roles/compute.networkAdmin)
- Firewall Endpoint Admin (roles/networksecurity.firewallEndpointAdmin)
Console
In the Google Cloud console, go to the Firewall endpoints page.
In the project selector menu, select your organization.
Click Create.
In the Region list, select the region where you want to create the firewall endpoint.
In the Zone list, select the zone where you want to create the firewall endpoint.
Enter a name in the Name field. Don't include sensitive information such as personally identifiable information or security data in the firewall endpoint name.
In the Billing project list, select the Google Cloud project that you want to use for billing the firewall endpoint.
Click Continue.
If you want the endpoint to support jumbo frames, select the Enable jumbo frames support checkbox; otherwise, clear this checkbox.
Click Continue.
If you want to add a firewall endpoint association, click Add endpoint association; otherwise, skip this step.
- In the Project list, select the Google Cloud project where you want to create the firewall endpoint association.
- If the Compute Engine API or the Network Security API is not enabled for the Google Cloud project, click Enable.
- In the Network list, select the network that you want to associate with the firewall endpoint.
- In the TLS inspection policy list, select the TLS inspection policy that you want to add to this association.
- To add another association, click Add endpoint association.
Click Create.
gcloud
To create a firewall endpoint, use the gcloud network-security firewall-endpoints create command:
gcloud network-security firewall-endpoints create NAME \
    --organization ORGANIZATION_ID \
    --zone ZONE \
    --enable-jumbo-frames \
    --billing-project BILLING_PROJECT_ID
Replace the following:
- NAME: the name of the firewall endpoint. Don't include sensitive information such as personally identifiable information or security data in the firewall endpoint name.
- ORGANIZATION_ID: the organization where the endpoint is activated.
- ZONE: the zone where the endpoint is activated.
- BILLING_PROJECT_ID: a Google Cloud project ID to be used for billing of the firewall endpoint.
To create a firewall endpoint that supports jumbo frames up to 8,500 bytes in size, use the optional --enable-jumbo-frames flag. Skip this flag to create an endpoint without jumbo frame support. For information about the packet sizes supported by firewall endpoints, see Supported packet size.
To associate the firewall endpoint with a VPC network, see Create firewall endpoint associations.
Terraform
Use the google_network_security_firewall_endpoint Terraform resource.
resource "google_network_security_firewall_endpoint" "default" {
  name                = "my-firewall-endpoint"
  parent              = "organizations/123456789"
  location            = "us-central1-a"
  billing_project_id  = "my-project-name"
  enable_jumbo_frames = true
}
To create a firewall endpoint that supports jumbo frames up to 8,500 bytes in size, set the enable_jumbo_frames field to true. To create a firewall endpoint that doesn't support jumbo frames, set this field to false. For information about the packet sizes supported by firewall endpoints, see Supported packet size.
To learn how to apply or remove a Terraform configuration, see Basic Terraform commands.
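The create procedure above returns control before the endpoint is necessarily usable, and the page notes that creation can take up to 20 minutes. The following Python script is an added example (not code from this page or from Google Cloud) that builds the documented gcloud create and describe commands, validates the inputs before anything is created, and polls describe until the endpoint reports ACTIVE instead of sleeping for a fixed period. Assumed, not stated on the page: the endpoint resource exposes a state field whose values include ACTIVE, DELETING and INACTIVE, read here with gcloud's generic --format=value(state); and the name, zone and project ID patterns follow Compute Engine naming rules. The gcloud runner is a parameter so the flow can be exercised offline with a fake.

```python
"""Create a zonal firewall endpoint via gcloud and wait until it is ACTIVE.

Added example, not code from the page or from Google Cloud. The `state`
values and the naming patterns below are assumptions (see lead-in)."""
import re
import subprocess
import time
from typing import Callable, List

# Assumed naming rules: lowercase letters, digits, hyphens; start with a
# letter; do not end with a hyphen; 1-63 characters.
_NAME_RE = re.compile(r"^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")
_ZONE_RE = re.compile(r"^[a-z]+-[a-z]+[0-9]-[a-z]$")          # e.g. us-central1-a
_ORG_RE = re.compile(r"^[0-9]+$")                             # numeric org ID
_PROJECT_RE = re.compile(r"^[a-z][-a-z0-9]{4,28}[a-z0-9]$")   # project ID rules

Runner = Callable[[List[str]], str]   # argv -> stdout


def validate(name: str, org_id: str, zone: str, billing_project: str) -> None:
    """Reject inputs gcloud would reject later, before anything is created."""
    checks = (("name", name, _NAME_RE), ("organization", org_id, _ORG_RE),
              ("zone", zone, _ZONE_RE), ("billing project", billing_project, _PROJECT_RE))
    for label, value, pattern in checks:
        if not pattern.match(value):
            raise ValueError(f"invalid {label}: {value!r}")


def create_argv(name: str, org_id: str, zone: str, billing_project: str,
                jumbo_frames: bool = False) -> List[str]:
    """argv for the page's `gcloud network-security firewall-endpoints create`."""
    validate(name, org_id, zone, billing_project)
    argv = ["gcloud", "network-security", "firewall-endpoints", "create", name,
            "--organization", org_id, "--zone", zone,
            "--billing-project", billing_project]
    if jumbo_frames:                      # optional flag documented on the page
        argv.append("--enable-jumbo-frames")
    return argv


def describe_state_argv(name: str, org_id: str, zone: str) -> List[str]:
    """argv for `describe`, narrowed to the (assumed) state field."""
    return ["gcloud", "network-security", "firewall-endpoints", "describe", name,
            "--organization", org_id, "--zone", zone, "--format=value(state)"]


def run_gcloud(argv: List[str]) -> str:
    """Default runner: execute gcloud and return stdout; raise on non-zero exit."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def wait_for_active(name: str, org_id: str, zone: str, runner: Runner = run_gcloud,
                    timeout_s: int = 25 * 60, interval_s: int = 30,
                    sleep: Callable[[float], None] = time.sleep) -> str:
    """Poll describe until the state is ACTIVE. The default budget exceeds the
    up-to-20-minute creation time noted on the page; states assumed to be
    non-recoverable fail fast instead of burning the whole budget."""
    waited = 0
    while True:
        state = runner(describe_state_argv(name, org_id, zone)).strip()
        if state == "ACTIVE":
            return state
        if state in ("DELETING", "INACTIVE"):
            raise RuntimeError(f"{name}: endpoint entered state {state}")
        if waited >= timeout_s:
            raise TimeoutError(f"{name}: still {state or 'unknown'} after {waited}s")
        sleep(interval_s)
        waited += interval_s


def create_and_wait(name: str, org_id: str, zone: str, billing_project: str,
                    jumbo_frames: bool = False, runner: Runner = run_gcloud,
                    sleep: Callable[[float], None] = time.sleep) -> str:
    """Create the endpoint, then block until it is ACTIVE. Returns the final state."""
    runner(create_argv(name, org_id, zone, billing_project, jumbo_frames))
    return wait_for_active(name, org_id, zone, runner=runner, sleep=sleep)


if __name__ == "__main__":   # real run: replace the placeholder values first
    print(create_and_wait("fwe-us-central1-a", "123456789", "us-central1-a",
                          "my-billing-project", jumbo_frames=True))
```

Injecting the runner keeps the orchestration testable without an organization to create endpoints in; in production, leave the default and let a non-zero gcloud exit propagate as an exception rather than continuing to the association step.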
View a firewall endpoint
You can view the details of a specific firewall endpoint.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles on your organization.
Permissions
networksecurity.firewallEndpoints.get
Roles
- Compute Network Admin (roles/compute.networkAdmin)
- Compute Network User (roles/compute.networkUser)
- Compute Network Viewer (roles/compute.networkViewer)
- Firewall Endpoint Admin (roles/networksecurity.firewallEndpointAdmin)
Console
In the Google Cloud console, go to the Firewall endpoints page.
In the project selector menu, select your organization.
The Firewall endpoints page lists all the configured firewall endpoints in the organization.
Click the name of the firewall endpoint to view its details.
gcloud
To view details of a firewall endpoint, use the gcloud network-security firewall-endpoints describe command:
gcloud network-security firewall-endpoints describe NAME \
    --organization ORGANIZATION_ID \
    --zone ZONE
Replace the following:
- NAME: the name of the firewall endpoint.
- ORGANIZATION_ID: the organization where the endpoint is activated.
- ZONE: the zone where the endpoint is activated.
List firewall endpoints
You can list all the firewall endpoints in an organization.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles on your organization.
Permissions
networksecurity.firewallEndpoints.list
Roles
- Compute Network Admin (roles/compute.networkAdmin)
- Compute Network User (roles/compute.networkUser)
- Compute Network Viewer (roles/compute.networkViewer)
- Firewall Endpoint Admin (roles/networksecurity.firewallEndpointAdmin)
Console
In the Google Cloud console, go to the Firewall endpoints page.
The Firewall endpoints page lists all the configured firewall endpoints in the organization.
gcloud
To list all firewall endpoints, use the gcloud network-security firewall-endpoints list command:
gcloud network-security firewall-endpoints list \
    --organization ORGANIZATION_ID \
    --zone ZONE \
    --billing-project BILLING_PROJECT_ID
Replace the following:
- ORGANIZATION_ID: the organization where the endpoint is activated.
- ZONE: the zone where the endpoint is activated. To list endpoints in all zones, use -.
- BILLING_PROJECT_ID: an optional Google Cloud project ID that will be charged quota for the operation.
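Listing endpoints across all zones (--zone -) is the natural place to audit what the organization is paying for. The following Python script is an added example, not code from this page or from Google Cloud: it parses the JSON that the list command emits with --format=json and flags endpoints that are billed but not inspecting anything, namely endpoints that are not ACTIVE, still reconciling, billed to a project outside an allow-list, or without any VPC association. An endpoint with no association inspects no traffic, and it is also the only kind that the Delete section below lets you remove. The sample records are constructed, and the field names (name, state, reconciling, billingProjectId, associations[].network) are assumed to match the FirewallEndpoint REST resource; check them against your own --format=json output before relying on the script.

```python
"""Audit `gcloud network-security firewall-endpoints list --zone - --format=json`
output for endpoints that cost money without inspecting traffic.

Added example, not code from the page or from Google Cloud. Field names are
assumed to match the FirewallEndpoint REST resource; sample is constructed."""
import json
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample of --format=json output (not real output).
SAMPLE_LIST_JSON = json.dumps([
    {"name": "organizations/123456789/locations/us-central1-a/firewallEndpoints/fwe-prod-a",
     "state": "ACTIVE", "reconciling": False, "billingProjectId": "sec-billing-prod",
     "associations": [{"name": "projects/app-prod/locations/us-central1-a/"
                               "firewallEndpointAssociations/prod-vpc-assoc",
                       "network": "projects/app-prod/global/networks/prod-vpc"}]},
    {"name": "organizations/123456789/locations/us-central1-b/firewallEndpoints/fwe-prod-b",
     "state": "ACTIVE", "reconciling": False, "billingProjectId": "sec-billing-prod",
     "associations": []},
    {"name": "organizations/123456789/locations/europe-west1-b/firewallEndpoints/fwe-dev-a",
     "state": "CREATING", "reconciling": True, "billingProjectId": "dev-sandbox",
     "associations": []},
])


def parse_endpoints(raw_json: str) -> List[dict]:
    """Load list output; tolerate records that omit the associations field."""
    endpoints = json.loads(raw_json)
    for ep in endpoints:
        ep.setdefault("associations", [])
    return endpoints


def short_name(resource: str) -> str:
    """Last path segment of a full resource name."""
    return resource.rsplit("/", 1)[-1]


def zone_of(resource: str) -> str:
    """Zone from organizations/ORG/locations/ZONE/firewallEndpoints/NAME."""
    parts = resource.split("/")
    return parts[parts.index("locations") + 1]


def audit(endpoints: List[dict], allowed_billing: Set[str]) -> Dict[str, List[str]]:
    """Return {endpoint short name: [finding codes]} for endpoints with problems."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for ep in endpoints:
        name = short_name(ep["name"])
        if ep.get("state") != "ACTIVE":                  # not yet, or no longer, serving
            findings[name].append(f"state:{ep.get('state', 'UNKNOWN')}")
        if ep.get("reconciling"):                        # control plane still converging
            findings[name].append("reconciling")
        if ep.get("billingProjectId") not in allowed_billing:
            findings[name].append(f"billing:{ep.get('billingProjectId')}")
        if not ep["associations"]:                       # idle: billed, inspects nothing
            findings[name].append("no-association")      # also the deletable case
    return dict(findings)


def networks_by_zone(endpoints: List[dict]) -> Dict[str, Dict[str, str]]:
    """Map zone -> {network: endpoint short name}: which endpoint inspects each VPC."""
    out: Dict[str, Dict[str, str]] = defaultdict(dict)
    for ep in endpoints:
        for assoc in ep["associations"]:
            out[zone_of(ep["name"])][assoc["network"]] = short_name(ep["name"])
    return dict(out)


if __name__ == "__main__":
    eps = parse_endpoints(SAMPLE_LIST_JSON)
    for name, issues in sorted(audit(eps, {"sec-billing-prod"}).items()):
        print(f"{name}: {', '.join(issues)}")
    print(networks_by_zone(eps))
```

To run it against a real organization, replace SAMPLE_LIST_JSON with the stdout of the list command run with --zone - and --format=json, and put your approved billing project IDs in the allow-list; endpoints reported as no-association are candidates for deletion under the precondition in the Delete section.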
Edit a firewall endpoint
You can update the billing project of a firewall endpoint in an organization.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles on your organization.
Permissions
networksecurity.firewallEndpoints.get
Roles
- Compute Network Admin (roles/compute.networkAdmin)
- Compute Network User (roles/compute.networkUser)
- Compute Network Viewer (roles/compute.networkViewer)
- Firewall Endpoint Admin (roles/networksecurity.firewallEndpointAdmin)
Console
In the Google Cloud console, go to the Firewall endpoints page.
In the project selector menu, select your organization.
The Firewall endpoints page lists all the configured firewall endpoints in the organization.
Click the name of the firewall endpoint to view its details.
Click Edit.
In the Billing project list, select the Google Cloud project that you want to use for billing the firewall endpoint.
Click Save.
gcloud
To edit a firewall endpoint, use the gcloud network-security firewall-endpoints update command:
gcloud network-security firewall-endpoints update NAME \
    --organization ORGANIZATION_ID \
    --zone ZONE \
    --billing-project BILLING_PROJECT_ID
Replace the following:
- NAME: the name of the firewall endpoint.
- ORGANIZATION_ID: the organization where the endpoint is activated.
- ZONE: the zone where the endpoint is activated.
- BILLING_PROJECT_ID: the Google Cloud project ID that you want to associate with this firewall endpoint for billing.
For information about the packet sizes supported by firewall endpoints, see Supported packet size.
Delete a firewall endpoint
You can delete a firewall endpoint by specifying its name, zone, and organization.
Note: You can delete a firewall endpoint only if it is not associated with any VPC network.
Permissions required for this task
To perform this task, you must have been granted the following permissions or one of the following IAM roles on your organization.
Permissions
networksecurity.firewallEndpoints.delete
Roles
- Compute Network Admin (roles/compute.networkAdmin)
- Firewall Endpoint Admin (roles/networksecurity.firewallEndpointAdmin)
Console
In the Google Cloud console, go to the Firewall endpoints page.
Select the firewall endpoint, and then click Delete.
Click Delete again to confirm.
gcloud
To delete a firewall endpoint, use the gcloud network-security firewall-endpoints delete command:
gcloud network-security firewall-endpoints delete NAME \
    --organization ORGANIZATION_ID \
    --zone ZONE
Replace the following:
- NAME: the name of the firewall endpoint.
- ORGANIZATION_ID: the organization where the endpoint is activated.
- ZONE: the zone where the endpoint is activated.
What's next
- Create and manage firewall endpoint associations
- Use hierarchical firewall policies and rules
- Use global network firewall policies and rules
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.