Hierarchical firewall policies

Hierarchical firewall policies let you create and enforce a consistentfirewall policy across your organization. You can assign hierarchical firewallpolicies to the organization as a whole or to individual folders. These policiescontain rules that can explicitly deny or allow connections, as doVirtual Private Cloud (VPC) firewall rules.In addition, hierarchical firewall policy rules can delegate evaluation tolower-level policies or VPC network firewall rules with agoto_next action.

Lower-level rules cannot override a rule from a higher place in theresource hierarchy. This lets organization-wide admins managecritical firewall rules in one place.

Specifications

  • Hierarchical firewall policies are created at the organization andfolder level. Creating a policy does not automatically apply the rules totheorganizationorfolder.
  • Policies, once created, can be applied to (associated with) any resourcesin the organization.
  • Hierarchical firewall policies are containers for firewall rules. When youassociate a policy with the organization or a folder, all rules areimmediately applied. You can swap policies for a resource, which atomicallyswaps all the firewall rules applied to virtual machine (VM) instances underthat resource.
  • Rule evaluation is hierarchical based on resource hierarchy. Allrules associated with the organization are evaluated, followed by thoseof the first level of folders.
  • Hierarchical firewall policy rules have a newgoto_next action that youcan use to delegate connection evaluation to lower levels of the hierarchy.

  • Hierarchical firewall policy rules can be used to configure Layer 7inspection of the matched traffic, such as theURL filtering service and theintrusion detection and prevention service.

    You create a firewall policy rule by using theapply_security_profile_groupaction and name of thesecurity profile group.The traffic matching the firewall policy rule is intercepted and transparentlyforwarded to the firewall endpoint for Layer 7 inspection, and back. To learnhow to create a firewall policy rule,seeCreate a rule.

  • Hierarchical firewall policy rules can be targeted to specificVPC networks and VMs by using target resources for networksand target service accounts for VMs. This lets you create exceptions forgroups of VMs. Hierarchical firewall policy rules don't support targetingby instance tags.
  • Hierarchical firewall policies don't support VPC networksthat use a Remote Direct Memory Access (RDMA) network profile, such astheRDMA_ROCE_POLICY policy type. For more information, seeCloud NGFW for RoCE VPC networks.
  • A hierarchical firewall policy rule can include either IPv4 or IPv6 ranges,but not both.
  • To help with compliance and debugging, firewall rules applied to a VMinstance can be audited by using the VPC network detailspage and the VM instance's network interface details page.

Resource hierarchy

You create and apply firewall policies as separate steps. You can create andapply firewall policies at the organization or folder level of theresource hierarchy.A firewall policy rule can block connections, allow connections, or deferfirewall rule evaluation to lower-level folders or VPCfirewall rules defined in VPC networks.

  • Organization is the top-level resource in the resource hierarchy in Google Cloud whereyou can create or associate hierarchical firewall policies. All folders andVPC networks in the organization inherit this policy.

  • Folders are mid-level resources in the Google Cloud resource hierarchy, betweenthe organization and projects, where you can create or assign hierarchicalfirewall policies. All folders and VPC networks in afolder inherit its associated policy.

  • A project lives under a folder or the organization. You can move projectsbetween resources in an organization. Projects contain VPCnetworks. Hierarchical firewall policies cannot be assigned to projects,only to the organization or folders.

  • A VPC network is the Google Cloud partition for isolatedinternal IP space communication. This is the level at which routes, networkfirewall policies, and traditional VPC firewall rules arespecified and applied. Hierarchical firewall policy rules can override ordelegate connection evaluation toglobal network firewall policies and rules.

By default, all hierarchical firewall policy rules apply to all VMs inall projects under the organization or folder where the policy isassociated. However, you can restrict which VMs get a given rule byspecifyingtarget networks or target service accounts.

The levels of the hierarchy at which firewall rules can now be applied arerepresented in the following diagram. The yellow boxes represent hierarchicalfirewall policies that contain firewall rules, while the white boxes represent VPC firewall rules.

Hierarchical firewall policies containing rules (yellow boxes) at the organization and folder levels and VPC firewall rules at the VPC network level
Hierarchical firewall policies containing rules (yellow boxes) are applied at the organization and folder levels. VPC firewall rules are applied at the VPC network level.
Note: Hierarchical firewall policies are eventually consistent. If you moveprojects or folders, it might take a few minutes for hierarchical firewallpolicies to be applied.

Hierarchical firewall policy details

Hierarchical firewall policy rules are defined in a firewall policy resourcethat acts as a container for firewall rules. The rules defined in a firewallpolicy are not enforced until the policy is associated with a resource(an organization or a folder).

A single policy can be associated with multiple resources. If you modify a rulein a policy, that rule change applies to all associated resources.

Only one firewall policy can be associated with a resource. Hierarchical firewallpolicy rules and VPC firewall rules areevaluated in a well-defined order.

A firewall policy that is not associated with any resource is anunassociatedhierarchical firewall policy.

Policy names

When you create a new policy, Google Cloud automatically generates an IDfor the policy. In addition, you also specify ashort name for the policy.When using thegcloud interface to update an existing policy, you can referenceeither the system-generated ID or a combination of the short name and yourorganization ID. When using the API to update the policy, you must provide thesystem-generated ID.

Hierarchical firewall policy rule details

Hierarchical firewall policy rules work the same asfirewall policy rules andVPC firewall rules, but there are afew differences:

  • Hierarchical firewall policies support target networks, while global networkfirewall policies don't. You can specify target networks to restrict afirewall policy rule to VMs in the specified networks. SpecifyingVPC networks in the rule gives you control over whichnetworks are configured with that rule.

    Combined withgoto_next orallow, specifying target networks lets youcreate exceptions for specific networks when you want to define an otherwiserestrictive policy.

  • Hierarchical firewall policies are organization-level resources, whileglobal network firewall policies are project-level resources.

  • Rules in hierarchical firewall policies support secure tag keys assource secure tags or target secure tags. For more information, seeSecure tags for firewalls.

Predefined rules

When you create a hierarchical firewall policy, Cloud Next Generation Firewall addspredefined rules with the lowest priority to the policy. These rules are appliedto any connections that don't match an explicitly defined rule in the policy,causing such connections to be passed down to lower-level policies or network rules.

To learn about the various types of predefinedrules and their characteristics, seePredefined rules.

Identity and Access Management (IAM) roles

Note: The preview releases of hierarchical firewall policies used thecompute.orgSecurityPolicyAdmin andcompute.orgSecurityPolicyUser IAM roles. These roles combinedpermissions for hierarchical firewall policies and Google Cloud Armor. To separatethese permissions, we are migrating to thecompute.orgFirewallPolicyAdminandcompute.orgFirewallPolicyUser rolesfor hierarchical firewall policies. The prior roles continue to work, but werecommend migrating to the new roles as soon as feasible.

IAM roles govern the following actions with regard tohierarchical firewall policies:

  • Creating a policy that lives at a particular resource
  • Associating a policy with a particular resource
  • Modifying an existing policy
  • Viewing the effective firewall rules for a particular network or VM

The following table describes which roles are necessary for each step:

AbilityNecessary role
Create a new hierarchical firewall policyOrganization Firewall Policy Admin role (roles/compute.orgFirewallPolicyAdmin) on the resource where the policy will live
Associate a policy with a resourceOrganization Security Resource Admin role (roles/compute.orgSecurityResourceAdmin) on the target resource, and eitherOrganization Firewall Policy Admin role (roles/compute.orgFirewallPolicyAdmin) orOrganization Firewall Policy User role (roles/compute.orgFirewallPolicyUser) on the resource where the policy lives or on the policy itself
Modify the policy by adding, updating, or deleting policy firewall rulesOrganization Firewall Policy Admin role (roles/compute.orgFirewallPolicyAdmin) either on the resource where the policy lives or on the policy itself
Delete the policyOrganization Firewall Policy Admin role (roles/compute.orgFirewallPolicyAdmin) either on the resource where the policy lives or on the policy itself
View effective firewall rules for a VPC networkAny of the following roles for the network:
Compute Network Admin role (roles/compute.networkAdmin)
Compute Network User role (roles/compute.networkUser)
Compute Network Viewer role (roles/compute.networkViewer)
Compute Security Admin role (roles/compute.securityAdmin)
Compute Viewer role (roles/compute.viewer)
View effective firewall rules for a VM in a networkAny of the following roles for the VM:
Compute Instance Admin role (roles/compute.instanceAdmin)
Instance Group Manager Service Agent role (roles/compute.instanceGroupManagerServiceAgent)
Compute Security Admin role (roles/compute.securityAdmin)
Compute Viewer role (roles/compute.viewer)

The following roles are relevant to hierarchical firewall policies.

Role nameDescription
Organization Firewall Policy Admin role (roles/compute.orgFirewallPolicyAdmin)Can be granted on a resource or on an individual policy. If granted at a resource, allows users to create, update, and delete hierarchical firewall policies and their rules. If granted on an individual policy, allows the user to update the policy rules, but not create or delete the policy. This role also allows the user to associate a policy with a resource if they also have thecompute.orgSecurityResourceAdmin role on that resource.
Organization Security Resource Admin role (roles/compute.orgSecurityResourceAdmin)Granted at the organization level or to a folder, allows folder-level administrators to associate a policy with that resource. Administrators must also have thecompute.orgFirewallPolicyUser orcompute.orgFirewallPolicyAdmin role on the resource that owns the policy or on the policy itself in order to make use of it.
Organization Firewall Policy User role (roles/compute.orgFirewallPolicyUser)Granted on a resource or on an individual policy, allows administrators to make use of the individual policy or policies associated with the resource. Users must also have thecompute.orgSecurityResourceAdmin role on the target resource to associate a policy with that resource.
Compute Security Admin role (roles/compute.securityAdmin)

Compute Viewer role (roles/compute.viewer)

Compute Network User role (roles/compute.networkUser)

Compute Network Viewer role (roles/compute.networkViewer)
Allows users to view the firewall rules applied to the network or instance.
Includes thecompute.networks.getEffectiveFirewalls permission for networks and thecompute.instances.getEffectiveFirewalls for instances.

In the following example, Joe can create, modify, and delete any hierarchicalfirewall policy in thepolicies folder, but he cannot attach the hierarchicalfirewall policy to a folder because he does not have theorgSecurityResourceAdmin role on any folder.

However, because Joe granted Mary permissions to usepolicy-1, she can list andassociate that hierarchical firewall policy with thedev-projects folder orany of its descendants. TheorgFirewallPolicyUser role does not grantpermission to associate the policies to any folders; the user must also have theorgSecurityResourceAdmin role on the target folder.

policy-1 example
policy-1 example

Manage hierarchical firewall policy resources

Because a hierarchical firewall policy only defines a set of firewall rules andnot where they are applied, you can create these resources in a different partof the hierarchy from the resources that they apply to. This lets you associatea single hierarchical firewall policy resource with multiple folders in theorganization.

In the following example,policy-1 is applied to thedev-projects andcorp-projects folders and so is enforced on all projects in those folders.

Policy location and association
Policy location and association

Modify a policy's rules

You can add, remove, and modify rules in a policy. Each change is doneindividually; there is no mechanism for batch updating rules in a policy.Changes are applied in roughly the order that the commands are executed, althoughthis is not guaranteed.

If you are making extensive changes to a hierarchical firewall policy and needto ensure that they're applied at the same time, you can clone the policy to atemporary policy and assign the temporary policy to the same resources. You can thenmake your changes to the original, and then assign the original back to theresources. For the steps to do this, seeCloning rules from one policy toanother.

In the following example,policy-1 is attached to thedev-projects folder,and you would like to make several changes that apply atomically. Create a newpolicy namedscratch-policy, and then copy all of the existing rules frompolicy-1 toscratch-policy for editing. After you finish editing,copy all the rules fromscratch-policy back topolicy-1.

Modify a policy
Modify a policy

Move a policy

Hierarchical firewall policies, like projects, are parented by a folder ororganization resource. As your folder scheme evolves, you might need tomove a hierarchical firewall policy to a new folder, perhaps before a folderdeletion. Policies owned by a folder are deleted if the folder is deleted.

The following diagram illustratesmoving a policy betweenresources associations or theevaluation of rules in the policy.

Move a policy
Move a policy

Associate a hierarchical firewall policy with a folder

A hierarchical firewall policy is not enforced unless it is associated with anorganization or a folder. After it is associated, it is applied to all VMs inall networks under that organization or folder.

Associate a policy
Associate a policy

Changes to the resource hierarchy

Changes to the resource hierarchy might take some time to propagate through thesystem. We recommend that you avoid simultaneous updates to the hierarchicalfirewall policy attachments and the resource hierarchy because networks might notimmediately inherit the hierarchical firewall policy defined in the newlocation in the hierarchy.

Moving a policy
Moving a policy

For example, if you are moving thedept-A folder from thedev-projectsfolder to theeng-projects folder and changing the association ofpolicy-1toeng-projects instead ofdev-projects, be sure to not disassociatepolicy-1 fromdev-projects at the same time. If thedev-projects folderloses its hierarchical firewall policy association before all VPCnetworks under it have had their ancestry updated, for a short period of timethose VPC networks are not protected bypolicy-1.

Use hierarchical firewall policies with Shared VPC

InShared VPC scenarios, a VM interfaceconnected to a host project network is governed by the hierarchical firewallpolicy rules of the host project, not the service project.

VM in Shared VPC
VM in Shared VPC

Even if the service projects are under a different folder than the host project,the VM interfaces in the shared network still inherit from the host projectfolder rules.

Service project VMs inherit rules from host project
Service project VMs inherit rules from host project

Use hierarchical firewall policies with VPC Network Peering

InVPC Network Peering scenarios, the VM interface associated to each of theVPC networks inherits the policies in the hierarchy in therespective VPC networks. The following is aVPC Network Peering example where the VPC peered networksbelong to different organizations.

VMs inherit from respective networks
VMs inherit from respective networks

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-18 UTC.