Firewall policies
Firewall policies let you group several firewall rules so that you can update them all at once, effectively controlled by Identity and Access Management (IAM) roles. These policies contain rules that can explicitly deny or allow connections, as do Virtual Private Cloud (VPC) firewall rules.
Hierarchical firewall policies
Hierarchical firewall policies let you group rules into a policy object that can apply to many VPC networks in one or more projects. You can associate hierarchical firewall policies with an entire organization or with individual folders.
For hierarchical firewall policy specifications and details, see Hierarchical firewall policies.
Global network firewall policies
Global network firewall policies let you group rules into a policy object that can apply to all regions of a VPC network.
For global network firewall policy specifications and details, see Global network firewall policies.
Regional network firewall policies
Regional network firewall policies let you group rules into a policy object that can apply to a specific region of a VPC network.
For regional firewall policy specifications and details, see Regional network firewall policies.
Regional system firewall policies
Regional system firewall policies are similar to regional network firewall policies, but they are managed by Google. Regional system firewall policies have the following characteristics:
- Google Cloud evaluates rules in regional system firewall policies immediately after evaluating rules in hierarchical firewall policies. For more information, see Firewall rule evaluation process.
- You can't modify a rule in a regional system firewall policy, except to enable or disable firewall rule logging. Instead, Google services like Google Kubernetes Engine (GKE) manage rules in regional system firewall policies using internal APIs.
- Google Cloud creates a regional system firewall policy in a region of a VPC network when a Google service requires rules in that region of the network. Google Cloud can associate more than one regional system firewall policy with a region of a VPC network, based on the requirements of Google services.
- You aren't charged for the evaluation of rules in regional system firewall policies.
Network profile interaction
Regular VPC networks support firewall rules in hierarchical firewall policies, global network firewall policies, regional network firewall policies, and VPC firewall rules. All firewall rules are programmed as part of the Andromeda network virtualization stack.
VPC networks that use certain network profiles restrict the firewall policies and rule attributes that you can use. For RoCE VPC networks, see Cloud NGFW for RoCE VPC networks instead of this page.
Network firewall policy enforcement order
Each regular VPC network has a network firewall policy enforcement order that determines the order in which Cloud NGFW evaluates firewall policy rules.
- AFTER_CLASSIC_FIREWALL (default): Cloud NGFW evaluates firewall policies and rules in the following order:
  - Hierarchical firewall policies
  - Regional system firewall policies
  - VPC firewall rules
  - Global network firewall policies
  - Regional network firewall policies
  - Implied firewall rules
- BEFORE_CLASSIC_FIREWALL: Cloud NGFW evaluates firewall policies and rules in the following order:
  - Hierarchical firewall policies
  - Regional system firewall policies
  - Global network firewall policies
  - Regional network firewall policies
  - VPC firewall rules
  - Implied firewall rules
To change the network firewall policy enforcement order, do any one of the following:
- Use the networks.patch method and set the networkFirewallPolicyEnforcementOrder attribute of the VPC network.
- Use the gcloud compute networks update command with the --network-firewall-policy-enforcement-order flag. For example:

    gcloud compute networks update VPC_NETWORK_NAME \
        --network-firewall-policy-enforcement-order=ENFORCEMENT_ORDER
Firewall rule evaluation process
This section describes the order in which Cloud NGFW evaluates rules that apply to target resources in regular VPC networks.
Each firewall rule is either an ingress rule or an egress rule, based on the direction of traffic:
- Ingress rules apply to packets for a new connection that a target resource receives. Supported target resources for ingress rules are as follows:
  - Network interfaces of virtual machine (VM) instances.
  - Managed Envoy proxies used by internal Application Load Balancers and internal proxy Network Load Balancers (Preview).
- Egress rules apply to packets for a new connection that a target VM network interface sends.
Cloud NGFW always evaluates rules in hierarchical firewall policies and regional system firewall policies before it evaluates any other firewall rules. You control the order in which Cloud NGFW evaluates other firewall rules by choosing a network firewall policy enforcement order. The network firewall policy enforcement order can be either AFTER_CLASSIC_FIREWALL or BEFORE_CLASSIC_FIREWALL.
AFTER_CLASSIC_FIREWALL network firewall policy enforcement order
When the network firewall policy enforcement order is AFTER_CLASSIC_FIREWALL, Cloud NGFW evaluates rules in global and regional network firewall policies after evaluating VPC firewall rules. This is the default evaluation order.
In a regular VPC network that uses the AFTER_CLASSIC_FIREWALL enforcement order, the complete firewall rule evaluation order is the following:
1. Hierarchical firewall policies.
   Cloud NGFW evaluates hierarchical firewall policies in the following order:
   - The hierarchical firewall policy associated with the organization that contains the target resource.
   - Hierarchical firewall policies associated with folder ancestors, from the top-level folder down to the folder that contains the target resource's project.
   When evaluating rules in each hierarchical firewall policy, Cloud NGFW performs the following steps:
   - Disregard all rules whose targets don't match the target resource.
   - Disregard all rules that don't match the packet's direction.
   - Evaluate the remaining rules from the highest to the lowest priority.
   Evaluation stops when either one of the following conditions is met:
   - A rule that applies to the target resource matches the traffic.
   - No rules that apply to the target resource match the traffic.
   In a hierarchical firewall policy, at most one rule can match traffic. The firewall rule's action on match can be one of the following:
   - allow: the rule allows the traffic, and all rule evaluation stops.
   - deny: the rule denies the traffic, and all rule evaluation stops.
   - apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
   - goto_next: the rule evaluation continues to one of the following:
     - A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
     - The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.
   If no rule in a hierarchical firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to one of the following:
   - A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
   - The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.
2. Regional system firewall policies.
   When evaluating regional system firewall policy rules, Cloud NGFW performs the following steps:
   - Disregard all rules whose targets don't match the target resource.
   - Disregard all rules that don't match the packet's direction.
   - Evaluate the remaining rules from the highest to the lowest priority.
   Evaluation stops when either one of the following conditions is met:
   - A rule that applies to the target resource matches the traffic.
   - No rules that apply to the target resource match the traffic.
   In a regional system firewall policy, at most one rule can match traffic. The firewall rule's action on match can be one of the following:
   - allow: the rule allows the traffic, and all rule evaluation stops.
   - deny: the rule denies the traffic, and all rule evaluation stops.
   - goto_next: the rule evaluation continues to one of the following:
     - A regional system firewall policy with the next highest association priority, if it exists.
     - The next step in the evaluation order, if all regional system firewall policies have been evaluated.
   If no rule in a regional system firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to one of the following:
   - A regional system firewall policy with the next highest association priority, if it exists.
   - The next step in the evaluation order, if all regional system firewall policies have been evaluated.
3. VPC firewall rules.
   When evaluating VPC firewall rules, Cloud NGFW performs the following steps:
   - Disregard all rules whose targets don't match the target resource.
   - Disregard all rules that don't match the packet's direction.
   - Evaluate the remaining rules from the highest to the lowest priority.
   Evaluation stops when either one of the following conditions is met:
   - A rule that applies to the target resource matches the traffic.
   - No rules that apply to the target resource match the traffic.
   When one or two VPC firewall rules match traffic, the firewall rule's action on match can be one of the following:
   - allow: the rule allows the traffic, and all rule evaluation stops.
   - deny: the rule denies the traffic, and all rule evaluation stops.
   If two rules match, they must have the same priority but different actions. In this case, Cloud NGFW enforces the deny VPC firewall rule and ignores the allow VPC firewall rule.
   If no VPC firewall rules match the traffic, Cloud NGFW uses an implied goto_next action to continue to the next step in the evaluation order.
4. Global network firewall policy.
   When evaluating rules in a global network firewall policy, Cloud NGFW performs the following steps:
   - Disregard all rules whose targets don't match the target resource.
   - Disregard all rules that don't match the packet's direction.
   - Evaluate the remaining rules from the highest to the lowest priority.
   Evaluation stops when either one of the following conditions is met:
   - A rule that applies to the target resource matches the traffic.
   - No rules that apply to the target resource match the traffic.
   In a global network firewall policy, at most one rule can match traffic. The firewall rule's action on match can be one of the following:
   - allow: the rule allows the traffic, and all rule evaluation stops.
   - deny: the rule denies the traffic, and all rule evaluation stops.
   - apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
   - goto_next: the rule evaluation continues to the regional network firewall policy step in the evaluation order.
   If no rule in a global network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to the regional network firewall policy step in the evaluation order.
5. Regional network firewall policies.
   Cloud NGFW evaluates rules in regional network firewall policies that are associated with the region and VPC network of the target resource.
   When evaluating rules in a regional network firewall policy, Cloud NGFW performs the following steps:
   - Disregard all rules whose targets don't match the target resource.
   - Disregard all rules that don't match the packet's direction.
   - Evaluate the remaining rules from the highest to the lowest priority.
   Evaluation stops when either one of the following conditions is met:
   - A rule that applies to the target resource matches the traffic.
   - No rules that apply to the target resource match the traffic.
   In a regional network firewall policy, at most one rule can match traffic. The firewall rule's action on match can be one of the following:
   - allow: the rule allows the traffic, and all rule evaluation stops.
   - deny: the rule denies the traffic, and all rule evaluation stops.
   - goto_next: the rule evaluation continues to the next step in the evaluation order.
   If no rule in a regional network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to the next step in the evaluation order.
6. Last step: implied action.
   Cloud NGFW applies an implied action if firewall rule evaluation has continued through every previous step by following explicit or implicit goto_next actions. The implied action depends on the direction of the traffic:
   - For ingress traffic, the implied action also depends on the target resource:
     - If the target resource is a network interface of a VM instance, the implied ingress action is deny.
     - If the target resource is a forwarding rule of an internal Application Load Balancer or internal proxy Network Load Balancer, the implied ingress action is allow.
   - For egress traffic, the implied action is allow.
AFTER_CLASSIC_FIREWALL diagram
The following diagram illustrates the AFTER_CLASSIC_FIREWALL network firewall policy enforcement order:
[Figure: AFTER_CLASSIC_FIREWALL evaluation order]
BEFORE_CLASSIC_FIREWALL network firewall policy enforcement order
When the network firewall policy enforcement order is BEFORE_CLASSIC_FIREWALL, Cloud NGFW evaluates rules in global and regional network firewall policies before evaluating VPC firewall rules.
In a regular VPC network that uses the BEFORE_CLASSIC_FIREWALL enforcement order, the complete firewall rule evaluation order is the following:
1. Hierarchical firewall policies.
   Cloud NGFW evaluates hierarchical firewall policies in the following order:
   - The hierarchical firewall policy associated with the organization that contains the target resource.
   - Hierarchical firewall policies associated with folder ancestors, from the top-level folder down to the folder that contains the target resource's project.
   When evaluating rules in each hierarchical firewall policy, Cloud NGFW performs the following steps:
   - Disregard all rules whose targets don't match the target resource.
   - Disregard all rules that don't match the packet's direction.
   - Evaluate the remaining rules from the highest to the lowest priority.
   Evaluation stops when either one of the following conditions is met:
   - A rule that applies to the target resource matches the traffic.
   - No rules that apply to the target resource match the traffic.
   In a hierarchical firewall policy, at most one rule can match traffic. The firewall rule's action on match can be one of the following:
   - allow: the rule allows the traffic, and all rule evaluation stops.
   - deny: the rule denies the traffic, and all rule evaluation stops.
   - apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
   - goto_next: the rule evaluation continues to one of the following:
     - A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
     - The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.
   If no rule in a hierarchical firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to one of the following:
   - A hierarchical firewall policy associated with a folder ancestor closer to the target resource, if it exists.
   - The next step in the evaluation order, if all hierarchical firewall policies have been evaluated.
2. Regional system firewall policies.
   When evaluating regional system firewall policy rules, Cloud NGFW performs the following steps:
   - Disregard all rules whose targets don't match the target resource.
   - Disregard all rules that don't match the packet's direction.
   - Evaluate the remaining rules from the highest to the lowest priority.
   Evaluation stops when either one of the following conditions is met:
   - A rule that applies to the target resource matches the traffic.
   - No rules that apply to the target resource match the traffic.
   In a regional system firewall policy, at most one rule can match traffic. The firewall rule's action on match can be one of the following:
   - allow: the rule allows the traffic, and all rule evaluation stops.
   - deny: the rule denies the traffic, and all rule evaluation stops.
   - goto_next: the rule evaluation continues to one of the following:
     - A regional system firewall policy with the next highest association priority, if it exists.
     - The next step in the evaluation order, if all regional system firewall policies have been evaluated.
   If no rule in a regional system firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to one of the following:
   - A regional system firewall policy with the next highest association priority, if it exists.
   - The next step in the evaluation order, if all regional system firewall policies have been evaluated.
3. Global network firewall policy.
   When evaluating rules in a global network firewall policy, Cloud NGFW performs the following steps:
   - Disregard all rules whose targets don't match the target resource.
   - Disregard all rules that don't match the packet's direction.
   - Evaluate the remaining rules from the highest to the lowest priority.
   Evaluation stops when either one of the following conditions is met:
   - A rule that applies to the target resource matches the traffic.
   - No rules that apply to the target resource match the traffic.
   In a global network firewall policy, at most one rule can match traffic. The firewall rule's action on match can be one of the following:
   - allow: the rule allows the traffic, and all rule evaluation stops.
   - deny: the rule denies the traffic, and all rule evaluation stops.
   - apply_security_profile_group: the rule forwards the traffic to a configured firewall endpoint, and all rule evaluation stops. The decision to allow or drop the packet depends on the configured security profile of the security profile group.
   - goto_next: the rule evaluation continues to the regional network firewall policy step in the evaluation order.
   If no rule in a global network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to the regional network firewall policy step in the evaluation order.
4. Regional network firewall policies.
   Cloud NGFW evaluates rules in regional network firewall policies that are associated with the region and VPC network of the target resource.
   When evaluating rules in a regional network firewall policy, Cloud NGFW performs the following steps:
   - Disregard all rules whose targets don't match the target resource.
   - Disregard all rules that don't match the packet's direction.
   - Evaluate the remaining rules from the highest to the lowest priority.
   Evaluation stops when either one of the following conditions is met:
   - A rule that applies to the target resource matches the traffic.
   - No rules that apply to the target resource match the traffic.
   In a regional network firewall policy, at most one rule can match traffic. The firewall rule's action on match can be one of the following:
   - allow: the rule allows the traffic, and all rule evaluation stops.
   - deny: the rule denies the traffic, and all rule evaluation stops.
   - goto_next: the rule evaluation continues to the next step in the evaluation order.
   If no rule in a regional network firewall policy matches the traffic, Cloud NGFW uses an implied goto_next action. This action continues the evaluation to the next step in the evaluation order.
5. VPC firewall rules.
   When evaluating VPC firewall rules, Cloud NGFW performs the following steps:
   - Disregard all rules whose targets don't match the target resource.
   - Disregard all rules that don't match the packet's direction.
   - Evaluate the remaining rules from the highest to the lowest priority.
   Evaluation stops when either one of the following conditions is met:
   - A rule that applies to the target resource matches the traffic.
   - No rules that apply to the target resource match the traffic.
   When one or two VPC firewall rules match traffic, the firewall rule's action on match can be one of the following:
   - allow: the rule allows the traffic, and all rule evaluation stops.
   - deny: the rule denies the traffic, and all rule evaluation stops.
   If two rules match, they must have the same priority but different actions. In this case, Cloud NGFW enforces the deny VPC firewall rule and ignores the allow VPC firewall rule.
   If no VPC firewall rules match the traffic, Cloud NGFW uses an implied goto_next action to continue to the next step in the evaluation order.
6. Last step: implied action.
   Cloud NGFW applies an implied action if firewall rule evaluation has continued through every previous step by following explicit or implicit goto_next actions. The implied action depends on the direction of the traffic:
   - For ingress traffic, the implied action also depends on the target resource:
     - If the target resource is a network interface of a VM instance, the implied ingress action is deny.
     - If the target resource is a forwarding rule of an internal Application Load Balancer or internal proxy Network Load Balancer, the implied ingress action is allow.
   - For egress traffic, the implied action is allow.
BEFORE_CLASSIC_FIREWALL diagram
The following diagram illustrates the BEFORE_CLASSIC_FIREWALL network firewall policy enforcement order:
[Figure: BEFORE_CLASSIC_FIREWALL evaluation order]
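The evaluation pipeline above is easiest to reason about when you can run a packet through it. The following is an added example, not code from this page or from Google: a small Python model of the per-policy steps (target filter, direction filter, highest-to-lowest priority walk, implied goto_next), of the AFTER_CLASSIC_FIREWALL and BEFORE_CLASSIC_FIREWALL step orders, of the equal-priority deny-wins rule for VPC firewall rules, and of the implied last-step action. The rule and policy shapes, the tag-based target matching, the packet dicts and every rule name are constructed for the example; apply_security_profile_group is not modelled, and hierarchical policies are evaluated in the list order you pass (organization first, then folders top-down). The scenario shows the point that matters operationally: with a permissive VPC firewall rule and a stricter global network firewall policy rule that both match SSH from the internet, the same rule set allows the packet under AFTER_CLASSIC_FIREWALL and denies it under BEFORE_CLASSIC_FIREWALL.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Evaluation order for each enforcement setting, as listed on this page.
ORDER = {
    "AFTER_CLASSIC_FIREWALL": ["hierarchical", "system", "vpc", "global", "regional"],
    "BEFORE_CLASSIC_FIREWALL": ["hierarchical", "system", "global", "regional", "vpc"],
}

@dataclass
class Rule:
    name: str
    direction: str                   # "ingress" or "egress"
    priority: int                    # lower number = higher priority
    action: str                      # "allow", "deny" or "goto_next"
    match: Callable[[dict], bool]    # predicate over a constructed packet dict
    targets: Optional[set] = None    # None: applies to every target resource

@dataclass
class Policy:
    name: str
    kind: str                        # one of the names used in ORDER
    rules: list

def from_range(cidr):
    """Predicate: the packet's source address lies in the given CIDR."""
    net = ipaddress.ip_network(cidr)
    return lambda pkt: ipaddress.ip_address(pkt["src"]) in net

def evaluate_policy(policy, packet, target):
    """Per-policy steps from the page: drop rules for other targets, drop rules
    for the other direction, walk the rest from highest to lowest priority.
    Returns (action, rule_name); no match means an implied goto_next."""
    candidates = sorted((r for r in policy.rules
                         if (r.targets is None or r.targets & target["tags"])
                         and r.direction == packet["direction"]),
                        key=lambda r: r.priority)
    if policy.kind == "vpc":
        # VPC firewall rules may share a priority; when an allow and a deny of
        # equal priority both match, the deny rule is enforced.
        for prio in sorted({r.priority for r in candidates}):
            hits = [r for r in candidates if r.priority == prio and r.match(packet)]
            if hits:
                winner = next((r for r in hits if r.action == "deny"), hits[0])
                return winner.action, winner.name
        return "goto_next", None
    for r in candidates:             # firewall policies: at most one rule matches
        if r.match(packet):
            return r.action, r.name
    return "goto_next", None

def implied_action(packet, target):
    """Last step: egress is allowed; ingress is denied for a VM NIC and allowed
    for an internal load balancer forwarding rule."""
    if packet["direction"] == "egress":
        return "allow"
    return "allow" if target["kind"] == "internal-lb-forwarding-rule" else "deny"

def evaluate(policies, packet, target, order="AFTER_CLASSIC_FIREWALL"):
    """Run the whole pipeline; returns (verdict, trace of (policy, action, rule)).
    Policies of the same kind are evaluated in the order given (for hierarchical
    policies, list the organization policy first, then folders top-down)."""
    trace = []
    for kind in ORDER[order]:
        for policy in (p for p in policies if p.kind == kind):
            action, rule = evaluate_policy(policy, packet, target)
            trace.append((policy.name, action, rule))
            if action in ("allow", "deny"):
                return action, trace
    verdict = implied_action(packet, target)
    trace.append(("implied", verdict, None))
    return verdict, trace

def run_demo():
    """Constructed scenario: a permissive VPC firewall rule and a stricter global
    network firewall policy rule both match SSH arriving from the internet."""
    vpc = Policy("vpc-firewall-rules", "vpc", [
        Rule("allow-ssh-any", "ingress", 1000, "allow",
             lambda p: p["port"] == 22, targets={"web"}),
    ])
    global_policy = Policy("global-net-policy", "global", [
        Rule("deny-ssh-from-internet", "ingress", 100, "deny",
             lambda p: p["port"] == 22 and not from_range("10.0.0.0/8")(p)),
        Rule("predefined-goto-next-ipv4", "ingress", 2147483647, "goto_next",
             from_range("0.0.0.0/0")),
    ])
    tie_vpc = Policy("vpc-equal-priority", "vpc", [
        Rule("allow-https", "ingress", 1000, "allow", lambda p: p["port"] == 443),
        Rule("deny-https", "ingress", 1000, "deny", lambda p: p["port"] == 443),
    ])
    vm = {"kind": "vm-nic", "tags": {"web"}}                           # constructed
    ssh = {"direction": "ingress", "src": "203.0.113.5", "port": 22}   # constructed
    https = {"direction": "ingress", "src": "203.0.113.5", "port": 443}
    egress = {"direction": "egress", "src": "10.0.0.5", "port": 443}
    results = {o: evaluate([vpc, global_policy], ssh, vm, o)[0] for o in ORDER}
    results["unmatched-ingress"] = evaluate([vpc, global_policy], https, vm)[0]
    results["unmatched-egress"] = evaluate([vpc, global_policy], egress, vm)[0]
    results["vpc-equal-priority"] = evaluate([tie_vpc], https, vm)[0]
    return results
```

Calling run_demo() returns allow for AFTER_CLASSIC_FIREWALL and deny for BEFORE_CLASSIC_FIREWALL on the same SSH packet, deny for the unmatched ingress packet to the VM NIC, allow for the unmatched egress packet, and deny when an allow and a deny VPC firewall rule of equal priority both match. The trace returned by evaluate() records which policy and rule decided each verdict, which is the same information you would look for in effective firewall rules when debugging an unexpected drop.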
Effective firewall rules
Hierarchical firewall policy rules, VPC firewall rules, and global and regional network firewall policy rules control connections. You might find it helpful to see all the firewall rules that affect an individual network or VM interface.
Network effective firewall rules
You can view all firewall rules applied to a VPC network. The list includes all of the following kinds of rules:
- Rules inherited from hierarchical firewall policies
- VPC firewall rules
- Rules applied from the global and regional network firewall policies
Instance effective firewall rules
You can view all firewall rules applied to a VM's network interface. The list includes all of the following kinds of rules:
- Rules inherited from hierarchical firewall policies
- Rules applied from the interface's VPC firewall
- Rules applied from the global and regional network firewall policies
The rules are ordered from the organization level down to the VPC network. Only rules that apply to the VM interface are shown. Rules in other policies aren't shown.
To view the effective firewall policy rules within a region, see Get effective regional firewall policies for a network.
Predefined rules
When you create a hierarchical firewall policy, a global network firewall policy, or a regional network firewall policy, Cloud NGFW adds predefined rules to the policy. The predefined rules that Cloud NGFW adds to the policy depend on how you create the policy.
If you create a firewall policy using the Google Cloud console, Cloud NGFW adds the following rules to the new policy:
- Goto-next rules for private IPv4 ranges
- Predefined Google Threat Intelligence deny rules
- Predefined geolocation deny rules
- Lowest possible priority goto-next rules
If you create a firewall policy using the Google Cloud CLI or the API, Cloud NGFW adds only the lowest possible priority goto-next rules to the policy.
Note: These predefined rules in firewall policies are different from the implied and prepopulated VPC firewall rules. All predefined rules in a new firewall policy purposefully use low priorities (large priority numbers) so you can override them by creating rules with higher priorities. Except for the lowest possible priority goto-next rules, you can also customize the predefined rules.
Goto-next rules for private IPv4 ranges
- An egress rule with destination IPv4 ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, priority 1000, and goto_next action.
- An ingress rule with source IPv4 ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, priority 1001, and goto_next action.
Predefined Google Threat Intelligence deny rules
- An ingress rule with source Google Threat Intelligence list iplist-tor-exit-nodes, priority 1002, and deny action.
- An ingress rule with source Google Threat Intelligence list iplist-known-malicious-ips, priority 1003, and deny action.
- An egress rule with destination Google Threat Intelligence list iplist-known-malicious-ips, priority 1004, and deny action.
To learn more about Google Threat Intelligence, see Google Threat Intelligence for firewall policy rules.
Predefined geolocation deny rules
- An ingress rule with source matching geolocations CU, IR, KP, SY, XC, and XD, priority 1005, and deny action.
To learn more about geolocations, see Geolocation objects.
Lowest possible priority goto-next rules
You cannot modify or delete the following rules:
- An egress rule with destination IPv6 range ::/0, priority 2147483644, and goto_next action.
- An ingress rule with source IPv6 range ::/0, priority 2147483645, and goto_next action.
- An egress rule with destination IPv4 range 0.0.0.0/0, priority 2147483646, and goto_next action.
- An ingress rule with source IPv4 range 0.0.0.0/0, priority 2147483647, and goto_next action.
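The note above says the predefined rules use low priorities so that your own rules can override them. The converse is the practical caveat: because at most one rule in a policy matches and a goto_next rule hands evaluation to the next step, a custom rule placed at a lower priority (larger number) than the predefined private-range goto_next rule at priority 1001 can never match traffic from a private source. The following is an added example, not code from this page or from Google: a Python check that models the CIDR-based predefined ingress rules listed above with the page's priorities, finds the rule that wins for a given source address, and reports custom rules whose source ranges are entirely covered by higher-priority rules. It assumes that rules match on source range only, that priorities within a policy are unique, and it omits the Google Threat Intelligence and geolocation rules, which match on lists rather than CIDRs; the rule names and the 10.20.0.0/16 "legacy subnet" are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number = higher priority
    action: str          # "allow", "deny" or "goto_next"
    sources: tuple       # source CIDRs of an ingress rule (the only match criterion here)

    def networks(self):
        return [ipaddress.ip_network(s) for s in self.sources]

def predefined_ingress_rules():
    """The CIDR-based predefined ingress rules listed on this page, with the
    page's priorities (threat-intelligence and geolocation rules omitted)."""
    return [
        Rule("goto-next-private-ipv4", 1001, "goto_next",
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")),
        Rule("goto-next-ipv6-any", 2147483645, "goto_next", ("::/0",)),
        Rule("goto-next-ipv4-any", 2147483647, "goto_next", ("0.0.0.0/0",)),
    ]

def first_match(rules, src_ip):
    """Highest-priority rule whose source ranges contain src_ip; at most one
    rule in a firewall policy matches, as the evaluation section describes."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if any(ip in net for net in rule.networks()):   # version mismatch is False
            return rule
    return None

def covered(net, by):
    """True when net is entirely inside by (same IP version only)."""
    return net.version == by.version and net.subnet_of(by)

def shadowed_rules(rules):
    """Names of allow/deny rules whose every source range lies inside a source
    range of some higher-priority rule; such rules can never match and are
    silently inert, which is what happens to a deny added below priority 1001
    for a private source range."""
    ordered = sorted(rules, key=lambda r: r.priority)
    shadowed = []
    for i, rule in enumerate(ordered):
        above = [n for r in ordered[:i] for n in r.networks()]
        if rule.action != "goto_next" and all(
                any(covered(n, b) for b in above) for n in rule.networks()):
            shadowed.append(rule.name)
    return shadowed

def demo():
    """Constructed: a deny for a legacy private subnet added at priority 5000
    (below the predefined goto_next at 1001) versus the same deny at 500."""
    too_low = Rule("deny-legacy-subnet-too-low", 5000, "deny", ("10.20.0.0/16",))
    overriding = Rule("deny-legacy-subnet", 500, "deny", ("10.20.0.0/16",))
    src = "10.20.1.7"   # constructed source address inside the legacy subnet
    return {
        "winner_when_too_low": first_match(predefined_ingress_rules() + [too_low], src).name,
        "winner_when_overriding": first_match(predefined_ingress_rules() + [overriding], src).name,
        "shadowed_when_too_low": shadowed_rules(predefined_ingress_rules() + [too_low]),
        "shadowed_when_overriding": shadowed_rules(predefined_ingress_rules() + [overriding]),
    }
```

With the deny at priority 5000, first_match() returns the predefined goto-next-private-ipv4 rule for a source in 10.20.0.0/16 and shadowed_rules() flags the deny; with the deny at priority 500 it wins and nothing is flagged. The same check is worth running over a policy's ingress rules after anyone customizes the predefined rules, since raising the priority number of a predefined goto_next rule changes which custom rules it shadows.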
What's next
- To create and modify hierarchical firewall policies and rules, see Use hierarchical firewall policies and rules.
- To see examples of hierarchical firewall policy implementations, see Hierarchical firewall policy examples.
- To create and modify global network firewall policies and rules, see Use global network firewall policies and rules.
- To create and modify regional network firewall policies and rules, see Use regional network firewall policies and rules.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.