Migrate VPC firewall rules that don't use network tags and service accounts
If your Virtual Private Cloud (VPC) firewall rules don't use any network tags or service accounts, perform the following tasks to migrate the VPC firewall rules to a global network firewall policy:
- Assess your environment.
- Migrate the VPC firewall rules.
- Review the new global network firewall policy.
- Complete the postmigration tasks.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.
Roles required to select or create a project:
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
- Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Compute Engine API.
Roles required to enable APIs: To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
- Install the Google Cloud CLI.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update. If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- To initialize the gcloud CLI, run the following command:
    gcloud init
- Make sure that you have the Compute Security Admin role (roles/compute.securityAdmin).
Assess your environment
- Identify the number of existing VPC firewall rules in your network.
- Make a note of the priorities associated with each VPC firewall rule.
- Make sure that you have the required Identity and Access Management (IAM) roles and permissions to create, associate, modify, and view global network firewall policies.
Migrate the VPC firewall rules
After assessing your environment, migrate your VPC firewall rules to a global network firewall policy by using the compute firewall-rules migrate command.
    gcloud beta compute firewall-rules migrate \
        --source-network=NETWORK_NAME \
        --target-firewall-policy=POLICY_NAME
Replace the following:
- NETWORK_NAME: the name of your VPC network containing the VPC firewall rules that you want to migrate.
- POLICY_NAME: the name of the global network firewall policy to create during migration.
Exclude firewall rules from migration
To exclude specific firewall rules from migration, use the gcloud beta compute firewall-rules migrate command with the --exclusion-patterns-file flag:
    gcloud beta compute firewall-rules migrate \
        --source-network=NETWORK_NAME \
        --target-firewall-policy=POLICY_NAME \
        --exclusion-patterns-file=EXCLUSION_PATTERNS_FILE
Replace the following:
- NETWORK_NAME: the name of your VPC network that contains the VPC firewall rules that you want to migrate.
- POLICY_NAME: the name of the global network firewall policy to create during migration.
- EXCLUSION_PATTERNS_FILE: the name of the file that contains regular expressions that define VPC firewall naming patterns to exclude from migration. Make sure to specify the full path of the file. Firewall rules that match the specified patterns are skipped.
When defining the exclusion patterns, consider the following:
- Each regular expression must be on its own line and represent a single firewall naming pattern.
- The regular expressions don't contain any leading or trailing whitespace.
View excluded firewall rules
Based on the excluded firewall rule naming patterns, the migration tool doesn't migrate some firewall rules, such as Google Kubernetes Engine (GKE) firewall rules. To export the list of excluded firewall rule naming patterns, use the gcloud beta compute firewall-rules migrate command with the --export-exclusion-patterns and the --exclusion-patterns-file flags.
    gcloud beta compute firewall-rules migrate \
        --source-network=NETWORK_NAME \
        --target-firewall-policy=POLICY_NAME \
        --exclusion-patterns-file=EXCLUSION_PATTERNS_FILE \
        --export-exclusion-patterns
Replace the following:
- NETWORK_NAME: the name of your VPC network that contains the VPC firewall rules that you want to migrate.
- POLICY_NAME: the name of the global network firewall policy to create during migration.
- EXCLUSION_PATTERNS_FILE: the path of the file where the following excluded firewall rule naming patterns are exported.
    gke-(.+)-ipv6-all
    gke-(.+)-(.+)-((master)|(vms)|(all)|(inkubelet)|(exkubelet)|(mcsd))
    k8s-fw-(l7-)?(.+)
    k8s-(.+)-((node)|(http)|(node-http))-hc
    (.+)-hc
    k8s2-(.+)-(.+)-(.+)-(.+)(-fw)?
    k8s2-(.+)-l4-shared-hc-fw
    gke((gw)|(mcg))1-l7-(.+)-(.+)
To migrate excluded firewall rules that match a specific pattern, remove the pattern from the exported list and run the gcloud beta compute firewall-rules migrate command with the --exclusion-patterns-file flag.
Force migration while preserving evaluation order
During migration, if an excluded firewall rule's evaluation order falls between the evaluation orders of user-specified firewall rules, the migration fails. This happens because the excluded firewall rules are not migrated, and the migration tool cannot preserve the original evaluation order of user-defined rules in the new network firewall policy.
For example, if your firewall rules have the following priorities, the migrationfails.
- A user-specified rule with priority 100
- An excluded rule with priority 200
- A user-specified rule with priority 300
To force the migration tool to migrate the user-specified rules while preserving their original evaluation order and ignoring excluded firewall rules, use the gcloud beta compute firewall-rules migrate command with the --force flag.
    gcloud beta compute firewall-rules migrate \
        --source-network=NETWORK_NAME \
        --target-firewall-policy=POLICY_NAME \
        --force
Replace the following:
- NETWORK_NAME: the name of your VPC network that contains the VPC firewall rules that you want to migrate.
- POLICY_NAME: the name of the global network firewall policy to create during migration.
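The two situations described in the preceding sections, an exclusion patterns file that must hold one clean regular expression per line, and an excluded rule whose priority sits between user-specified rules so that the migration fails without --force, can both be checked before the migrate command is run. The following script is an added example, not Google's tooling and not part of this page's procedure. It assumes an exclusion patterns file and a "NAME PRIORITY" list of the rules in the source network (the gcloud list command in the comment is one way to obtain it; the inputs used here are constructed inline), and it assumes that a pattern must match the whole rule name and that "between" means strictly between the lowest and highest migrating priority.

```shell
#!/bin/sh
# Added example (not Google's tooling): a preflight check run before
# "gcloud beta compute firewall-rules migrate". It takes an exclusion
# patterns file (one extended regex per line, no surrounding whitespace,
# as the page requires) and a "NAME PRIORITY" list of the rules in the
# source network. In practice that list could come from
#   gcloud compute firewall-rules list --filter="network:NETWORK_NAME" \
#       --format="value(name,priority)"
# but both inputs are constructed inline here so the check runs offline.

# check_patterns_file FILE: returns 0 if every line is a non-empty pattern
# with no leading or trailing whitespace; otherwise reports the offending
# line numbers on stderr and returns 1.
check_patterns_file() {
    bad=$(grep -n -E '^[[:space:]]|[[:space:]]$|^$' "$1" | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "malformed exclusion pattern on line(s): $bad" >&2
        return 1
    fi
    return 0
}

# classify_rules PATTERNS_FILE RULES_FILE: prints one line per rule,
# "excluded NAME PRIORITY" when the whole rule name matches a pattern
# (whole-name matching is this example's assumption), otherwise
# "migrate NAME PRIORITY".
classify_rules() {
    while read -r name prio; do
        [ -z "$name" ] && continue
        if printf '%s\n' "$name" | grep -q -E -x -f "$1"; then
            echo "excluded $name $prio"
        else
            echo "migrate $name $prio"
        fi
    done < "$2"
}

# interleaved_priorities PATTERNS_FILE RULES_FILE: prints every excluded
# rule whose priority lies strictly between the lowest and highest priority
# of the rules that will migrate, and returns 0 if there is at least one.
# That is the situation in which the migrate command fails unless --force
# is given. Returns 1 when the evaluation order can be preserved as is.
interleaved_priorities() {
    classified=$(classify_rules "$1" "$2")
    migrating=$(printf '%s\n' "$classified" | awk '$1 == "migrate" { print $3 }' | sort -n)
    lo=$(printf '%s\n' "$migrating" | head -n 1)
    hi=$(printf '%s\n' "$migrating" | tail -n 1)
    printf '%s\n' "$classified" | awk -v lo="$lo" -v hi="$hi" '
        $1 == "excluded" && $3 + 0 > lo + 0 && $3 + 0 < hi + 0 { print $2, $3; found = 1 }
        END { exit !found }'
}

# Constructed sample inputs for the example: two of the patterns the page
# exports, and four rule names that a network might contain.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/exclusions.txt" <<'EOF'
gke-(.+)-ipv6-all
k8s-fw-(l7-)?(.+)
EOF
cat > "$SAMPLE_DIR/rules.txt" <<'EOF'
allow-ssh-admin 100
gke-prod-ipv6-all 200
allow-internal 300
k8s-fw-l7-default 1000
EOF

check_patterns_file "$SAMPLE_DIR/exclusions.txt"
classify_rules "$SAMPLE_DIR/exclusions.txt" "$SAMPLE_DIR/rules.txt"
if interleaved_priorities "$SAMPLE_DIR/exclusions.txt" "$SAMPLE_DIR/rules.txt"; then
    echo "migration would fail without --force: an excluded rule sits between user-specified rules"
fi
```

With the constructed inputs, the excluded rule gke-prod-ipv6-all (priority 200) falls between the migrating rules at 100 and 300, which is exactly the case the page describes; the rule at priority 1000 is excluded but outside that range and is reported as harmless. If you do run this against a real rule list, review the reported rules before deciding whether --force (which drops the excluded rules from the new policy's ordering) is acceptable for your network.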
Review the new global network firewall policy
Before you attach the new global network firewall policy to a VPC network, Google recommends that you review the policy to help ensure that the migration process has completed accurately.
Verify the firewall policy rules configuration, and check if the following rule components are properly migrated for each rule:
- Relative priority
- Direction of traffic
- Action on match
- Log settings
- Target parameters
- Source parameters (for ingress rules)
- Destination parameters (for egress rules)
- Protocol and port constraints
For more information about the components of a firewall policy rule, see Firewall policy rules.
Note: The migration command does not apply to VPC firewall rules that are automatically created by Google Kubernetes Engine (GKE).
Postmigration tasks
To activate and use your global network firewall policy, you must complete the postmigration tasks covered in the following sections.
Associate the global network firewall policy with your network
The migration tool creates the global network firewall policy based on the existing VPC firewall rules. You must manually associate the policy with the required VPC network to activate the policy rules for any VMs within that network. To associate the global network firewall policy, use the compute network-firewall-policies associations create command.
    gcloud compute network-firewall-policies associations create \
        --firewall-policy=POLICY_NAME \
        --network=NETWORK_NAME \
        --global-firewall-policy --replace-association-on-target
Replace the following:
- POLICY_NAME: the name of the global network policy that you want to associate with your VPC network.
- NETWORK_NAME: the name of your VPC network.
The --replace-association-on-target flag specifies that any existing association is deleted when you create the new association.
For more information about associating a global network firewall policy to a VPC network, see Associate a policy with the network.
Change the policy and rule evaluation order
By default, Cloud Next Generation Firewall evaluates the VPC firewall rules before it evaluates a global network firewall policy. To make sure that global network firewall policies take precedence over VPC firewall rules, use the compute networks update command to change the rule evaluation order.
    gcloud compute networks update NETWORK_NAME \
        --network-firewall-policy-enforcement-order=BEFORE_CLASSIC_FIREWALL
Replace NETWORK_NAME with the name of your VPC network.
To verify whether the global network firewall policy is evaluated before the VPC firewall rules, use the compute networks get-effective-firewalls command.
    gcloud compute networks get-effective-firewalls NETWORK_NAME
In the output of the preceding command, if TYPE: network-firewall-policy is displayed before TYPE: network-firewall, then the global network firewall policy is evaluated first.
For more information about changing the policy and rule evaluation order, see Change policy and rule evaluation order.
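The order check described above is easy to get wrong by eye on a long effective-firewalls listing. The following script is an added example, not from this page or from the gcloud project: it reads captured output of the get-effective-firewalls command and reports which of the two TYPE values the page names appears first. The sample outputs are constructed for the example and trimmed to a TYPE column and a priority; the real command prints more columns, which the check ignores because it only looks for the two tokens.

```shell
#!/bin/sh
# Added example, not from the page or the gcloud project: reads captured
# output of "gcloud compute networks get-effective-firewalls NETWORK_NAME"
# and reports whether the network firewall policy is listed before the VPC
# firewall rules, using only the two TYPE values the page names. The samples
# below are constructed for the example and trimmed to a TYPE column and a
# priority; real output has more columns, which the check ignores.

# policy_evaluated_first FILE: returns 0 when the first line carrying the
# token network-firewall-policy comes before the first line carrying
# network-firewall, 1 when the classic VPC rules come first, and 2 when
# either type is missing from the output (nothing to compare).
policy_evaluated_first() {
    awk '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "network-firewall-policy" && !p) p = NR
                if ($i == "network-firewall" && !c) c = NR
            }
        }
        END {
            if (!p || !c) exit 2
            exit ((p < c) ? 0 : 1)
        }' "$1"
}

# describe_order FILE: prints a one-word verdict for the exit code above.
# Written so that it is safe under "set -e" (the failing call is in a list).
describe_order() {
    policy_evaluated_first "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "policy-first" ;;
        1) echo "vpc-rules-first" ;;
        *) echo "undetermined" ;;
    esac
}

SAMPLE_DIR=$(mktemp -d)
# Constructed: enforcement order already set to BEFORE_CLASSIC_FIREWALL.
cat > "$SAMPLE_DIR/policy_first.txt" <<'EOF'
TYPE                     PRIORITY
network-firewall-policy  1000
network-firewall         65534
EOF
# Constructed: default enforcement order, VPC rules still evaluated first.
cat > "$SAMPLE_DIR/vpc_first.txt" <<'EOF'
TYPE                     PRIORITY
network-firewall         1000
network-firewall-policy  1000
EOF

describe_order "$SAMPLE_DIR/policy_first.txt"   # policy-first
describe_order "$SAMPLE_DIR/vpc_first.txt"      # vpc-rules-first
```

A real run would replace the constructed files with the saved output of the get-effective-firewalls command for your network. The "undetermined" result is worth acting on: it means one of the two types is absent, for example because the policy is not yet associated with the network, so the ordering question cannot be answered from that listing.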
Enable logging of firewall rules
Logging helps you to determine whether a firewall rule is functioning as intended. The migration tool retains the logging status of the existing VPC firewall rules when it creates the new global network firewall policy. Make sure that logging is enabled for the rules inside the global network firewall policy. To enable logging for firewall policy rules, use the compute network-firewall-policies rules update command.
    gcloud compute network-firewall-policies rules update PRIORITY \
        --firewall-policy=POLICY_NAME \
        --enable-logging --global-firewall-policy
Replace the following:
- PRIORITY: the priority of the rule to be updated.
- POLICY_NAME: the name of the global network firewall policy whose rule you want to update.
Test your global network firewall policy
Before deleting your VPC firewall rules, test your global network firewall policy to check whether the policy rules are working according to your expectations for any traffic that matches the rules.
Do the following:
- Ensure that you have enabled logging on VPC firewall rules and the global network firewall policy.
- Change the rule evaluation order, so that the global network firewall policy is evaluated before your VPC firewall rules.
- Monitor the logs to verify that the global network firewall policy has hit counts and the VPC firewall rules are shadowed.
Delete the VPC firewall rules from your network
Google recommends that you disable the VPC firewall rules first before entirely deleting them. You can revert to those rules if the global network firewall policy created by the migration tool fails to provide the expected results.
To disable a VPC firewall rule, use the compute firewall-rules update command.
    gcloud compute firewall-rules update RULE_NAME --disabled
Replace RULE_NAME with the name of the VPC firewall rule to be disabled.
To delete a VPC firewall rule, use the compute firewall-rules delete command.
    gcloud compute firewall-rules delete RULE_NAME
What's next
- Learn more about migrating VPC firewall rules.
- Migrate VPC firewall rules with dependencies.
Last updated 2026-02-18 UTC.