Cloud Firewall
Cloud Firewall on Google Cloud is not one product but a family of layers stacked on top of each other. The foundation is the stateful VPC firewall rules covered on the previous page. On top sit Network Firewall Policies, Hierarchical Firewall Policies for org-wide guardrails, and at the top tier Cloud Next-Generation Firewall (NGFW) — a managed firewall service with L7 inspection, intrusion prevention, and TLS decryption.
For most production workloads, basic VPC rules are not enough. The hierarchy separates a default-allow free-for-all from an enterprise security posture, and the right NGFW tier catches threats that traditional L3/L4 rules cannot see.
VPC Rules vs Network Firewall Policies
Network Firewall Policies are the modern replacement for legacy VPC firewall rules. They support the same allow/deny actions and the same matching criteria — priorities and target service accounts exist in both models — with several capabilities VPC rules lack: rules grouped into a single policy object you can attach, reuse, and audit as a unit; IAM-governed secure tags instead of freeform network tags; both global and regional scope for blast-radius control; and the goto_next action that is the building block of layered policies.
VPC firewall rules are the legacy model: individually named rules attached directly to a VPC, matched by source CIDR, network tags, or service accounts, with no policy-level grouping. Still supported, still works. Use them only when you are maintaining an existing footprint and the operational lift of migration is not worth it.
Network firewall policies are the recommended model for new projects: rules grouped into attachable policies, secure tags, global or regional scope, and goto_next for layering. Equal cost, more features, easier to audit. Default to these for anything new.
Hierarchical Firewall Policies
Hierarchical Firewall Policies apply at the organization or folder level and evaluate before any VPC-level or network policy. They are the right place for security guardrails that must be true everywhere: "no SSH from public internet," "no outbound traffic to high-risk geographies," "deny inter-project traffic by default." Owners of individual projects cannot weaken these guardrails — they can only add more permissive rules below them, which the hierarchy already rejected. Use hierarchical policies as the org-wide security baseline; reserve network policies and VPC rules for application-specific allow lists.
Rule Evaluation Order
Traffic evaluation walks down the hierarchy in this order: hierarchical policies at the organization level, then folder level; then — in the default configuration — VPC firewall rules; then network firewall policies at the global scope, then regional scope. (A per-network setting can move network policies ahead of VPC rules; check which order your VPC uses before debugging.) At each layer, the highest-priority matching rule wins. A goto_next action explicitly defers to the next layer.
The most common "I allowed it but the connection is still blocked" debugging session is caused by an earlier-evaluated rule — usually a forgotten hierarchical deny — terminating evaluation before the application-level allow rule fires. Check the top of the hierarchy first.
Cloud NGFW Tiers
Cloud Next-Generation Firewall has three tiers stacked on the same policy infrastructure. Essentials is included by default — stateful L3/L4 inspection, the rules engine described above. Standard adds threat intelligence feeds (malicious IP lists, Tor exit nodes, geolocation filters) and FQDN-based filtering, billed by the volume of traffic evaluated (per GiB). Enterprise adds L7 inspection, intrusion prevention (IPS) with managed signature databases, and TLS inspection. Enterprise is the most expensive tier; reserve it for workloads where compliance or threat profile genuinely requires the visibility.
Threat Intelligence and IDS
Threat intelligence in Standard and Enterprise tiers uses managed feeds that Google updates automatically: known-malicious IP addresses, Tor exit nodes, anonymizing proxies, and country-level geo blocks. Apply them as a coarse first-line filter — they catch obvious bad actors before any other rule runs. Watch the false-positive rate, especially on geo blocks: VPN concentrators and CDN edges sometimes land in unexpected regions and break legitimate traffic.
TLS Inspection
TLS Inspection (Enterprise tier only) decrypts HTTPS traffic at the firewall, applies L7 rules, then re-encrypts before forwarding. You upload a CA certificate pool that clients trust; the firewall mints leaf certificates on the fly. This gives genuine visibility into encrypted traffic — and creates real obligations: certificate lifecycle management, compliance and legal review of decrypting end-user traffic, and operational overhead when applications pin certificates. Enable it deliberately, not by default.
Firewall Insights and Logs
Firewall Insights analyzes rule usage and surfaces problems: shadowed rules (higher-priority rules cover them, so they never fire), overly permissive rules, and rules with zero hits over a long window. Review the recommendations quarterly. Firewall logs (off by default) record allow and deny decisions; enable them on rules near public boundaries and leave them off on high-volume internal allow rules where the log noise overwhelms the signal.
- Continuing to create only VPC firewall rules for new projects — network firewall policies have more capabilities at the same cost.
- Putting baseline security in every VPC instead of one hierarchical policy — owners drift from the baseline, and there is no single source to audit.
- Debugging "why is this blocked" without checking the hierarchical layer first — it evaluates before VPC rules ever see the traffic.
- Choosing NGFW Enterprise without a concrete compliance or threat-profile need — paying for L7, IPS, and TLS inspection you do not use.
- Enabling TLS inspection without planning the CA cert deployment to clients and the compliance review of decrypting end-user traffic.
- Matching east-west rules on network tags instead of target service accounts — tags survive redeploys poorly.
- Ignoring Firewall Insights — shadowed and zero-hit rules accumulate, making future audits much harder than they need to be.
- Use Network Firewall Policies for all new projects. Treat VPC rules as legacy and migrate when you next touch the workload.
- Hierarchical policies at the org level for security guardrails — no SSH or RDP from the internet, geo blocks for high-risk regions, deny-all inter-project traffic by default.
- Start every workload at NGFW Essentials. Upgrade to Standard when threat intelligence value is concrete. Upgrade to Enterprise only with a regulatory or audit-driven requirement.
- Match east-west firewall rules on target service accounts, not network tags. Service accounts are tied to instances at deploy time and survive redeploys reliably.
- Review Firewall Insights at least quarterly. Delete shadowed rules and zero-hit rules.
- Enable firewall logs on rules around public boundaries. Leave them off on high-volume internal allow rules where the noise overwhelms the signal.
- Document rule intent in the rule name and description. Six months later, audit becomes drastically easier.
Knowledge Check
Which firewall layer evaluates first when traffic enters a VPC?
- VPC firewall rules — they are closest to the workload
- The default-allow-internal rule, which takes precedence over every other layer
- Hierarchical firewall policies at the organization and folder level
- Network firewall policies in the same region as the source
For a new GCP project, which firewall mechanism does Google recommend over legacy VPC firewall rules?
- Stateful application gateways in front of every workload
- Network Firewall Policies (global or regional)
- Cloud Armor security policies as a substitute for VPC rules
- Org-level IAM conditions to restrict network access
Which Cloud NGFW tier adds intrusion prevention (IPS) and TLS inspection?
- Essentials — included by default with every VPC
- Standard — threat intelligence and FQDN filtering only
- Enterprise — L7 inspection, IPS, and TLS inspection
- Premium — global edge security on top of CDN
Why prefer target service accounts over network tags when matching east-west firewall rules?
- Service accounts allow a single rule to span multiple VPCs without peering
- Service accounts are tied to instances at deploy time and survive redeploys reliably; tags can drift or be removed by mistake
- Service accounts are the only way to match egress traffic in Cloud NGFW
- Tag-based rules are billed per packet evaluation in the NGFW Enterprise tier, whereas service-account matches are evaluated for free at the host
What is the principal trade-off of enabling TLS inspection?
- Lower throughput is the only cost; security and compliance posture stay unchanged
- Genuine L7 visibility into encrypted traffic at the cost of decrypting end-user traffic, managing a CA certificate pool, and the resulting compliance obligations
- It only works for outbound traffic and cannot inspect inbound HTTPS
- It removes the need for client TLS certificates throughout the application, since the firewall terminates and re-issues every session on the workload's behalf at the edge
You got correct