Use hierarchical firewall policies and rules

This page assumes that you are familiar with the concepts described in Hierarchical firewall policies. To see examples of hierarchical firewall policy implementations, see Hierarchical firewall policy examples.

Limitations

  • Hierarchical firewall policy rules don't support source tags or source service accounts.
  • Hierarchical firewall policy rules don't support using network tags to define targets. You must use a target VPC network or target service account instead.
  • Firewall policies can be applied at the folder and the organization level, but not at the VPC network level. Regular VPC firewall rules are supported for VPC networks.
  • Only one firewall policy can be associated to a resource (folder or organization), although the virtual machine (VM) instances in a folder can inherit rules from the entire hierarchy of resources above the VM.
  • Firewall Rules Logging is supported for allow and deny rules but is not supported for goto_next rules.
  • IPv6 Hop-by-Hop protocol is not supported in firewall rules.

Firewall policy tasks

Create a firewall policy

You can create a policy at any resource (organization or folder) of your organization hierarchy. After you create a policy, you can associate it with any resource of your organization. After it's associated, the policy's rules become active for VMs under the associated resource in the hierarchy.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector pull-down menu, select your organization ID or a folder within your organization.

  3. Click Create firewall policy.

  4. Give the policy a Name.

  5. If you want to create rules for your policy, click Continue > Add rule.

    For details, see Create firewall rules.

  6. If you want to associate the policy with a resource, click Continue > Associate policy with resources.

    For details, see Associate a policy with the organization or a folder.

  7. Click Create.

gcloud

gcloud compute firewall-policies create \
    [--organization ORG_ID | --folder FOLDER_ID] \
    --short-name SHORT_NAME

Replace the following:

  • ORG_ID: your organization's ID
    Specify this ID if you are creating the policy at the organization level. This ID only indicates where the policy lives; it does not automatically associate the policy with the organization resource.
  • FOLDER_ID: the ID of a folder
    Specify this ID if you are creating the policy in a given folder. This ID only indicates where the policy lives; it does not automatically associate the policy with that folder.
  • SHORT_NAME: a name for the policy
    A policy created by using the Google Cloud CLI has two names: a system-generated name and a short name provided by you. When using the Google Cloud CLI to update an existing policy, you can provide either the system-generated name or the short name and the organization ID. When using the API to update the policy, you must provide the system-generated name.

Create firewall rules

Hierarchical firewall policy rules must be created in a hierarchical firewall policy. The rules are not active until you associate the containing policy to a resource.

Each hierarchical firewall policy rule can include either IPv4 or IPv6 ranges, but not both.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector pull-down menu, select your organization ID or the folder that contains your policy.

  3. Click the name of your policy.

  4. Click Add rule.

  5. Populate the rule fields:

    1. Priority: the numeric evaluation order of the rule. The rules are evaluated from highest to lowest priority where 0 is the highest priority. Priorities must be unique for each rule. A good practice is to give rules priority numbers that allow later insertion (such as 100, 200, 300).
    2. Set Logs collection to On or Off.
    3. For Direction of traffic, specify whether this rule is an Ingress or Egress rule.
    4. For Action on match, choose one of the following options:

      1. Allow: allows the connections that match the rule.
      2. Deny: denies the connections that match the rule.
      3. Go to next: the evaluation of the connection is passed to the next lower firewall rule in the hierarchy.
      4. Proceed to L7 inspection: sends the packets to the configured firewall endpoint for Layer 7 inspection.
        • In the Security profile group list, select the name of a security profile group.
        • To enable TLS inspection of the packets, select Enable TLS inspection.

      To learn more about how rules and corresponding actions are evaluated for each network interface of the VM, see Policy and rule evaluation order.

    5. Optional: You can restrict the rule to certain networks by specifying them in the Target networks field. Click ADD NETWORK, and then select the Project and the Network. You can add multiple target networks to a rule.

    6. Optional: You can restrict the rule to VMs that are running with access to certain service accounts by specifying the accounts in the Target service accounts field.

    7. For an Ingress rule, specify the Source filter:

      • To filter incoming traffic by source IPv4 ranges, select IPv4, and then enter the CIDR blocks in the IP range field. Use 0.0.0.0/0 for any IPv4 source.
      • To filter incoming traffic by source IPv6 ranges, select IPv6, and then enter the CIDR blocks into the IP range field. Use ::/0 for any IPv6 source.
    8. For an Egress rule, specify the Destination filter:

      • To filter outgoing traffic by destination IPv4 ranges, select IPv4, and then enter the CIDR blocks in the IP range field. Use 0.0.0.0/0 for any IPv4 destination.
      • To filter outgoing traffic by destination IPv6 ranges, select IPv6, and then enter the CIDR blocks into the IP range field. Use ::/0 for any IPv6 destination.
    9. Optional: If you are creating an Ingress rule, specify the source FQDNs that this rule applies to. If you are creating an Egress rule, select the destination FQDNs that this rule applies to. For more information about domain name objects, see Domain name objects.

    10. Optional: If you are creating an Ingress rule, select the source Geolocations that this rule applies to. If you are creating an Egress rule, select the destination Geolocations that this rule applies to. For more information about geolocation objects, see Geolocation objects.

    11. Optional: If you are creating an Ingress rule, select the source Address groups that this rule applies to. If you are creating an Egress rule, select the destination Address groups that this rule applies to. For more information about address groups, see Address groups for firewall policies.

    12. Optional: If you are creating an Ingress rule, select the source Google Cloud Threat Intelligence lists that this rule applies to. If you are creating an Egress rule, select the destination Google Cloud Threat Intelligence lists that this rule applies to. For more information about Threat Intelligence, see Threat Intelligence for firewall policy rules.

    13. Optional: For an Ingress rule, specify the Destination filters:

      • To filter incoming traffic by destination IPv4 ranges, select IPv4 and enter the CIDR blocks into the IP range field. Use 0.0.0.0/0 for any IPv4 destination.
      • To filter incoming traffic by destination IPv6 ranges, select IPv6 ranges and enter the CIDR blocks into the Destination IPv6 ranges field. Use ::/0 for any IPv6 destination. For more information, see Destination for ingress rules.
    14. Optional: For an Egress rule, specify the Source filter:

      • To filter outgoing traffic by source IPv4 ranges, select IPv4, and then enter the CIDR blocks in the IP range field. Use 0.0.0.0/0 for any IPv4 source.
      • To filter outgoing traffic by source IPv6 ranges, select IPv6, and then enter the CIDR blocks into the IP range field. Use ::/0 for any IPv6 source. For more information, see Source for egress rules.
    15. For Protocols and ports, either specify that the rule applies to all protocols and all destination ports or specify to which protocols and destination ports it applies.

      To specify IPv4 ICMP, use icmp or protocol number 1. To specify IPv6 ICMP, use the protocol number 58. For more information about protocols, see Protocols and ports.

    16. Click Create.

  6. Click Add rule to add another rule.

  7. Click Continue > Associate policy with resources to associate the policy with resources, or click Create to create the policy.

gcloud

gcloud compute firewall-policies rules create PRIORITY \
    [--organization ORG_ID] \
    --firewall-policy POLICY_NAME \
    [--direction DIRECTION] \
    [--src-ip-ranges IP_RANGES] \
    [--dest-ip-ranges IP_RANGES] \
    [--src-region-codes COUNTRY_CODE[,COUNTRY_CODE,...]] \
    [--dest-region-codes COUNTRY_CODE[,COUNTRY_CODE,...]] \
    [--src-threat-intelligence LIST_NAMES[,LIST_NAME,...]] \
    [--dest-threat-intelligence LIST_NAMES[,LIST_NAME,...]] \
    [--src-address-groups ADDR_GRP_URL[,ADDR_GRP_URL,...]] \
    [--dest-address-groups ADDR_GRP_URL[,ADDR_GRP_URL,...]] \
    [--dest-fqdns DOMAIN_NAME[,DOMAIN_NAME,...]] \
    [--src-fqdns DOMAIN_NAME[,DOMAIN_NAME,...]] \
    --action ACTION \
    [--security-profile-group SECURITY_PROFILE_GROUP] \
    [--tls-inspect | --no-tls-inspect] \
    [--layer4-configs PROTOCOL_PORT] \
    [--target-resources NETWORKS] \
    [--target-service-accounts SERVICE_ACCOUNTS] \
    [--enable-logging | --no-enable-logging] \
    [--disabled]

Replace the following:

  • PRIORITY: the numeric evaluation order of the rule

    The rules are evaluated from highest to lowest priority, where 0 is the highest priority. Priorities must be unique for each rule. A good practice is to give rules priority numbers that allow later insertion (such as 100, 200, 300).

  • ORG_ID: your organization's ID

  • POLICY_NAME: either the short name or the system-generated name of the policy

  • DIRECTION: indicates whether the rule is an INGRESS (the default) or EGRESS rule

    • Include --src-ip-ranges to specify IP ranges for the source of traffic.
    • Include --dest-ip-ranges to specify IP ranges for the destination of traffic.

    For more information, see targets, source, and destination.

  • IP_RANGES: a comma-separated list of CIDR-formatted IP ranges, either all IPv4 ranges or all IPv6 ranges—examples:
    --src-ip-ranges=10.100.0.1/32,10.200.0.0/24
    --src-ip-ranges=2001:0db8:1562::/96,2001:0db8:1723::/96

  • COUNTRY_CODE: a comma-separated list of two-letter country codes

    • For the ingress direction, specify the source country codes in the --src-region-codes parameter; you cannot use the --src-region-codes parameter for the egress direction
    • For the egress direction, specify the destination country codes in the --dest-region-codes parameter; you cannot use the --dest-region-codes parameter for the ingress direction
  • LIST_NAMES: a comma-separated list of names of Threat Intelligence lists

    • For the ingress direction, specify the source Threat Intelligence lists in the --src-threat-intelligence parameter; you cannot use the --src-threat-intelligence parameter for the egress direction
    • For the egress direction, specify the destination Threat Intelligence lists in the --dest-threat-intelligence parameter; you cannot use the --dest-threat-intelligence parameter for the ingress direction
  • ADDR_GRP_URL: a unique URL identifier for the address group

    • For the ingress direction, specify the source address groups in the --src-address-groups parameter; you cannot use the --src-address-groups parameter for the egress direction
    • For the egress direction, specify the destination address groups in the --dest-address-groups parameter; you cannot use the --dest-address-groups parameter for the ingress direction
  • DOMAIN_NAME: a comma-separated list of domain names in the format described in Domain name format

    • For the ingress direction, specify the source domain names in the --src-fqdns parameter; you cannot use the --src-fqdns parameter for the egress direction
    • For the egress direction, specify the destination domain names in the --dest-fqdns parameter; you cannot use the --dest-fqdns parameter for the ingress direction
  • ACTION: one of the following actions:

    • allow: allows connections that match the rule
    • deny: denies connections that match the rule
    • apply_security_profile_group: transparently sends the packets to the configured firewall endpoint for Layer 7 inspection
    • goto_next: passes connection evaluation to the next level in the hierarchy, either a folder or the network

    To learn more about how rules and corresponding actions are evaluated for each network interface of the VM, see Policy and rule evaluation order.

  • SECURITY_PROFILE_GROUP: the name of a security profile group used for Layer 7 inspection; specify this parameter only when the apply_security_profile_group action is selected

  • --tls-inspect: inspects the TLS traffic by using the TLS inspection policy when the apply_security_profile_group action is selected in the rule. TLS inspection is disabled by default; you can also disable it explicitly with --no-tls-inspect.

  • PROTOCOL_PORT: a comma-separated list of protocol names or numbers (tcp,17), protocols and destination ports (tcp:80), or protocols and destination port ranges (tcp:5000-6000)

    You cannot specify a port or port range without a protocol. For ICMP, you cannot specify a port or port range—for example: --layer4-configs tcp:80,tcp:443,udp:4000-5000,icmp.

    To specify IPv4 ICMP, use icmp or protocol number 1. To specify IPv6 ICMP, use protocol number 58. For more information, see Protocols and ports.

  • NETWORKS: a comma-separated list of VPC network resource URLs in the form https://www.googleapis.com/compute/v1/projects/PROJECT_ID/global/networks/NETWORK_NAME, where PROJECT_ID is the project ID of the project that contains the VPC network, and NETWORK_NAME is the network name. If omitted, the rule applies to all VPC networks under the resource.

    For more information, see Targets for hierarchical firewall policy rules.

  • SERVICE_ACCOUNTS: a comma-separated list of service accounts; the rule is applied only to VMs that are running with access to the specified service account

    For more information, see Targets for hierarchical firewall policy rules.

  • --enable-logging and --no-enable-logging: enables or disables Firewall Rules Logging for the given rule

  • --disabled: indicates that the firewall rule, although it exists, is not to be considered when processing connections; omitting this flag enables the rule, or you can specify --no-disabled
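The constraints spelled out in the flag descriptions above (unique priorities, one IP version per rule, direction-specific filters, no logging on goto_next, no port without a protocol, no port on ICMP) are easy to violate when rules are generated by a script. The following added example, which is not part of the Google Cloud documentation or of the gcloud CLI, lints a planned rule set against those constraints and renders the matching `rules create` invocation for each rule that passes; the rule dictionary keys, the policy short name corp-baseline and the organization ID are assumptions made for the example.

```python
import ipaddress
import shlex

ACTIONS = {"allow", "deny", "apply_security_profile_group", "goto_next"}
# Filters that the flag descriptions above tie to a single direction.
INGRESS_ONLY = ("src_region_codes", "src_threat_intelligence",
                "src_address_groups", "src_fqdns")
EGRESS_ONLY = ("dest_region_codes", "dest_threat_intelligence",
               "dest_address_groups", "dest_fqdns")

def check_ip_ranges(ranges):
    """A rule may carry IPv4 ranges or IPv6 ranges, never a mix of both."""
    errors, versions = [], set()
    for cidr in ranges:
        try:
            versions.add(ipaddress.ip_network(cidr, strict=False).version)
        except ValueError:
            errors.append(f"invalid CIDR {cidr!r}")
    if len(versions) > 1:
        errors.append("a rule may use IPv4 ranges or IPv6 ranges, not both")
    return errors

def check_layer4(configs):
    """PROTOCOL_PORT entries: tcp, 17, tcp:80, tcp:5000-6000; no ports on ICMP."""
    errors = []
    for item in configs:
        proto, _, ports = item.partition(":")
        if not proto:
            errors.append(f"{item!r}: port or port range without a protocol")
        elif ports and proto in ("icmp", "1", "58"):
            errors.append(f"{item!r}: ICMP cannot carry a port or port range")
    return errors

def validate_rule(rule, used_priorities=()):
    """Return the constraint violations for one rule (empty list if it is OK)."""
    errors = []
    prio = rule.get("priority")
    if not isinstance(prio, int) or prio < 0:
        errors.append("priority must be a non-negative integer")
    elif prio in used_priorities:
        errors.append(f"priority {prio} is already used in this policy")
    direction = rule.get("direction", "INGRESS")  # gcloud's default
    if direction not in ("INGRESS", "EGRESS"):
        errors.append("direction must be INGRESS or EGRESS")
    action = rule.get("action")
    if action not in ACTIONS:
        errors.append(f"action must be one of {sorted(ACTIONS)}")
    if action == "goto_next" and rule.get("enable_logging"):
        errors.append("enable_logging is not allowed on a goto_next rule")
    for key in EGRESS_ONLY if direction == "INGRESS" else INGRESS_ONLY:
        if rule.get(key):
            errors.append(f"{key} cannot be used for {direction} rules")
    errors += check_ip_ranges(rule.get("src_ip_ranges", []) + rule.get("dest_ip_ranges", []))
    errors += check_layer4(rule.get("layer4_configs", []))
    return errors

def build_command(rule, policy, org_id):
    """Render the `rules create` invocation for a rule that passed validate_rule."""
    argv = ["gcloud", "compute", "firewall-policies", "rules", "create",
            str(rule["priority"]), "--organization", str(org_id),
            "--firewall-policy", policy, "--direction",
            rule.get("direction", "INGRESS"), "--action", rule["action"]]
    for key, value in rule.items():  # list-valued keys become comma-separated list flags
        if isinstance(value, list) and value:
            argv += ["--" + key.replace("_", "-"), ",".join(value)]
    argv.append("--enable-logging" if rule.get("enable_logging") else "--no-enable-logging")
    return shlex.join(argv)

def plan(rules, policy, org_id):
    """Check a whole rule set; return (commands to run, problems keyed by priority)."""
    seen, commands, problems = set(), [], {}
    for rule in rules:
        errors = validate_rule(rule, seen)
        seen.add(rule.get("priority"))
        if errors:
            problems[rule.get("priority")] = errors
        else:
            commands.append(build_command(rule, policy, org_id))
    return commands, problems

# Constructed samples: one valid rule and one that breaks several constraints at once.
GOOD_RULE = {"priority": 100, "action": "allow", "layer4_configs": ["tcp:22"],
             "src_ip_ranges": ["10.100.0.1/32", "10.200.0.0/24"], "enable_logging": True}
BAD_RULE = {"priority": 100, "action": "goto_next", "enable_logging": True,
            "src_ip_ranges": ["10.0.0.0/8", "2001:db8::/32"], "dest_region_codes": ["US"],
            "layer4_configs": ["icmp:8", ":80"]}

if __name__ == "__main__":
    commands, problems = plan([GOOD_RULE, BAD_RULE], "corp-baseline", "123456789012")
    print("\n".join(commands), problems, sep="\n")
```

The script only prints the gcloud invocations; nothing is created until you run them, so it can be used as a review step before changes reach the policy.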

Associate a policy with the organization or folder

Associate a policy with a resource to activate the policy rules for any VMs under the resource in the hierarchy.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector pull-down menu, select your organization ID or the folder that contains your policy.

  3. Click your policy.

  4. Click the Associations tab.

  5. Click Add Association.

  6. Select the organization root or select folders within the organization.

  7. Click Add.

gcloud

gcloud compute firewall-policies associations create \
    --firewall-policy POLICY_NAME \
    --organization ORG_ID \
    [ --folder FOLDER_ID ] \
    [ --name ASSOCIATION_NAME ] \
    [ --replace-association-on-target ]

Replace the following:

  • POLICY_NAME: either the short name or the system-generated name of the policy
  • ORG_ID: your organization's ID
  • FOLDER_ID: if you are associating the policy with a folder, specify it here; omit if you are associating the policy to the organization level
  • ASSOCIATION_NAME: an optional name for the association; if unspecified, the name is set to "organization ORG_ID" or "folder FOLDER_ID"
  • --replace-association-on-target
    By default, if you attempt to insert an association to an organization or folder that already has an association, the method fails. If you specify this flag, the existing association is deleted at the same time that the new association is created. This prevents the resource from being without a policy during the transition.

Move a policy from one resource to another

Moving a policy changes which resource owns the policy. To move a policy, you must have move permissions on both the old and new resources.

Moving a policy does not affect any existing policy associations or the evaluation of existing rules, but it might affect who has permissions to modify or associate the policy after the move.

Console

Use the Google Cloud CLI for this procedure.

gcloud

gcloud compute firewall-policies move POLICY_NAME \
    --organization ORG_ID \
    [--folder FOLDER_ID]

Replace the following:

  • POLICY_NAME: either the short name or the system-generated name of the policy that you are moving
  • ORG_ID: your organization's ID; if you are moving the policy to the organization, specify this ID but don't specify a folder
  • FOLDER_ID: if you are moving the policy to a folder, specify it here; omit if you are moving the policy to the organization

Update a policy description

The only policy field that can be updated is the Description field.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector pull-down menu, select your organization ID or the folder that contains the policy.

  3. Click your policy.

  4. Click Edit.

  5. Modify the Description.

  6. Click Save.

gcloud

gcloud compute firewall-policies update POLICY_NAME \
    --description DESCRIPTION \
    --organization ORG_ID

List policies

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector pull-down menu, select your organization ID or the folder that contains the policy.

    For an organization, the Firewall policies associated with this organization section shows the associated policies. The Firewall policies located in this organization section lists policies that are owned by the organization.

    For a folder, the Firewall policies associated with this folder or inherited by this folder section shows the policies associated or inherited by the folder. The Firewall policies located in this folder section lists policies that are owned by the folder.

gcloud

gcloud compute firewall-policies list \
    [--organization ORG_ID | --folder FOLDER_ID]

Describe a policy

You can see all the details of a policy, including all its firewall rules. In addition, you can see many attributes that are in all the rules in the policy. These attributes count toward a per-policy limit.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector pull-down menu, select your organization ID or the folder that contains the policy.

  3. Click your policy.

gcloud

gcloud compute firewall-policies describe POLICY_NAME \
    --organization ORG_ID

Delete a policy

You must delete all associations on an organization firewall policy before you can delete it.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector pull-down menu, select your organization ID or the folder that contains the policy.

  3. Click the policy that you want to delete.

  4. Click the Associations tab.

  5. Select all associations.

  6. Click Remove Associations.

  7. After all associations are removed, click Delete.

gcloud

  1. List all resources associated with a firewall policy:

    gcloud compute firewall-policies describe POLICY_NAME \
        --organization ORG_ID
    
  2. Delete individual associations. To remove the association, you must have the compute.orgSecurityResourceAdmin role on the associated resource or ancestor of that resource.

    gcloud compute firewall-policies associations delete RESOURCE_NAME \
        --organization ORG_ID \
        --firewall-policy POLICY_NAME
    
  3. Delete the policy:

    gcloud compute firewall-policies delete POLICY_NAME \
        --organization ORG_ID
    

List associations for a resource

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector pull-down menu, select your organization ID or the folder that contains the policy.

  3. For the selected resource (organization or folder), a list of associated and inherited policies appears.

gcloud

gcloud compute firewall-policies associations list \
    [--organization ORG_ID | --folder FOLDER_ID]

List associations for a policy

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector pull-down menu, select your organization ID or the folder that contains the policy.

  3. Click your policy.

  4. Click the Associations tab.

  5. Associations are listed in the table.

gcloud

gcloud compute firewall-policies describe POLICY_ID

Delete an association

To stop enforcement of a firewall policy on the organization or a folder, delete the association.

However, if you intend to swap out one firewall policy for another, it is not necessary to delete the existing association first. Doing so would leave a period of time where neither policy is enforced. Instead, replace the existing policy when you associate a new policy.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector pull-down menu, select your organization ID or the folder that contains the policy.

  3. Click your policy.

  4. Click the Associations tab.

  5. Select the association that you want to delete.

  6. Click Remove Associations.

gcloud

gcloud compute firewall-policies associations delete ASSOCIATION_NAME \
    --firewall-policy POLICY_NAME \
    --organization ORG_ID

Firewall policy rule tasks

Create a rule in an existing firewall policy

See Create firewall rules.

List all rules in a policy

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector pull-down menu, select your organization ID or the folder that contains the policy.

  3. Click your policy. Rules are listed on the Firewall rules tab.

gcloud

gcloud compute firewall-policies list-rules POLICY_NAME \
    --organization ORG_ID

Describe a rule

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector pull-down menu, select your organization ID or the folder that contains the policy.

  3. Click your policy.

  4. Click the priority of the rule.

gcloud

gcloud compute firewall-policies rules describe PRIORITY \
    --organization ORG_ID \
    --firewall-policy POLICY_NAME

Replace the following:

  • PRIORITY: the priority of the rule that you want to view; because each rule must have a unique priority, this setting uniquely identifies a rule
  • ORG_ID: your organization's ID
  • POLICY_NAME: the short name or system-generated name of the policy that contains the rule

Update a rule

For field descriptions, see Create firewall rules.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector pull-down menu, select your organization ID or the folder that contains the policy.

  3. Click your policy.

  4. Click the priority of the rule.

  5. Click Edit.

  6. Modify the fields that you want to change.

  7. Click Save.

gcloud

gcloud compute firewall-policies rules update PRIORITY \
    --firewall-policy POLICY_NAME \
    --organization ORG_ID \
    [...fields you want to modify...]

Clone rules from one policy to another

Remove all rules from the target policy and replace them with the rules in the source policy.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector pull-down menu, select your organization ID or the folder that contains the policy.

  3. Click the policy that you want to copy rules from.

  4. Click Clone at the top of the screen.

  5. Provide the name of a target policy.

  6. Click Continue > Associate policy with resources if you want to associate the new policy immediately.

  7. Click Clone.

gcloud

gcloud compute firewall-policies clone-rules POLICY_NAME \
    --organization ORG_ID \
    --source-firewall-policy SOURCE_POLICY

Replace the following:

  • POLICY_NAME: the policy to receive the copied rules
  • ORG_ID: your organization's ID
  • SOURCE_POLICY: the policy to copy the rules from; must be the URL of the resource

Delete a rule from a policy

Deleting a rule from a policy removes the rule from all VMs that are inheriting the rule.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. In the project selector pull-down menu, select your organization ID or the folder that contains the policy.

  3. Click your policy.

  4. Select the rule that you want to delete.

  5. Click Delete.

gcloud

gcloud compute firewall-policies rules delete PRIORITY \
    --organization ORG_ID \
    --firewall-policy POLICY_NAME

Replace the following:

  • PRIORITY: the priority of the rule that you want to delete from the policy
  • ORG_ID: your organization's ID
  • POLICY_NAME: the policy containing the rule

Get effective firewall rules for a network

Displays all hierarchical firewall policy rules, VPC firewall rules, and global network firewall policy rules applied to a specified VPC network.

Console

  1. In the Google Cloud console, go to the VPC networks page.

    Go to VPC networks

  2. Click the network you want to view firewall policy rules for.

  3. Click Firewall policies.

  4. Expand each firewall policy to view the rules that apply to this network.

gcloud

gcloud compute networks get-effective-firewalls NETWORK_NAME

Replace the following:

  • NETWORK_NAME: the network to get effective rules for

You can also view effective firewall rules for a network from the Firewall page.

Console

  1. In the Google Cloud console, go to the Firewall policies page.

    Go to Firewall policies

  2. The firewall policies are listed in the Firewall policies inherited by this project section.

  3. Click each firewall policy to view the rules that apply to this network.

Get effective firewall rules for a VM interface

Displays all hierarchical firewall policy rules, VPC firewall rules, and global network firewall policy rules applied to a specified Compute Engine VM interface.

Console

  1. In the Google Cloud console, go to the VM instances page.

    Go to VM instances

  2. In the project selector pull-down menu, select the project containing the VM.

  3. Click the VM.

  4. For Network interfaces, click the interface.

  5. Effective firewall rules appear in Firewall and routes details.

gcloud

gcloud compute instances network-interfaces get-effective-firewalls INSTANCE_NAME \
    [--network-interface INTERFACE] \
    [--zone ZONE]

Replace the following:

  • INSTANCE_NAME: the VM to get effective rules for; if no interface is specified, returns rules for the primary interface (nic0)
  • INTERFACE: the VM interface to get effective rules for; default is nic0
  • ZONE: the zone of the VM; optional if the chosen zone is already set as the default

Troubleshooting

This section contains explanations for error messages that you might encounter.

  • FirewallPolicy may not specify a name. One will be provided.

    You cannot specify a policy name. Hierarchical firewall policy "names" are numerical IDs generated by Google Cloud when the policy is created. However, you can specify a friendlier short name that acts as an alias in many contexts.

  • FirewallPolicy may not specify associations on creation.

    Associations can only be created after hierarchical firewall policies are created.

  • Can not move firewall policy to a different organization.

    Hierarchical firewall policy moves must stay within the same organization.

  • The attachment already has an association. Please set the option of replacing existing association to true if you want to replace the old one.

    If a resource is already attached with a hierarchical firewall policy, the attachment operation fails unless the option of replacing the existing associations is set to true.

  • Cannot have rules with the same priorities.

    Priorities of rules are required to be unique within a hierarchical firewall policy.

  • Direction must be specified on firewall policy rule.

    When creating hierarchical firewall policy rules by sending REST requests directly, the direction of the rule must be specified. When using the Google Cloud CLI and no direction is specified, the default is INGRESS.

  • Can not specify enable_logging on a goto_next rule.

    Firewall Logging is not allowed for rules with goto_next action because goto_next actions are used to represent the evaluation order of different firewall policies and are not terminal actions—for example, ALLOW or DENY.

  • Must specify at least one destination on Firewall policy rule.

    The layer4Configs parameter in the firewall policy rule must specify at least one protocol or protocol and destination port.

For more details about troubleshooting firewall policy rules, see VPC firewall rules troubleshooting.

What's next