
Google Cloud Skills Boost


Migrate your VPC Firewall Policies to Cloud NGFW


Cloud NGFW: Migrate VPC Firewall Rules - No Network Tags

Lab · 1 hour · 1 Credit · Intermediate
Note: This lab may incorporate AI tools to support your learning.

GSP608

Overview

Cloud Next Generation Firewall (Cloud NGFW) is a cloud-first firewall service with advanced threat protection, micro-segmentation, and pervasive coverage to protect your Google Cloud workloads from internal and external attacks.

Global network firewall policies enable you to batch update all firewall rules by grouping them into a single policy object. You can assign network firewall policies to a Virtual Private Cloud (VPC) network. These policies contain rules that can explicitly deny or allow connections.

If you currently have VPC firewall rules, there is a migration tool to help you transition from legacy VPC rules to Cloud NGFW's firewall policies. The migration tool creates a global network firewall policy, converts the existing VPC firewall rules into firewall policy rules, and adds the new rules to the policy.

In this lab you will migrate a VPC firewall rule from an existing network to a global network firewall policy, then apply that policy to 2 VPC networks in your Google Cloud project.

Prerequisites

For this lab it is presumed that you understand how to create a network and apply firewall rules. If you are unfamiliar, stop this lab and take the Create a Custom Network and Apply Firewall Rules lab first.

What you'll learn

In this lab you will learn how to:

  • Identify existing VPC firewall rules in a Google Cloud project
  • Migrate VPC firewall rules to a global network firewall policy
  • Test and verify the migration worked by checking logs

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources are made available to you.

This hands-on lab lets you do the lab activities in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito (recommended) or private browser window to run this lab. This prevents conflicts between your personal account and the student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab—remember, once you start, you cannot pause a lab.
Note: Use only the student account for this lab. If you use a different Google Cloud account, you may incur charges to that account.

How to start your lab and sign in to the Google Cloud console

  1. Click the Start Lab button. If you need to pay for the lab, a dialog opens for you to select your payment method. On the left is the Lab Details pane with the following:

    • The Open Google Cloud console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Cloud console (or right-click and select Open Link in Incognito Window if you are running the Chrome browser).

    The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username below and paste it into the Sign in dialog.

    {{{user_0.username | "Username"}}}

    You can also find the Username in the Lab Details pane.

  4. Click Next.

  5. Copy the Password below and paste it into the Welcome dialog.

    {{{user_0.password | "Password"}}}

    You can also find the Password in the Lab Details pane.

  6. Click Next.

    Important: You must use the credentials the lab provides you. Do not use your Google Cloud account credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  7. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Google Cloud console opens in this tab.

Note: To access Google Cloud products and services, click the Navigation menu or type the service or product name in the Search field.

Activate Cloud Shell

Cloud Shell is a virtual machine that is loaded with development tools. It offers a persistent 5GB home directory and runs on Google Cloud. Cloud Shell provides command-line access to your Google Cloud resources.

  1. Click Activate Cloud Shell at the top of the Google Cloud console.

  2. Click through the following windows:

    • Continue through the Cloud Shell information window.
    • Authorize Cloud Shell to use your credentials to make Google Cloud API calls.

When you are connected, you are already authenticated, and the project is set to your PROJECT_ID. The output contains a line that declares the PROJECT_ID for this session:

Your Cloud Platform project in this session is set to {{{project_0.project_id | "PROJECT_ID"}}}

gcloud is the command-line tool for Google Cloud. It comes pre-installed on Cloud Shell and supports tab-completion.

  1. (Optional) You can list the active account name with this command:
gcloud auth list
  2. Click Authorize.

Output:

ACTIVE: *
ACCOUNT: {{{user_0.username | "ACCOUNT"}}}

To set the active account, run:
    $ gcloud config set account `ACCOUNT`
  3. (Optional) You can list the project ID with this command:
gcloud config list project

Output:

[core]
project = {{{project_0.project_id | "PROJECT_ID"}}}

Note: For full documentation of gcloud, in Google Cloud, refer to the gcloud CLI overview guide.

Set your region and zone

Certain Compute Engine resources live in regions and zones. A region is a specific geographical location where you can run your resources. Each region has one or more zones.

  1. Run the following gcloud commands in Cloud Shell to set the default region and zone for your lab:
gcloud config set compute/zone "{{{project_0.default_zone | Zone}}}"
export ZONE=$(gcloud config get compute/zone)
gcloud config set compute/region "{{{project_0.default_region | Region}}}"
export REGION=$(gcloud config get compute/region)
  2. Set your Project ID as an environment variable:
export PROJECT_ID=$(gcloud config get-value project)

For this lab, instead of controlling access through individual user accounts, network-level restrictions are being used. This means if you're on the "approved" external/partner networks, you're in. If not, you're blocked.

Task 1. Assess the environment

Identify the number of existing VPC firewall rules in your network

  1. In the console, from the Navigation menu, select VPC Network and review the networks available for this lab.
  2. Open each network and notice the firewall rules.
  3. Make a note of the priority associated with each VPC firewall rule; the migration tool reports these priorities when it converts the rules, and you will need them again when you update individual policy rules.
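The assessment in Task 1 is done by eye in the console. The script below is an added example (not part of the lab, of gcloud, or of the migration tool) that does the same review over the JSON printed by `gcloud compute firewall-rules list --format=json`: it groups rules by network in priority order and flags the cases that need attention before Task 3's migration, namely rules the tool skips (GKE-created, identified here by the `gke-` name prefix, which is a heuristic assumption), rules that use network tags (this lab deliberately has none), rules that mix IPv4 and IPv6 ranges (a policy rule may hold only one family), disabled rules, and rules that expose SSH/RDP or a whole protocol to any address, which you should tighten rather than carry over. The sample rules are constructed in that JSON shape; `my-project`, `internal-network` and the rule names not used in this lab are made up.

```python
"""Pre-migration assessment of legacy VPC firewall rules.

Added example for this lab; it is not part of the lab, of gcloud, or of the
migration tool. It consumes the list shape that
`gcloud compute firewall-rules list --format=json` prints (the sample below is
constructed by hand; `my-project`, `internal-network` and the rule names other
than the lab's own are made up) and flags rules that need attention before
`gcloud beta compute firewall-rules migrate` is run.
"""
import ipaddress
from collections import defaultdict

PROJECT = "https://www.googleapis.com/compute/v1/projects/my-project"  # hypothetical


def net(name):
    return f"{PROJECT}/global/networks/{name}"


# Constructed sample; in practice use json.load() on the saved gcloud output.
SAMPLE_RULES = [
    {"name": "allow-ssh-for-admins", "network": net("external-network"), "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["10.1.0.0/24", "10.2.0.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-internal-vpc", "network": net("external-network"), "direction": "INGRESS",
     "priority": 65534, "sourceRanges": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
     "allowed": [{"IPProtocol": "all"}]},
    {"name": "legacy-ssh-anywhere", "network": net("external-network"), "direction": "INGRESS",
     "priority": 900, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "web-by-tag", "network": net("internal-network"), "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"], "targetTags": ["web"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "dual-stack-internal", "network": net("internal-network"), "direction": "INGRESS",
     "priority": 1100, "sourceRanges": ["10.0.0.0/8", "2001:db8::/32"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["8080"]}]},
    {"name": "gke-demo-1a2b3c4d-all", "network": net("internal-network"), "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["10.100.0.0/14"], "allowed": [{"IPProtocol": "all"}]},
]

ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"
SENSITIVE_PORTS = {"22", "3389"}  # SSH and RDP


def network_name(rule):
    return rule["network"].rsplit("/", 1)[-1]


def ip_families(ranges):
    return {ipaddress.ip_network(r, strict=False).version for r in ranges}


def open_to_internet(rule):
    """Ingress allow from any address that reaches SSH/RDP or a whole protocol."""
    if rule.get("direction", "INGRESS") != "INGRESS" or "allowed" not in rule:
        return False
    # gcloud applies 0.0.0.0/0 when an ingress rule names no source at all
    if not {ANY_V4, ANY_V6} & set(rule.get("sourceRanges", [ANY_V4])):
        return False
    for entry in rule["allowed"]:
        ports = entry.get("ports")
        if entry["IPProtocol"] == "all" or (ports is None and entry["IPProtocol"] in ("tcp", "udp")):
            return True
        if ports and SENSITIVE_PORTS & set(ports):
            return True
    return False


def assess_rule(rule):
    """Findings for one rule; an empty list means it migrates as-is."""
    findings = []
    if rule["name"].startswith("gke-"):  # naming heuristic (assumption) for GKE-managed rules
        findings.append("created by GKE; the migration tool skips it")
    if rule.get("disabled"):
        findings.append("disabled; decide whether it belongs in the policy at all")
    tags = rule.get("targetTags", []) + rule.get("sourceTags", [])
    if tags:
        findings.append(f"uses network tags {sorted(tags)}; policy rules use secure tags, "
                        "so a tag mapping is needed (not covered by this lab)")
    if ip_families(rule.get("sourceRanges", []) + rule.get("destinationRanges", [])) == {4, 6}:
        findings.append("mixes IPv4 and IPv6 ranges; a policy rule holds one family, so split it")
    if open_to_internet(rule):
        findings.append("allows SSH/RDP or a whole protocol from any address; tighten it rather than copying it")
    return findings


def assess(rules):
    return {rule["name"]: assess_rule(rule) for rule in rules}


def priorities_by_network(rules):
    """The note Task 1 asks for: (priority, name) per network, in evaluation order."""
    grouped = defaultdict(list)
    for rule in rules:
        grouped[network_name(rule)].append((rule.get("priority", 1000), rule["name"]))
    return {n: sorted(entries) for n, entries in grouped.items()}


if __name__ == "__main__":
    for name, findings in assess(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(findings) or 'OK'}")
    for n, entries in priorities_by_network(SAMPLE_RULES).items():
        print(n, entries)
```

Run it against a real export with `gcloud compute firewall-rules list --format=json > rules.json` and `json.load()` in place of `SAMPLE_RULES`; anything that comes back with a finding is worth resolving before you run the migration rather than after, because the tool copies rules as they are.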

Task 2. Create global firewall rules

Global network firewall policy rules must be created in a global network firewall policy. The rules are not active until you associate the policy that contains those rules with a VPC network.

Each global network firewall policy rule can include either IPv4 or IPv6 ranges, but not both.

The commands in this task use the legacy compute firewall-rules command, so what they create are VPC firewall rules on external-network. They become global network firewall policy rules when you migrate them in Task 3.

  • Create a few firewall rules on external-network:
gcloud compute firewall-rules create allow-ssh-for-admins \
    --direction=INGRESS --action=ALLOW --rules=tcp:22 \
    --source-ranges=10.1.0.0/24,10.2.0.0/24 \
    --description="allow only SSH access for their system administrators" \
    --network=external-network

gcloud compute firewall-rules create allow-iap-ssh \
    --direction=INGRESS --action=ALLOW --rules=tcp:22 \
    --source-ranges=35.235.240.0/20 \
    --description="allow traffic from IAP" \
    --network=external-network

gcloud compute firewall-rules create allow-health-checks \
    --direction=INGRESS --priority=1000 --action=ALLOW --rules=tcp:80,tcp:443 \
    --source-ranges=35.191.0.0/16,130.211.0.0/22 \
    --description="allow health checks from Google Cloud Load Balancing" \
    --network=external-network

gcloud compute firewall-rules create allow-internal-vpc \
    --direction=INGRESS --priority=65534 --allow=all \
    --source-ranges=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
    --description="allow any intra-vpc traffic" \
    --network=external-network

Note: Since Cloud Next Generation Firewall rules have an implicit deny ingress rule, you need to define what is allowed.

Click Check my progress to verify the objective. Create global firewall rules.

Task 3. Migrate the VPC firewall rules

After assessing your environment, migrate your VPC firewall rules to a global network firewall policy by using the compute firewall-rules migrate command. The migration tool creates the global network firewall policy based on the existing VPC firewall rules.

Replace the following:

NETWORK_NAME: the name of your VPC network containing the VPC firewall rules that you want to migrate. For this lab, use external-network.

POLICY_NAME: give a name to the global network firewall policy that will be created during migration.

gcloud beta compute firewall-rules migrate \
    --source-network="NETWORK_NAME" \
    --target-firewall-policy="POLICY_NAME"

Note: The migration command does not apply to VPC firewall rules that are automatically created by Google Kubernetes Engine (GKE).

Watch the output for when the VPC firewalls are found, when the new network global firewall policy is created, and when the VPC firewall rules get migrated to it. After it's associated, the global firewall policy rules become active for VMs in the network.

Output:

Looking for VPC Firewalls and Network Firewall Policies associated with VPC Network 'external-network'.
Found 0 Network Firewall Policies associated with the VPC Network 'external-network'.
Found 2 VPC Firewalls associated with the VPC Network 'external-network'.
...
Found 2 selected VPC Firewalls.
priority: name 'description'
1000: external-allow-http 'external-allow-http'
1010: external-allow-http-2 'external-allow-http'
Creating new Network Firewall Policy 'my-fw-policy'...done.
Migrating the following VPC Firewalls:
old-priority: rule-name 'rule-description'
1000: external-allow-http 'external-allow-http'
1010: external-allow-http-2 'external-allow-http'
Migrating...done.

Click Check my progress to verify the objective. Migrate the VPC firewall rules.

Task 4. Associate the global network firewall policy with your network

The migration tool creates the global network firewall policy based on the existing VPC firewall rules. You must manually associate the policy with the required VPC network to activate the policy rules for any VMs within that network.

  1. To associate the global network firewall policy, use the compute network-firewall-policies associations create command.

Replace the following:

NETWORK_NAME: the name of the VPC network whose firewall rules you migrated. Replace this with external-network.

POLICY_NAME: use the global network firewall policy that you just created.

gcloud compute network-firewall-policies associations create \
    --firewall-policy=POLICY_NAME \
    --network=NETWORK_NAME \
    --global-firewall-policy \
    --replace-association-on-target \
    --project=$PROJECT_ID

The --replace-association-on-target flag specifies that any existing association is deleted when you create the new association.

  2. Now list all global network firewall policies in your project:
gcloud compute network-firewall-policies list --global

The output will confirm that you have only one global firewall policy.

Click Check my progress to verify the objective. Associate the global network firewall policy with your network.

Task 5. Change the policy and rule evaluation order

By default, Cloud Next Generation Firewall evaluates the VPC firewall rules before it evaluates a global network firewall policy. To make sure that global network firewall policies take precedence over VPC firewall rules, use the compute networks update command to change the rule evaluation order.

Prioritize the Firewall Policy over legacy VPC Firewall rules.

  1. Replace NETWORK_NAME with the name of your VPC network, external-network:
gcloud compute networks update NETWORK_NAME \
    --network-firewall-policy-enforcement-order=BEFORE_CLASSIC_FIREWALL
  2. To verify whether the global network firewall policy is evaluated before the VPC firewall rules, use the compute networks get-effective-firewalls command:
gcloud compute networks get-effective-firewalls NETWORK_NAME | grep "TYPE:"

In the output of the preceding command, if TYPE: network-firewall-policy is displayed before TYPE: network-firewall, then the global network firewall policy is evaluated first.
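The enforcement order is easy to set and easy to get wrong, and a wrong order silently lets a forgotten legacy rule override the policy. The model below is an added example (not lab or Google code) that reproduces the evaluation just described for the two layers Task 5 reorders: within a layer the lowest-priority matching rule decides, a policy rule may also `goto_next`, a layer with no match falls through, and an ingress packet nobody allows hits the implied deny. Hierarchical and regional policies are left out. The rules and packets are constructed; the scenario is a leftover VPC rule that still opens SSH to everyone while the migrated policy allows only the admin ranges and then denies SSH. It also includes a parser for the lab's `grep "TYPE:"` verification output.

```python
"""Why the enforcement order matters: a model of how a verdict is reached.

Added example for this lab; not lab or Google code. It models only the two layers
Task 5 reorders, the global network firewall policy and the legacy VPC firewall
rules, plus the implied ingress deny. Hierarchical policies (evaluated before both)
and regional policies are left out. All rules and packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                       # lower number is evaluated first within a layer
    action: str                         # "allow", "deny" or "goto_next" (policy rules only)
    protocol: str = "all"               # "all", "tcp", "udp", "icmp", ...
    ports: tuple = ()                   # () = every port; entries like "22" or "8000-8100"
    sources: tuple = ("0.0.0.0/0",)


@dataclass(frozen=True)
class Packet:
    src: str
    protocol: str
    port: int = 0


def port_in_spec(spec, port):
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule, pkt):
    src = ipaddress.ip_address(pkt.src)
    if not any(src in ipaddress.ip_network(r, strict=False) for r in rule.sources):
        return False
    if rule.protocol not in ("all", pkt.protocol):
        return False
    return not rule.ports or any(port_in_spec(s, pkt.port) for s in rule.ports)


def evaluate_layer(rules, pkt):
    """First matching rule by priority decides; no match behaves like goto_next."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.name, rule.action
    return None, "goto_next"


def verdict(pkt, policy_rules, vpc_rules, order="AFTER_CLASSIC_FIREWALL"):
    """Return (action, deciding rule). `order` mirrors
    --network-firewall-policy-enforcement-order: AFTER_CLASSIC_FIREWALL is the
    default (VPC rules first), BEFORE_CLASSIC_FIREWALL evaluates the policy first."""
    layers = [("policy", policy_rules), ("vpc", vpc_rules)]
    if order == "AFTER_CLASSIC_FIREWALL":
        layers.reverse()
    for layer, rules in layers:
        name, action = evaluate_layer(rules, pkt)
        if action in ("allow", "deny"):
            return action, f"{layer}:{name}"
    return "deny", "implied-deny-ingress"


# Constructed scenario: a leftover legacy rule still opens SSH to the world, while
# the migrated policy only allows the admin ranges and then denies the rest.
VPC_RULES = [Rule("external-allow-ssh-anywhere", 1000, "allow", "tcp", ("22",))]
POLICY_RULES = [
    Rule("allow-ssh-for-admins", 1000, "allow", "tcp", ("22",), ("10.1.0.0/24", "10.2.0.0/24")),
    Rule("deny-ssh-elsewhere", 1100, "deny", "tcp", ("22",)),
]
OUTSIDER_SSH = Packet("203.0.113.9", "tcp", 22)
ADMIN_SSH = Packet("10.1.0.5", "tcp", 22)
ADMIN_HTTPS = Packet("10.1.0.5", "tcp", 443)


def policy_evaluated_first(effective_firewalls_output):
    """Same check as the lab's `get-effective-firewalls ... | grep TYPE:` step:
    True when a network-firewall-policy entry is listed before any VPC rule."""
    types = [line.strip().split(":", 1)[1].strip()
             for line in effective_firewalls_output.splitlines()
             if line.strip().startswith("TYPE:")]
    if "network-firewall-policy" not in types:
        return False
    return "network-firewall" not in types[:types.index("network-firewall-policy")]


if __name__ == "__main__":
    for order in ("AFTER_CLASSIC_FIREWALL", "BEFORE_CLASSIC_FIREWALL"):
        for pkt in (OUTSIDER_SSH, ADMIN_SSH, ADMIN_HTTPS):
            print(order, pkt, verdict(pkt, POLICY_RULES, VPC_RULES, order))
    print("after Task 8 (VPC rules gone):", verdict(OUTSIDER_SSH, POLICY_RULES, []))
```

With the default order the outsider's SSH is allowed by the legacy VPC rule before the policy is ever consulted; with BEFORE_CLASSIC_FIREWALL the policy's deny wins. Once the VPC rules are deleted in Task 8 the order no longer matters, which is why the cutover sequence is: migrate, associate, flip the order, verify, then remove the legacy rules.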

Click Check my progress to verify the objective. Change the policy and rule evaluation order.

Task 6. Enable logging of firewall rules

Firewall Rules Logging lets you audit, verify, and analyze the effects of your firewall rules. For example, you can determine if a firewall rule designed to deny traffic is functioning as intended. Firewall Rules Logging is also useful if you need to determine how many connections are affected by a given firewall rule.

Logging helps you to determine whether a firewall rule is functioning as intended. The migration tool retains the logging status of the existing VPC firewall rules when it creates the new global network firewall policy, so a rule that was not logging before migration is still not logging afterwards. To enable logging for a firewall policy rule, use the compute network-firewall-policies rules update command. A policy rule is addressed by its priority within the policy, not by name: 1000 in the command below is the priority of the rule to update (use the priorities reported in the migration output from Task 3). The priority has nothing to do with whether the policy is evaluated before the legacy VPC firewall rules; that is the enforcement order you set in Task 5.

POLICY_NAME: Replace with your global firewall policy name

gcloud compute network-firewall-policies rules update 1000 \
    --firewall-policy=POLICY_NAME \
    --enable-logging \
    --global-firewall-policy

To verify the firewall policy is attached to the network, return to VPC network in the Cloud console, and click on the external-network > Firewalls.

Note: You will also see a hierarchical firewall policy, which is applied at the organization level and is evaluated before the network firewall policy.

Click Check my progress to verify the objective. Enable logging of firewall rule.

Task 7. Test the global network firewall policy

In a real cutover you keep both rule sets for a while and watch the hit counts: traffic shifts gradually to the new policy rules until the legacy rules receive zero hits. At that point you disable the old rules, watch for anything that breaks, and only then delete the legacy VPC firewall rules.

Now test your network-level access: if you're on the "approved" external networks, you're in. If not, you're blocked.

Send some traffic to the network that has the global firewall rule. You need to get the external IP address of VMs that are in your VPC Network.

  1. From the Navigation menu click on Compute Engine > VM Instances.
  2. Copy the External IP of the external-server-1
  3. Ping the external IP to send some traffic, replacing EXTERNAL_IP with the address you copied:
ping -c 20 EXTERNAL_IP

Now move to Logs Explorer to see the results.

Check the logs

  1. In the Google Cloud search bar, search for "logging", then right click on Logs Explorer to open it in a new tab.
  2. Click All resources > Audited Resource, and then click Apply.
  3. Scan through the results and look for the names of the firewall rules. You'll notice that the name changes from the VPC firewall rule to the global firewall policy.

Check connectivity

For this test you'll use the Network Intelligence Center.

  1. In the Google Cloud search bar, search for "connectivity", then select Connectivity Test from the results.
  2. Enable the Network Management API.
  3. You need to get the external IP address of VMs that are in your VPC Network. From the Navigation menu right click on Compute Engine to open a new window, then click on VM Instances.
  4. Copy the External IP of the external-server-1.
  5. On the Create Connectivity Test screen, click on Create connectivity test.
  6. Name the test, then paste the IP address into the Source IP field.
  7. Return to the VM Instances tab, then copy the External IP for the internal-server-1.
  8. On the Create Connectivity Test screen, paste the IP address into the Destination field.
  9. Click Create.

You'll see that the test is unsuccessful: there is no firewall policy rule that allows TCP traffic to internal-server-1.

Now repeat the test, switching the direction. Add the internal-server-1 IP as the Source IP and the external-server-1 as the Destination.

Click Check my progress to verify the objective. Test the global network firewall policy.

Task 8. Delete the VPC firewall rules from the network

It is recommended that you disable the VPC firewall rules first before entirely deleting them. You can revert to those rules if the global network firewall policy created by the migration tool fails to provide the expected results. For this lab, move directly to removing the VPC firewall rules now that they are migrated to the global firewall policy.

Be sure to use the individual firewall rule names.

  1. To disable a VPC firewall rule, use the compute firewall-rules update command.

Replace RULE_NAME with the name of the VPC firewall rule to be disabled.

gcloud compute firewall-rules update RULE_NAME --disabled
  2. To delete a VPC firewall rule, use the compute firewall-rules delete command.
gcloud compute firewall-rules delete RULE_NAME

Optional: Delete firewall rules in the console

  1. Return to the Console and go to VPC Networks.
  2. Click on the external-network, then click on the Firewalls tab.
  3. Expand the VPC Network Rules toggle.
  4. Select the 4 firewall rules then click Delete.

Click Check my progress to verify the objective. Delete the VPC firewall rules from the network.

Congratulations!

You have learned how to migrate VPC firewall rules to a global network firewall policy, applied it to 2 networks, verified that it is working, and disabled the legacy firewall rules in preparation for deleting them.


Manual last updated April 4, 2025

Lab last tested April 4, 2025

Copyright 2025 Google LLC. All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.
