Google Cloud Firewall is a fully distributed, stateful inspection next-generation firewall that is built into our software-defined networking fabric and enforced for each workload. With Cloud Firewall, you can enable advanced network threat protection with operational simplicity at cloud scale.
Today, we are excited to announce the general availability of the fully qualified domain name (FQDN) feature for Cloud Firewall. FQDN is generally available to customers as part of the Cloud Firewall Standard tier, which also includes Google Cloud Threat Intelligence integration and geolocation filtering. We have also extended Google Cloud Threat Intelligence support with new IP reputation lists and released IPV6 and GKE node pool support for IAM-governed tags in Public Preview.
Cloud Firewall features are available in three tiers shown in the graphic below: Essentials, the foundational set of capabilities; Standard, which expands rule capabilities; and Plus, which includes advanced threat protection capabilities. You can check out our Cloud Firewall Plus blog to learn more about the capabilities in Plus tier.
Figure 1: Cloud Firewall Tiers
FQDN-based objects to help easily filter traffic using domain names
With fully qualified domain name (FQDN) based objects, Google Cloud takes care of knowing the exact IP addresses for the FQDN in firewall rules. These objects can be used in rules to allow or block traffic based on FQDN instead of IP addresses, which can help provide the following benefits:
Improved reliability: FQDNs do not change when the underlying IP addresses change. This can help to reduce downtime and improve the reliability of access to your cloud workloads.Easier to use: FQDNs are more human-readable and easier to remember than IP addresses. This can make your firewall rules more understandable by making them self-documenting, so they are easier to audit and maintain.Enhanced security: Cloud Firewall integrates with Cloud DNS for FQDN name resolution to help improve the security of your applications by making DNS spoofing attacks more difficult.
Expanded Threat Intelligence lists for Cloud Firewall
Threat Intelligence for Cloud Firewall leverages a combination of Google, third-party, and open source data to provide curated IP reputation lists to help you block known malicious traffic and allow known good traffic. These lists are maintained and continuously updated by Google Cloud Threat Intelligence researchers.
Threat Intelligence for Cloud Firewall is part of the Cloud Firewall Standard tier, and today we are expanding our coverage with the following new IP lists for Cloud Firewall to help tighten your security posture and help block malicious traffic:
iplist-vpn-providers: Matches IP addresses that belong to low-reputation VPN providersiplist-anon-proxies: Matches IP addresses that belong to open anonymous proxiesiplist-crypto-miners: Matches IP addresses that belong to cryptocurrency mining sitesiplist-public-clouds-google-services: Matches IP addresses that belong to Google services
Enhanced support for tags in firewall policies
We are also pleased to announce IPv6 support, and Google Kubernetes Engine (GKE) node pool support for IAM-governed tags, both available in public preview. Tag support is part of the Cloud Firewall Essentials tier.
Previously, tags only worked with IPv4 based rules. With IPv6 support for tags, you can now use tags as source and destination filters for IPv6 based rules.
With GKE node pool support for resource manager tags, you can selectively enforce Cloud Firewall network firewall policies in GKE clusters and node pools, to help control traffic flow between your VM instances and GKE clusters and node pools. This helps to strengthen your security posture by enabling micro-segmentation down to the GKE node pool level.
Take the next step
Cloud Firewall is a scalable, cloud-first, stateful firewall service with advanced protection capabilities. The latest updates to Cloud Firewall Standard, now available in GA, provide additional capabilities to simplify firewall management to help protect your cloud workloads.
Read More for the details.