
Google Announces General Availability of New Features for Cloud Firewall

Google announced new functionality for Google Cloud Firewall, its cloud-native, distributed managed firewall service. The features now in general availability are threat intelligence for Cloud Firewall, geo-location objects, address groups, and local IP ranges. They are available in two tiers, described in the following table:

The new threat intelligence feature for Cloud Firewall lets administrators reference, in firewall rules, threat intelligence lists that Google maintains from many sources, including its own data, third-party feeds, and open-source databases. The threat intelligence data includes lists of IPs in these categories:

  • Tor exit nodes: IP addresses of users who hide their identity behind Tor, the open-source software for anonymous communication
  • Known malicious IP addresses: IPs known to be the origin of web application attacks
  • Search engines: IP addresses of site-indexing crawlers
  • Public cloud IP address ranges: this category can be used to keep malicious automated tools hosted in public clouds from browsing web applications

Thanks to geo-location objects, Cloud Firewall lets administrators create firewall rules that block or allow ingress and egress traffic for a specific region of the globe. Google maintains the country-to-IP address mapping and, depending on the traffic direction, matches the IP addresses associated with a country code against either the traffic's sources or its destinations.

An address group is a logical collection of IPv4 and IPv6 address ranges in CIDR format. This feature makes firewall rules easier to maintain: administrators no longer need to keep a copy of the IP range set in each rule that references it. Many different firewall rules and network firewall policies can use the same address group.

With local IP range support, administrators can configure destination IPs in ingress firewall rules so that only ingress traffic targeting specific IPs is allowed. Before this feature, when a tag or service account was specified as the target, it was impossible to also specify a target workload's IP address. For example, if the target workload is a GKE node with multiple IPs assigned to it, the previous configuration did not let you restrict the rule to a particular one of those IPs.

Administrators can enable these new features through the Google Cloud Console, the command-line interface, or the API.
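The following script is an added example, not code from the article or from Google, showing how the four features described above (an address group, threat intelligence lists, a geo-location object, and a local IP range on a service-account-targeted rule) combine into one global network firewall policy on the command line. The gcloud subcommands and flag names (`network-security address-groups create`, `--src-threat-intelligence`, `--src-region-codes`, `--src-address-groups`, `--dest-ip-ranges`) and the list names `iplist-tor-exit-nodes` and `iplist-known-malicious-ips` are assumed from the gcloud reference as this example's author recalls them and should be confirmed with `gcloud ... --help` before use; the project, policy, group and service-account names are placeholders, and every IP range and country code is constructed.

```shell
#!/bin/sh
# Added example; not code from the article or from Google. It composes the four
# Cloud Firewall features into rules of one global network firewall policy.
# gcloud flag names are assumed from the reference as this example's author
# recalls them: confirm each one with `gcloud ... --help` before applying.
# Project, policy, group and service-account names are placeholders; the IP
# ranges (RFC 5737 / private space) and country codes are constructed.
# DRY_RUN=1 (the default) only prints each command; DRY_RUN=0 executes it.

DRY_RUN="${DRY_RUN:-1}"
PROJECT="${PROJECT:-example-project}"
POLICY="${POLICY:-edge-policy}"
ADMIN_GROUP="${ADMIN_GROUP:-admin-ips}"
WEB_SA="${WEB_SA:-web@example-project.iam.gserviceaccount.com}"
WEB_VIP="${WEB_VIP:-10.10.0.5/32}"            # the one node IP that should accept traffic
ALLOWED_REGIONS="${ALLOWED_REGIONS:-US,CA}"   # constructed allow-list of country codes

# run: print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# 1. Address group: the admin CIDR list lives in one object that many rules
#    reference, instead of being copied into every rule that needs it.
create_admin_address_group() {
  run gcloud network-security address-groups create "$ADMIN_GROUP" \
    --project="$PROJECT" --location=global --type=IPV4 --capacity=100 \
    --items=203.0.113.0/24,198.51.100.7/32
}

# Resource path a rule uses to reference the group.
admin_group_path() {
  printf 'projects/%s/locations/global/addressGroups/%s\n' "$PROJECT" "$ADMIN_GROUP"
}

# 2. Threat intelligence: deny all ingress from Tor exit nodes and known
#    malicious IPs. Logging is on so that hits are visible for detection.
deny_threat_intel() {
  run gcloud compute network-firewall-policies rules create 100 \
    --project="$PROJECT" --firewall-policy="$POLICY" --global-firewall-policy \
    --direction=INGRESS --action=deny --layer4-configs=all \
    --src-threat-intelligence=iplist-tor-exit-nodes,iplist-known-malicious-ips \
    --enable-logging
}

# 3. Address group in a rule: SSH is allowed only from the admin ranges.
allow_admin_ssh() {
  run gcloud compute network-firewall-policies rules create 200 \
    --project="$PROJECT" --firewall-policy="$POLICY" --global-firewall-policy \
    --direction=INGRESS --action=allow --layer4-configs=tcp:22 \
    --src-address-groups="$(admin_group_path)" --enable-logging
}

# 4. Geo-location object plus local IP range: HTTPS is allowed only from the
#    allow-listed country codes, and only to WEB_VIP on the targeted service
#    account. The --dest-ip-ranges flag is what restricts a multi-IP GKE node
#    to a single one of its addresses.
allow_https_from_regions() {
  run gcloud compute network-firewall-policies rules create 300 \
    --project="$PROJECT" --firewall-policy="$POLICY" --global-firewall-policy \
    --direction=INGRESS --action=allow --layer4-configs=tcp:443 \
    --src-region-codes="$ALLOWED_REGIONS" \
    --target-service-accounts="$WEB_SA" --dest-ip-ranges="$WEB_VIP"
}

apply_all() {
  create_admin_address_group
  deny_threat_intel
  allow_admin_ssh
  allow_https_from_regions
}

apply_all
```

Run it once with the default `DRY_RUN=1` to review the generated commands, then with `DRY_RUN=0` and real values for `PROJECT`, `POLICY`, `WEB_SA` and `WEB_VIP` to create the address group and the three rules; priorities are numbered so the threat intelligence deny (100) is evaluated before the allows (200, 300).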
