The gcp:compute/regionNetworkFirewallPolicyRule:RegionNetworkFirewallPolicyRule resource, part of the Pulumi GCP provider, defines individual firewall rules within a regional network firewall policy: their match conditions, actions, and target scope. This guide focuses on three capabilities: source and destination filtering with match conditions, network scope-based traffic control, and load balancer rule targeting.
Rules belong to RegionNetworkFirewallPolicy resources and reference VPC networks, address groups, secure tags, or service accounts. The examples are intentionally small. Combine them with your own firewall policies and network infrastructure.
Filter ingress traffic with multiple source criteria
Security teams often need to allow traffic from specific sources while blocking everything else. Regional firewall policy rules evaluate incoming connections against IP ranges, FQDNs, threat intelligence feeds, and secure tags.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const basicRegionalNetworksecurityAddressGroup = new gcp.networksecurity.AddressGroup("basic_regional_networksecurity_address_group", {
name: "address-group",
parent: "projects/my-project-name",
description: "Sample regional networksecurity_address_group",
location: "us-west1",
items: ["208.80.154.224/32"],
type: "IPV4",
capacity: 100,
});
const basicRegionalNetworkFirewallPolicy = new gcp.compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy", {
name: "fw-policy",
description: "Sample regional network firewall policy",
project: "my-project-name",
region: "us-west1",
});
const basicNetwork = new gcp.compute.Network("basic_network", {name: "network"});
const basicKey = new gcp.tags.TagKey("basic_key", {
description: "For keyname resources.",
parent: "organizations/123456789",
purpose: "GCE_FIREWALL",
shortName: "tag-key",
purposeData: {
network: pulumi.interpolate`my-project-name/${basicNetwork.name}`,
},
});
const basicValue = new gcp.tags.TagValue("basic_value", {
description: "For valuename resources.",
parent: basicKey.id,
shortName: "tag-value",
});
const primary = new gcp.compute.RegionNetworkFirewallPolicyRule("primary", {
action: "allow",
description: "This is a simple rule description",
direction: "INGRESS",
disabled: false,
enableLogging: true,
firewallPolicy: basicRegionalNetworkFirewallPolicy.name,
priority: 1000,
region: "us-west1",
ruleName: "test-rule",
targetServiceAccounts: ["my@service-account.com"],
match: {
srcAddressGroups: [basicRegionalNetworksecurityAddressGroup.id],
srcIpRanges: ["10.100.0.1/32"],
srcFqdns: ["example.com"],
srcRegionCodes: ["US"],
srcThreatIntelligences: ["iplist-known-malicious-ips"],
layer4Configs: [{
ipProtocol: "all",
}],
srcSecureTags: [{
name: basicValue.id,
}],
},
});
import pulumi
import pulumi_gcp as gcp
basic_regional_networksecurity_address_group = gcp.networksecurity.AddressGroup("basic_regional_networksecurity_address_group",
name="address-group",
parent="projects/my-project-name",
description="Sample regional networksecurity_address_group",
location="us-west1",
items=["208.80.154.224/32"],
type="IPV4",
capacity=100)
basic_regional_network_firewall_policy = gcp.compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy",
name="fw-policy",
description="Sample regional network firewall policy",
project="my-project-name",
region="us-west1")
basic_network = gcp.compute.Network("basic_network", name="network")
basic_key = gcp.tags.TagKey("basic_key",
description="For keyname resources.",
parent="organizations/123456789",
purpose="GCE_FIREWALL",
short_name="tag-key",
purpose_data={
"network": basic_network.name.apply(lambda name: f"my-project-name/{name}"),
})
basic_value = gcp.tags.TagValue("basic_value",
description="For valuename resources.",
parent=basic_key.id,
short_name="tag-value")
primary = gcp.compute.RegionNetworkFirewallPolicyRule("primary",
action="allow",
description="This is a simple rule description",
direction="INGRESS",
disabled=False,
enable_logging=True,
firewall_policy=basic_regional_network_firewall_policy.name,
priority=1000,
region="us-west1",
rule_name="test-rule",
target_service_accounts=["my@service-account.com"],
match={
"src_address_groups": [basic_regional_networksecurity_address_group.id],
"src_ip_ranges": ["10.100.0.1/32"],
"src_fqdns": ["example.com"],
"src_region_codes": ["US"],
"src_threat_intelligences": ["iplist-known-malicious-ips"],
"layer4_configs": [{
"ip_protocol": "all",
}],
"src_secure_tags": [{
"name": basic_value.id,
}],
})
package main
import (
"fmt"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/networksecurity"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/tags"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
basicRegionalNetworksecurityAddressGroup, err := networksecurity.NewAddressGroup(ctx, "basic_regional_networksecurity_address_group", &networksecurity.AddressGroupArgs{
Name: pulumi.String("address-group"),
Parent: pulumi.String("projects/my-project-name"),
Description: pulumi.String("Sample regional networksecurity_address_group"),
Location: pulumi.String("us-west1"),
Items: pulumi.StringArray{
pulumi.String("208.80.154.224/32"),
},
Type: pulumi.String("IPV4"),
Capacity: pulumi.Int(100),
})
if err != nil {
return err
}
basicRegionalNetworkFirewallPolicy, err := compute.NewRegionNetworkFirewallPolicy(ctx, "basic_regional_network_firewall_policy", &compute.RegionNetworkFirewallPolicyArgs{
Name: pulumi.String("fw-policy"),
Description: pulumi.String("Sample regional network firewall policy"),
Project: pulumi.String("my-project-name"),
Region: pulumi.String("us-west1"),
})
if err != nil {
return err
}
basicNetwork, err := compute.NewNetwork(ctx, "basic_network", &compute.NetworkArgs{
Name: pulumi.String("network"),
})
if err != nil {
return err
}
basicKey, err := tags.NewTagKey(ctx, "basic_key", &tags.TagKeyArgs{
Description: pulumi.String("For keyname resources."),
Parent: pulumi.String("organizations/123456789"),
Purpose: pulumi.String("GCE_FIREWALL"),
ShortName: pulumi.String("tag-key"),
PurposeData: pulumi.StringMap{
"network": basicNetwork.Name.ApplyT(func(name string) (string, error) {
return fmt.Sprintf("my-project-name/%v", name), nil
}).(pulumi.StringOutput),
},
})
if err != nil {
return err
}
basicValue, err := tags.NewTagValue(ctx, "basic_value", &tags.TagValueArgs{
Description: pulumi.String("For valuename resources."),
Parent: basicKey.ID(),
ShortName: pulumi.String("tag-value"),
})
if err != nil {
return err
}
_, err = compute.NewRegionNetworkFirewallPolicyRule(ctx, "primary", &compute.RegionNetworkFirewallPolicyRuleArgs{
Action: pulumi.String("allow"),
Description: pulumi.String("This is a simple rule description"),
Direction: pulumi.String("INGRESS"),
Disabled: pulumi.Bool(false),
EnableLogging: pulumi.Bool(true),
FirewallPolicy: basicRegionalNetworkFirewallPolicy.Name,
Priority: pulumi.Int(1000),
Region: pulumi.String("us-west1"),
RuleName: pulumi.String("test-rule"),
TargetServiceAccounts: pulumi.StringArray{
pulumi.String("my@service-account.com"),
},
Match: &compute.RegionNetworkFirewallPolicyRuleMatchArgs{
SrcAddressGroups: pulumi.StringArray{
basicRegionalNetworksecurityAddressGroup.ID(),
},
SrcIpRanges: pulumi.StringArray{
pulumi.String("10.100.0.1/32"),
},
SrcFqdns: pulumi.StringArray{
pulumi.String("example.com"),
},
SrcRegionCodes: pulumi.StringArray{
pulumi.String("US"),
},
SrcThreatIntelligences: pulumi.StringArray{
pulumi.String("iplist-known-malicious-ips"),
},
Layer4Configs: compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArray{
&compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("all"),
},
},
SrcSecureTags: compute.RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArray{
&compute.RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs{
Name: basicValue.ID(),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var basicRegionalNetworksecurityAddressGroup = new Gcp.NetworkSecurity.AddressGroup("basic_regional_networksecurity_address_group", new()
{
Name = "address-group",
Parent = "projects/my-project-name",
Description = "Sample regional networksecurity_address_group",
Location = "us-west1",
Items = new[]
{
"208.80.154.224/32",
},
Type = "IPV4",
Capacity = 100,
});
var basicRegionalNetworkFirewallPolicy = new Gcp.Compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy", new()
{
Name = "fw-policy",
Description = "Sample regional network firewall policy",
Project = "my-project-name",
Region = "us-west1",
});
var basicNetwork = new Gcp.Compute.Network("basic_network", new()
{
Name = "network",
});
var basicKey = new Gcp.Tags.TagKey("basic_key", new()
{
Description = "For keyname resources.",
Parent = "organizations/123456789",
Purpose = "GCE_FIREWALL",
ShortName = "tag-key",
PurposeData =
{
{ "network", basicNetwork.Name.Apply(name => $"my-project-name/{name}") },
},
});
var basicValue = new Gcp.Tags.TagValue("basic_value", new()
{
Description = "For valuename resources.",
Parent = basicKey.Id,
ShortName = "tag-value",
});
var primary = new Gcp.Compute.RegionNetworkFirewallPolicyRule("primary", new()
{
Action = "allow",
Description = "This is a simple rule description",
Direction = "INGRESS",
Disabled = false,
EnableLogging = true,
FirewallPolicy = basicRegionalNetworkFirewallPolicy.Name,
Priority = 1000,
Region = "us-west1",
RuleName = "test-rule",
TargetServiceAccounts = new[]
{
"my@service-account.com",
},
Match = new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchArgs
{
SrcAddressGroups = new[]
{
basicRegionalNetworksecurityAddressGroup.Id,
},
SrcIpRanges = new[]
{
"10.100.0.1/32",
},
SrcFqdns = new[]
{
"example.com",
},
SrcRegionCodes = new[]
{
"US",
},
SrcThreatIntelligences = new[]
{
"iplist-known-malicious-ips",
},
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs
{
IpProtocol = "all",
},
},
SrcSecureTags = new[]
{
new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs
{
Name = basicValue.Id,
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.networksecurity.AddressGroup;
import com.pulumi.gcp.networksecurity.AddressGroupArgs;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicy;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyArgs;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.tags.TagKey;
import com.pulumi.gcp.tags.TagKeyArgs;
import com.pulumi.gcp.tags.TagValue;
import com.pulumi.gcp.tags.TagValueArgs;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyRule;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyRuleArgs;
import com.pulumi.gcp.compute.inputs.RegionNetworkFirewallPolicyRuleMatchArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var basicRegionalNetworksecurityAddressGroup = new AddressGroup("basicRegionalNetworksecurityAddressGroup", AddressGroupArgs.builder()
.name("address-group")
.parent("projects/my-project-name")
.description("Sample regional networksecurity_address_group")
.location("us-west1")
.items("208.80.154.224/32")
.type("IPV4")
.capacity(100)
.build());
var basicRegionalNetworkFirewallPolicy = new RegionNetworkFirewallPolicy("basicRegionalNetworkFirewallPolicy", RegionNetworkFirewallPolicyArgs.builder()
.name("fw-policy")
.description("Sample regional network firewall policy")
.project("my-project-name")
.region("us-west1")
.build());
var basicNetwork = new Network("basicNetwork", NetworkArgs.builder()
.name("network")
.build());
var basicKey = new TagKey("basicKey", TagKeyArgs.builder()
.description("For keyname resources.")
.parent("organizations/123456789")
.purpose("GCE_FIREWALL")
.shortName("tag-key")
.purposeData(Map.of("network", basicNetwork.name().applyValue(_name -> String.format("my-project-name/%s", _name))))
.build());
var basicValue = new TagValue("basicValue", TagValueArgs.builder()
.description("For valuename resources.")
.parent(basicKey.id())
.shortName("tag-value")
.build());
var primary = new RegionNetworkFirewallPolicyRule("primary", RegionNetworkFirewallPolicyRuleArgs.builder()
.action("allow")
.description("This is a simple rule description")
.direction("INGRESS")
.disabled(false)
.enableLogging(true)
.firewallPolicy(basicRegionalNetworkFirewallPolicy.name())
.priority(1000)
.region("us-west1")
.ruleName("test-rule")
.targetServiceAccounts("my@service-account.com")
.match(RegionNetworkFirewallPolicyRuleMatchArgs.builder()
.srcAddressGroups(basicRegionalNetworksecurityAddressGroup.id())
.srcIpRanges("10.100.0.1/32")
.srcFqdns("example.com")
.srcRegionCodes("US")
.srcThreatIntelligences("iplist-known-malicious-ips")
.layer4Configs(RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("all")
.build())
.srcSecureTags(RegionNetworkFirewallPolicyRuleMatchSrcSecureTagArgs.builder()
.name(basicValue.id())
.build())
.build())
.build());
}
}
resources:
basicRegionalNetworksecurityAddressGroup:
type: gcp:networksecurity:AddressGroup
name: basic_regional_networksecurity_address_group
properties:
name: address-group
parent: projects/my-project-name
description: Sample regional networksecurity_address_group
location: us-west1
items:
- 208.80.154.224/32
type: IPV4
capacity: 100
basicRegionalNetworkFirewallPolicy:
type: gcp:compute:RegionNetworkFirewallPolicy
name: basic_regional_network_firewall_policy
properties:
name: fw-policy
description: Sample regional network firewall policy
project: my-project-name
region: us-west1
primary:
type: gcp:compute:RegionNetworkFirewallPolicyRule
properties:
action: allow
description: This is a simple rule description
direction: INGRESS
disabled: false
enableLogging: true
firewallPolicy: ${basicRegionalNetworkFirewallPolicy.name}
priority: 1000
region: us-west1
ruleName: test-rule
targetServiceAccounts:
- my@service-account.com
match:
srcAddressGroups:
- ${basicRegionalNetworksecurityAddressGroup.id}
srcIpRanges:
- 10.100.0.1/32
srcFqdns:
- example.com
srcRegionCodes:
- US
srcThreatIntelligences:
- iplist-known-malicious-ips
layer4Configs:
- ipProtocol: all
srcSecureTags:
- name: ${basicValue.id}
basicNetwork:
type: gcp:compute:Network
name: basic_network
properties:
name: network
basicKey:
type: gcp:tags:TagKey
name: basic_key
properties:
description: For keyname resources.
parent: organizations/123456789
purpose: GCE_FIREWALL
shortName: tag-key
purposeData:
network: my-project-name/${basicNetwork.name}
basicValue:
type: gcp:tags:TagValue
name: basic_value
properties:
description: For valuename resources.
parent: ${basicKey.id}
shortName: tag-value
The match block defines what traffic the rule applies to. When direction is INGRESS, you can filter by srcAddressGroups (references to networksecurity.AddressGroup resources), srcIpRanges (CIDR blocks), srcFqdns (domain names), srcRegionCodes (ISO country codes), srcThreatIntelligences (Google threat feeds), and srcSecureTags (secure tag values). The layer4Configs property specifies protocols and ports; “all” means any protocol. The targetServiceAccounts property limits the rule to instances running under specific service accounts.
Control egress to internet destinations
Applications that need to reach external services require egress rules. Network scope filtering distinguishes between internet-bound and internal VPC traffic.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const basicRegionalNetworkFirewallPolicy = new gcp.compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy", {
name: "fw-policy",
description: "Sample regional network firewall policy",
project: "my-project-name",
region: "us-west1",
});
const primary = new gcp.compute.RegionNetworkFirewallPolicyRule("primary", {
action: "allow",
description: "This is a simple rule description",
direction: "EGRESS",
disabled: false,
enableLogging: true,
firewallPolicy: basicRegionalNetworkFirewallPolicy.name,
priority: 1000,
region: "us-west1",
ruleName: "test-rule",
match: {
destIpRanges: ["10.100.0.1/32"],
destNetworkScope: "INTERNET",
layer4Configs: [{
ipProtocol: "all",
}],
},
});
import pulumi
import pulumi_gcp as gcp
basic_regional_network_firewall_policy = gcp.compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy",
name="fw-policy",
description="Sample regional network firewall policy",
project="my-project-name",
region="us-west1")
primary = gcp.compute.RegionNetworkFirewallPolicyRule("primary",
action="allow",
description="This is a simple rule description",
direction="EGRESS",
disabled=False,
enable_logging=True,
firewall_policy=basic_regional_network_firewall_policy.name,
priority=1000,
region="us-west1",
rule_name="test-rule",
match={
"dest_ip_ranges": ["10.100.0.1/32"],
"dest_network_scope": "INTERNET",
"layer4_configs": [{
"ip_protocol": "all",
}],
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
basicRegionalNetworkFirewallPolicy, err := compute.NewRegionNetworkFirewallPolicy(ctx, "basic_regional_network_firewall_policy", &compute.RegionNetworkFirewallPolicyArgs{
Name: pulumi.String("fw-policy"),
Description: pulumi.String("Sample regional network firewall policy"),
Project: pulumi.String("my-project-name"),
Region: pulumi.String("us-west1"),
})
if err != nil {
return err
}
_, err = compute.NewRegionNetworkFirewallPolicyRule(ctx, "primary", &compute.RegionNetworkFirewallPolicyRuleArgs{
Action: pulumi.String("allow"),
Description: pulumi.String("This is a simple rule description"),
Direction: pulumi.String("EGRESS"),
Disabled: pulumi.Bool(false),
EnableLogging: pulumi.Bool(true),
FirewallPolicy: basicRegionalNetworkFirewallPolicy.Name,
Priority: pulumi.Int(1000),
Region: pulumi.String("us-west1"),
RuleName: pulumi.String("test-rule"),
Match: &compute.RegionNetworkFirewallPolicyRuleMatchArgs{
DestIpRanges: pulumi.StringArray{
pulumi.String("10.100.0.1/32"),
},
DestNetworkScope: pulumi.String("INTERNET"),
Layer4Configs: compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArray{
&compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("all"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var basicRegionalNetworkFirewallPolicy = new Gcp.Compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy", new()
{
Name = "fw-policy",
Description = "Sample regional network firewall policy",
Project = "my-project-name",
Region = "us-west1",
});
var primary = new Gcp.Compute.RegionNetworkFirewallPolicyRule("primary", new()
{
Action = "allow",
Description = "This is a simple rule description",
Direction = "EGRESS",
Disabled = false,
EnableLogging = true,
FirewallPolicy = basicRegionalNetworkFirewallPolicy.Name,
Priority = 1000,
Region = "us-west1",
RuleName = "test-rule",
Match = new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchArgs
{
DestIpRanges = new[]
{
"10.100.0.1/32",
},
DestNetworkScope = "INTERNET",
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs
{
IpProtocol = "all",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicy;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyArgs;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyRule;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyRuleArgs;
import com.pulumi.gcp.compute.inputs.RegionNetworkFirewallPolicyRuleMatchArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var basicRegionalNetworkFirewallPolicy = new RegionNetworkFirewallPolicy("basicRegionalNetworkFirewallPolicy", RegionNetworkFirewallPolicyArgs.builder()
.name("fw-policy")
.description("Sample regional network firewall policy")
.project("my-project-name")
.region("us-west1")
.build());
var primary = new RegionNetworkFirewallPolicyRule("primary", RegionNetworkFirewallPolicyRuleArgs.builder()
.action("allow")
.description("This is a simple rule description")
.direction("EGRESS")
.disabled(false)
.enableLogging(true)
.firewallPolicy(basicRegionalNetworkFirewallPolicy.name())
.priority(1000)
.region("us-west1")
.ruleName("test-rule")
.match(RegionNetworkFirewallPolicyRuleMatchArgs.builder()
.destIpRanges("10.100.0.1/32")
.destNetworkScope("INTERNET")
.layer4Configs(RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("all")
.build())
.build())
.build());
}
}
resources:
basicRegionalNetworkFirewallPolicy:
type: gcp:compute:RegionNetworkFirewallPolicy
name: basic_regional_network_firewall_policy
properties:
name: fw-policy
description: Sample regional network firewall policy
project: my-project-name
region: us-west1
primary:
type: gcp:compute:RegionNetworkFirewallPolicyRule
properties:
action: allow
description: This is a simple rule description
direction: EGRESS
disabled: false
enableLogging: true
firewallPolicy: ${basicRegionalNetworkFirewallPolicy.name}
priority: 1000
region: us-west1
ruleName: test-rule
match:
destIpRanges:
- 10.100.0.1/32
destNetworkScope: INTERNET
layer4Configs:
- ipProtocol: all
When direction is EGRESS, the match block uses destIpRanges and destNetworkScope instead of source properties. Setting destNetworkScope to “INTERNET” means the rule applies only to traffic leaving your VPC for external destinations. This lets you allow specific internet endpoints while blocking others.
Allow ingress from specific VPC networks
Multi-VPC architectures often need to allow traffic from specific networks while blocking others. Network scope filtering with VPC_NETWORKS restricts sources to named networks.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const basicRegionalNetworkFirewallPolicy = new gcp.compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy", {
name: "fw-policy",
description: "Sample regional network firewall policy",
project: "my-project-name",
region: "us-west1",
});
const network = new gcp.compute.Network("network", {name: "network"});
const primary = new gcp.compute.RegionNetworkFirewallPolicyRule("primary", {
action: "allow",
description: "This is a simple rule description",
direction: "INGRESS",
disabled: false,
enableLogging: true,
firewallPolicy: basicRegionalNetworkFirewallPolicy.name,
priority: 1000,
region: "us-west1",
ruleName: "test-rule",
match: {
srcIpRanges: ["10.100.0.1/32"],
srcNetworkScope: "VPC_NETWORKS",
srcNetworks: [network.id],
layer4Configs: [{
ipProtocol: "all",
}],
},
});
import pulumi
import pulumi_gcp as gcp
basic_regional_network_firewall_policy = gcp.compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy",
name="fw-policy",
description="Sample regional network firewall policy",
project="my-project-name",
region="us-west1")
network = gcp.compute.Network("network", name="network")
primary = gcp.compute.RegionNetworkFirewallPolicyRule("primary",
action="allow",
description="This is a simple rule description",
direction="INGRESS",
disabled=False,
enable_logging=True,
firewall_policy=basic_regional_network_firewall_policy.name,
priority=1000,
region="us-west1",
rule_name="test-rule",
match={
"src_ip_ranges": ["10.100.0.1/32"],
"src_network_scope": "VPC_NETWORKS",
"src_networks": [network.id],
"layer4_configs": [{
"ip_protocol": "all",
}],
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
basicRegionalNetworkFirewallPolicy, err := compute.NewRegionNetworkFirewallPolicy(ctx, "basic_regional_network_firewall_policy", &compute.RegionNetworkFirewallPolicyArgs{
Name: pulumi.String("fw-policy"),
Description: pulumi.String("Sample regional network firewall policy"),
Project: pulumi.String("my-project-name"),
Region: pulumi.String("us-west1"),
})
if err != nil {
return err
}
network, err := compute.NewNetwork(ctx, "network", &compute.NetworkArgs{
Name: pulumi.String("network"),
})
if err != nil {
return err
}
_, err = compute.NewRegionNetworkFirewallPolicyRule(ctx, "primary", &compute.RegionNetworkFirewallPolicyRuleArgs{
Action: pulumi.String("allow"),
Description: pulumi.String("This is a simple rule description"),
Direction: pulumi.String("INGRESS"),
Disabled: pulumi.Bool(false),
EnableLogging: pulumi.Bool(true),
FirewallPolicy: basicRegionalNetworkFirewallPolicy.Name,
Priority: pulumi.Int(1000),
Region: pulumi.String("us-west1"),
RuleName: pulumi.String("test-rule"),
Match: &compute.RegionNetworkFirewallPolicyRuleMatchArgs{
SrcIpRanges: pulumi.StringArray{
pulumi.String("10.100.0.1/32"),
},
SrcNetworkScope: pulumi.String("VPC_NETWORKS"),
SrcNetworks: pulumi.StringArray{
network.ID(),
},
Layer4Configs: compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArray{
&compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("all"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var basicRegionalNetworkFirewallPolicy = new Gcp.Compute.RegionNetworkFirewallPolicy("basic_regional_network_firewall_policy", new()
{
Name = "fw-policy",
Description = "Sample regional network firewall policy",
Project = "my-project-name",
Region = "us-west1",
});
var network = new Gcp.Compute.Network("network", new()
{
Name = "network",
});
var primary = new Gcp.Compute.RegionNetworkFirewallPolicyRule("primary", new()
{
Action = "allow",
Description = "This is a simple rule description",
Direction = "INGRESS",
Disabled = false,
EnableLogging = true,
FirewallPolicy = basicRegionalNetworkFirewallPolicy.Name,
Priority = 1000,
Region = "us-west1",
RuleName = "test-rule",
Match = new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchArgs
{
SrcIpRanges = new[]
{
"10.100.0.1/32",
},
SrcNetworkScope = "VPC_NETWORKS",
SrcNetworks = new[]
{
network.Id,
},
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs
{
IpProtocol = "all",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicy;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyArgs;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyRule;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyRuleArgs;
import com.pulumi.gcp.compute.inputs.RegionNetworkFirewallPolicyRuleMatchArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var basicRegionalNetworkFirewallPolicy = new RegionNetworkFirewallPolicy("basicRegionalNetworkFirewallPolicy", RegionNetworkFirewallPolicyArgs.builder()
.name("fw-policy")
.description("Sample regional network firewall policy")
.project("my-project-name")
.region("us-west1")
.build());
var network = new Network("network", NetworkArgs.builder()
.name("network")
.build());
var primary = new RegionNetworkFirewallPolicyRule("primary", RegionNetworkFirewallPolicyRuleArgs.builder()
.action("allow")
.description("This is a simple rule description")
.direction("INGRESS")
.disabled(false)
.enableLogging(true)
.firewallPolicy(basicRegionalNetworkFirewallPolicy.name())
.priority(1000)
.region("us-west1")
.ruleName("test-rule")
.match(RegionNetworkFirewallPolicyRuleMatchArgs.builder()
.srcIpRanges("10.100.0.1/32")
.srcNetworkScope("VPC_NETWORKS")
.srcNetworks(network.id())
.layer4Configs(RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("all")
.build())
.build())
.build());
}
}
resources:
basicRegionalNetworkFirewallPolicy:
type: gcp:compute:RegionNetworkFirewallPolicy
name: basic_regional_network_firewall_policy
properties:
name: fw-policy
description: Sample regional network firewall policy
project: my-project-name
region: us-west1
primary:
type: gcp:compute:RegionNetworkFirewallPolicyRule
properties:
action: allow
description: This is a simple rule description
direction: INGRESS
disabled: false
enableLogging: true
firewallPolicy: ${basicRegionalNetworkFirewallPolicy.name}
priority: 1000
region: us-west1
ruleName: test-rule
match:
srcIpRanges:
- 10.100.0.1/32
srcNetworkScope: VPC_NETWORKS
srcNetworks:
- ${network.id}
layer4Configs:
- ipProtocol: all
network:
type: gcp:compute:Network
properties:
name: network
The srcNetworkScope property set to “VPC_NETWORKS” activates VPC-based filtering. The srcNetworks property lists network IDs that are allowed as sources. This configuration accepts traffic only from the specified VPC, blocking all other sources including the internet.
Apply rules to internal load balancers
Internal load balancers require firewall rules that target the load balancer infrastructure rather than individual instances.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const net = new gcp.compute.Network("net", {
name: "test-net",
autoCreateSubnetworks: false,
});
const fwPolicy = new gcp.compute.RegionNetworkFirewallPolicy("fw_policy", {
name: "simple-fw-policy",
region: "us-central1",
});
const assoc = new gcp.compute.RegionNetworkFirewallPolicyAssociation("assoc", {
name: "fw-policy-assoc",
region: "us-central1",
firewallPolicy: fwPolicy.id,
attachmentTarget: net.selfLink,
});
const internalManagedLbRule = new gcp.compute.RegionNetworkFirewallPolicyRule("internal_managed_lb_rule", {
region: "us-central1",
firewallPolicy: fwPolicy.name,
priority: 1000,
action: "allow",
direction: "INGRESS",
targetType: "INTERNAL_MANAGED_LB",
match: {
srcIpRanges: ["10.0.0.0/8"],
layer4Configs: [{
ipProtocol: "tcp",
}],
},
});
import pulumi
import pulumi_gcp as gcp
net = gcp.compute.Network("net",
name="test-net",
auto_create_subnetworks=False)
fw_policy = gcp.compute.RegionNetworkFirewallPolicy("fw_policy",
name="simple-fw-policy",
region="us-central1")
assoc = gcp.compute.RegionNetworkFirewallPolicyAssociation("assoc",
name="fw-policy-assoc",
region="us-central1",
firewall_policy=fw_policy.id,
attachment_target=net.self_link)
internal_managed_lb_rule = gcp.compute.RegionNetworkFirewallPolicyRule("internal_managed_lb_rule",
region="us-central1",
firewall_policy=fw_policy.name,
priority=1000,
action="allow",
direction="INGRESS",
target_type="INTERNAL_MANAGED_LB",
match={
"src_ip_ranges": ["10.0.0.0/8"],
"layer4_configs": [{
"ip_protocol": "tcp",
}],
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
net, err := compute.NewNetwork(ctx, "net", &compute.NetworkArgs{
Name: pulumi.String("test-net"),
AutoCreateSubnetworks: pulumi.Bool(false),
})
if err != nil {
return err
}
fwPolicy, err := compute.NewRegionNetworkFirewallPolicy(ctx, "fw_policy", &compute.RegionNetworkFirewallPolicyArgs{
Name: pulumi.String("simple-fw-policy"),
Region: pulumi.String("us-central1"),
})
if err != nil {
return err
}
_, err = compute.NewRegionNetworkFirewallPolicyAssociation(ctx, "assoc", &compute.RegionNetworkFirewallPolicyAssociationArgs{
Name: pulumi.String("fw-policy-assoc"),
Region: pulumi.String("us-central1"),
FirewallPolicy: fwPolicy.ID(),
AttachmentTarget: net.SelfLink,
})
if err != nil {
return err
}
_, err = compute.NewRegionNetworkFirewallPolicyRule(ctx, "internal_managed_lb_rule", &compute.RegionNetworkFirewallPolicyRuleArgs{
Region: pulumi.String("us-central1"),
FirewallPolicy: fwPolicy.Name,
Priority: pulumi.Int(1000),
Action: pulumi.String("allow"),
Direction: pulumi.String("INGRESS"),
TargetType: pulumi.String("INTERNAL_MANAGED_LB"),
Match: &compute.RegionNetworkFirewallPolicyRuleMatchArgs{
SrcIpRanges: pulumi.StringArray{
pulumi.String("10.0.0.0/8"),
},
Layer4Configs: compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArray{
&compute.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs{
IpProtocol: pulumi.String("tcp"),
},
},
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var net = new Gcp.Compute.Network("net", new()
{
Name = "test-net",
AutoCreateSubnetworks = false,
});
var fwPolicy = new Gcp.Compute.RegionNetworkFirewallPolicy("fw_policy", new()
{
Name = "simple-fw-policy",
Region = "us-central1",
});
var assoc = new Gcp.Compute.RegionNetworkFirewallPolicyAssociation("assoc", new()
{
Name = "fw-policy-assoc",
Region = "us-central1",
FirewallPolicy = fwPolicy.Id,
AttachmentTarget = net.SelfLink,
});
var internalManagedLbRule = new Gcp.Compute.RegionNetworkFirewallPolicyRule("internal_managed_lb_rule", new()
{
Region = "us-central1",
FirewallPolicy = fwPolicy.Name,
Priority = 1000,
Action = "allow",
Direction = "INGRESS",
TargetType = "INTERNAL_MANAGED_LB",
Match = new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchArgs
{
SrcIpRanges = new[]
{
"10.0.0.0/8",
},
Layer4Configs = new[]
{
new Gcp.Compute.Inputs.RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs
{
IpProtocol = "tcp",
},
},
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.Network;
import com.pulumi.gcp.compute.NetworkArgs;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicy;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyArgs;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyAssociation;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyAssociationArgs;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyRule;
import com.pulumi.gcp.compute.RegionNetworkFirewallPolicyRuleArgs;
import com.pulumi.gcp.compute.inputs.RegionNetworkFirewallPolicyRuleMatchArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var net = new Network("net", NetworkArgs.builder()
.name("test-net")
.autoCreateSubnetworks(false)
.build());
var fwPolicy = new RegionNetworkFirewallPolicy("fwPolicy", RegionNetworkFirewallPolicyArgs.builder()
.name("simple-fw-policy")
.region("us-central1")
.build());
var assoc = new RegionNetworkFirewallPolicyAssociation("assoc", RegionNetworkFirewallPolicyAssociationArgs.builder()
.name("fw-policy-assoc")
.region("us-central1")
.firewallPolicy(fwPolicy.id())
.attachmentTarget(net.selfLink())
.build());
var internalManagedLbRule = new RegionNetworkFirewallPolicyRule("internalManagedLbRule", RegionNetworkFirewallPolicyRuleArgs.builder()
.region("us-central1")
.firewallPolicy(fwPolicy.name())
.priority(1000)
.action("allow")
.direction("INGRESS")
.targetType("INTERNAL_MANAGED_LB")
.match(RegionNetworkFirewallPolicyRuleMatchArgs.builder()
.srcIpRanges("10.0.0.0/8")
.layer4Configs(RegionNetworkFirewallPolicyRuleMatchLayer4ConfigArgs.builder()
.ipProtocol("tcp")
.build())
.build())
.build());
}
}
resources:
net:
type: gcp:compute:Network
properties:
name: test-net
autoCreateSubnetworks: false
fwPolicy:
type: gcp:compute:RegionNetworkFirewallPolicy
name: fw_policy
properties:
name: simple-fw-policy
region: us-central1
assoc:
type: gcp:compute:RegionNetworkFirewallPolicyAssociation
properties:
name: fw-policy-assoc
region: us-central1
firewallPolicy: ${fwPolicy.id}
attachmentTarget: ${net.selfLink}
internalManagedLbRule:
type: gcp:compute:RegionNetworkFirewallPolicyRule
name: internal_managed_lb_rule
properties:
region: us-central1
firewallPolicy: ${fwPolicy.name}
priority: 1000
action: allow
direction: INGRESS
targetType: INTERNAL_MANAGED_LB
match:
srcIpRanges:
- 10.0.0.0/8
layer4Configs:
- ipProtocol: tcp
The targetType property set to “INTERNAL_MANAGED_LB” directs the rule to internal load balancer components instead of VM instances. This example also shows how rules attach to policies via the firewallPolicy property, and how policies attach to networks via RegionNetworkFirewallPolicyAssociation resources (not shown in the rule itself).
Beyond these examples
These snippets focus on specific rule-level features: ingress and egress filtering with match conditions, network scope and VPC-based source filtering, and load balancer targeting. They’re intentionally minimal rather than full firewall configurations.
The examples may reference pre-existing infrastructure such as RegionNetworkFirewallPolicy resources, VPC networks, address groups, secure tags, and service accounts for instance targeting. They focus on configuring individual rules rather than provisioning the surrounding policy and network infrastructure.
To keep things focused, common rule patterns are omitted, including:
- Security profile groups (securityProfileGroup, tlsInspect)
- Forwarding rule targeting (targetForwardingRules)
- Network context filtering (srcNetworkContext, destNetworkContext)
- Rule management (disabled, ruleName, enableLogging)
These omissions are intentional: the goal is to illustrate how each rule feature is wired, not provide drop-in firewall modules. See the RegionNetworkFirewallPolicyRule resource reference for all available configuration options.
Let's configure GCP Regional Network Firewall Policy Rules
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Rule Configuration & Actions
What actions are available for firewall policy rules?
Four actions are supported:
allow, deny, goto_next, and apply_security_profile_group.How does rule priority work?
Priority is an integer between 0 and 2147483647, where 0 is the highest priority and 2147483647 is the lowest. Rules are evaluated from highest to lowest priority.
What do I need to configure when using apply_security_profile_group?
You must set
securityProfileGroup with a fully-qualified SecurityProfile URL. Optionally, set tlsInspect for TLS decryption. Both properties can only be used with apply_security_profile_group action, and the Security Profile Group must be in the same scope as the rule.Targeting & Scope
Can I use both targetServiceAccounts and targetSecureTags on the same rule?
No,
targetSecureTags and targetServiceAccounts are mutually exclusive. Choose one targeting method per rule.What happens if all my secure tags are INEFFECTIVE?
If all
targetSecureTags are in INEFFECTIVE state, the rule will be ignored and not enforced.How do I apply a rule to internal load balancers?
Set
targetType to INTERNAL_MANAGED_LB and provide targetForwardingRules with forwarding rule URLs (e.g., https://www.googleapis.com/compute/v1/projects/project/regions/region/forwardingRules/forwardingRule).How do I match traffic from specific VPC networks?
For INGRESS rules, use
srcNetworkScope: VPC_NETWORKS with srcNetworks containing network IDs.What's the difference between networkScope and networkContext?
Both filter traffic by network origin/destination. Examples show
destNetworkScope: INTERNET and destNetworkContext: INTERNET used interchangeably for EGRESS rules, and srcNetworkScope vs srcNetworkContext for INGRESS rules.Logging & Monitoring
Can I enable logging on all rule types?
No, you cannot enable logging on
goto_next rules. Logging is only supported for allow, deny, and apply_security_profile_group actions.Immutability & Updates
What properties can't I change after creating a rule?
Four properties are immutable:
firewallPolicy, priority, project, and region. Changing these requires recreating the rule.Match Conditions
How do I match internet-bound traffic in EGRESS rules?
Set
destNetworkScope: INTERNET or destNetworkContext: INTERNET in the match block.Using a different cloud?
Explore networking guides for other cloud providers: