Cloud NGFW for RoCE VPC networks

Cloud Next Generation Firewall regional network firewall policies can be used by Virtual Private Cloud (VPC) networks that have an associated Remote Direct Memory Access (RDMA) over converged ethernet (RoCE) network profile. RoCE VPC networks are those that are created with an RDMA RoCE network profile.

RoCE VPC networks enable zonal workloads for high performance computing, including AI workloads in Google Cloud. This page describes key differences in Cloud NGFW support for RoCE VPC networks.

Specifications

The following firewall specifications apply to RoCE VPC networks:

Supported firewall rules and policies: RoCE VPC networks only support firewall rules in regional network firewall policies. They don't support global network firewall policies, hierarchical firewall policies, or VPC firewall rules.
Region and policy type: to use a regional network firewall policy with an RoCE VPC network, you must create the policy with the following attributes:
- The region of the firewall policy must contain the zone used by the RoCE network profile of the RoCE VPC network.
- You must set the firewall policy type of the firewall policy to RDMA_ROCE_POLICY.
Consequently, a regional network firewall policy can only be used by RoCE VPC networks in a particular region. A regional network firewall policy can't be used by both RoCE VPC networks and regular VPC networks.
RoCE firewall policy is stateless: RoCE firewall policy processes each packet as an independent unit and doesn't keep track of ongoing connections. Therefore, to ensure two virtual machines (VMs) can communicate, you must create an allow ingress rule in both directions.

Implied firewall rules

RoCE VPC networks use the following implied firewall rules, which are different from the implied firewall rules used by regular VPC networks:

Implied allow egress
Implied allow ingress

An RoCE VPC network without any rules in an associated regional network firewall policy allows all egress and ingress traffic. These implied firewall rules don't support Firewall Rules Logging.

Rule specifications

Rules in a regional network firewall policy with the policy type RDMA_ROCE_POLICY must meet the following requirements:

Ingress direction only: the rule's direction must be ingress. You can't create egress firewall rules in a regional network firewall policy whose policy type is RDMA_ROCE_POLICY.
Target parameter: target secure tags are supported, but target service accounts are not.
Source parameter: only two of the following source parameter values are supported:
- Source IP address ranges (src-ip-ranges) are supported, but the only valid value is 0.0.0.0/0.
- Source secure tags (src-secure-tags) are fully supported. Using secure tags is the suggested way to segment workloads that are in the same RoCE VPC network.
Source secure tags and source IP address ranges are mutually exclusive. For example, if you create a rule with src-ip-ranges=0.0.0.0/0, then you can't use source secure tags (src-secure-tags). Other source parameters that are part of Cloud NGFW Standard—source address groups, source domain names, source geolocations, source Google Threat Intelligence lists—aren't supported.

Note: Target secure tags and source secure tags apply to the virtual machine (VM) network interfaces that send packets. For more information, see Specifications.
Action parameter: both allow and deny actions are supported, with the following constraints:
- An ingress rule with src-ip-ranges=0.0.0.0/0 can use either the ALLOW or DENY action.
- An ingress rule with a source secure tag can only use the ALLOW action.
Protocol and port parameters: the only supported protocol is all (--layer4-configs=all). Rules that apply to specific protocols or ports aren't allowed.

Monitoring and logging

Firewall Rules Logging is supported with the following constraints:

Logs for ingress allow firewall rules are published once per tunnel establishment and provide 2-tuple packet information.
Logs for ingress deny firewall rules are published as sampled packets and provide 5-tuple packet information. Logs are published at a maximum rate of once every 5 seconds, and all firewall logs are limited to 4,000 packets per 5 seconds.

Unsupported features

The following features are unsupported:

Configure RoCE VPC networks

To create firewall rules for an RoCE VPC network, use these guidelines and resources:

The rules in a regional network firewall policy that an RoCE VPC network uses depend on target and source secure tags. Therefore, ensure that you are familiar with create and manage secure tags and bind secure tags to VM instances.
To create RoCE VPC networks and regional network firewall policies for RoCE VPC networks, see Create and manage firewall rules for RoCE VPC networks.
To control ingress traffic and segment your workloads when you create ingress rules in a regional network firewall policy, use the following steps:
- Create an ingress deny firewall rule that specifies src-ip-ranges=0.0.0.0/0 and applies to all VMs in the RoCE VPC network.
- Create higher-priority ingress allow firewall rules that specify target secure tags and source secure tags.
To determine which firewall rules apply to a VM network interface or to view firewall rule logs, see Get effective firewall rules for a VM interface and Use Firewall Rules Logging.