Cloud Next Generation Firewall (Cloud NGFW) regional network firewall policies can be used by Virtual Private Cloud (VPC) networks that have an associated Remote Direct Memory Access (RDMA) over Converged Ethernet (RoCE) network profile. RoCE VPC networks are VPC networks that are created with an RDMA RoCE network profile.
RoCE VPC networks enable zonal workloads for high performance computing, including AI workloads in Google Cloud. This page describes key differences in Cloud NGFW support for RoCE VPC networks.
Specifications
The following firewall specifications apply to RoCE VPC networks:
Supported firewall rules and policies: RoCE VPC networks only support firewall rules in regional network firewall policies. They don't support global network firewall policies, hierarchical firewall policies, or VPC firewall rules.
Region and policy type: to use a regional network firewall policy with an RoCE VPC network, you must create the policy with the following attributes:
- The region of the firewall policy must contain the zone used by the RoCE network profile of the RoCE VPC network.
- You must set the firewall policy type of the firewall policy to RDMA_ROCE_POLICY.
Consequently, a regional network firewall policy with the RDMA_ROCE_POLICY type can only be used by RoCE VPC networks in that region, and a regional network firewall policy can't be used by both RoCE VPC networks and regular VPC networks.
RoCE firewall policy is stateless: a RoCE firewall policy processes each packet as an independent unit and doesn't keep track of ongoing connections, so a reply packet is not admitted just because the request was. Therefore, to ensure that two virtual machines (VMs) can communicate, you must create an ingress allow rule for each direction of the exchange: one that admits packets from the first VM to the second, and one that admits packets from the second VM to the first.
Implied firewall rules
RoCE VPC networks use the following implied firewall rules, which are different from the implied firewall rules used by regular VPC networks:
- Implied allow egress
- Implied allow ingress
An RoCE VPC network without any rules in an associated regional network firewall policy allows all egress and ingress traffic. These implied firewall rules don't support Firewall Rules Logging.
Rule specifications
Rules in a regional network firewall policy with the policy type RDMA_ROCE_POLICY must meet the following requirements:
Ingress direction only: the rule's direction must be ingress. You can't create egress firewall rules in a regional network firewall policy whose policy type is RDMA_ROCE_POLICY.
Target parameter: target secure tags are supported, but target service accounts are not.
Source parameter: only the following two source parameters are supported:
- Source IP address ranges (src-ip-ranges) are supported, but the only valid value is 0.0.0.0/0.
- Source secure tags (src-secure-tags) are fully supported. Using secure tags is the recommended way to segment workloads that are in the same RoCE VPC network.
Source secure tags and source IP address ranges are mutually exclusive. For example, if you create a rule with src-ip-ranges=0.0.0.0/0, then you can't also use source secure tags (src-secure-tags) in that rule. Other source parameters that are part of Cloud NGFW Standard (source address groups, source domain names, source geolocations, and source Google Threat Intelligence lists) aren't supported.
Action parameter: both allow and deny actions are supported, with the following constraints:
- An ingress rule with src-ip-ranges=0.0.0.0/0 can use either the ALLOW or the DENY action.
- An ingress rule with a source secure tag can only use the ALLOW action.
Protocol and port parameters: the only supported protocol setting is all (--layer4-configs=all). Rules that apply to specific protocols or ports aren't allowed.
Monitoring and logging
Firewall Rules Logging is supported with the following constraints:
Logs for ingress allow firewall rules are published once per tunnel establishment and provide 2-tuple packet information.
Logs for ingress deny firewall rules are published as sampled packets and provide 5-tuple packet information. Logs are published at a maximum rate of once every 5 seconds, and all firewall logs are limited to 4,000 packets per 5 seconds.
Unsupported features
The following features are unsupported:
Configure RoCE VPC networks
To create firewall rules for an RoCE VPC network, use these guidelines and resources:
The rules in a regional network firewall policy that an RoCE VPC network uses depend on target and source secure tags. Therefore, ensure that you are familiar with creating and managing secure tags and with binding secure tags to VM instances.
To create RoCE VPC networks and regional network firewall policies for RoCE VPC networks, see Create and manage firewall rules for RoCE VPC networks.
To control ingress traffic and segment your workloads when you create ingress rules in a regional network firewall policy, use the following steps:
- Create an ingress deny firewall rule that specifies src-ip-ranges=0.0.0.0/0 and applies to all VMs in the RoCE VPC network.
- Create higher-priority (lower priority number) ingress allow firewall rules that specify target secure tags and source secure tags. Because the policy is stateless, create a matching allow rule for each direction in which the tagged workloads need to exchange packets.
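As an added example (not code from the Cloud NGFW documentation or from Google), the following Python script applies the rule specifications from the Rule specifications section and the stateless both-directions requirement as a pre-flight check on a proposed rule set, then renders the gcloud commands for the deny-all-then-allow-by-tag layout described in the steps above. The Rule fields mirror the gcloud flags this page names (src-ip-ranges, src-secure-tags, target-secure-tags, layer4-configs); the policy name, region and tagValues/... identifiers are constructed placeholders, and the exact gcloud flag spellings are an assumption to confirm against your installed SDK.

```python
"""Pre-flight checks for rules bound for an RDMA_ROCE_POLICY regional network
firewall policy, plus a renderer for the matching gcloud commands.
Added example, not code from the Cloud NGFW documentation: rule fields are
named after the gcloud flags this page mentions; policy, region and tag
values are constructed placeholders."""
from dataclasses import dataclass, field

ROCE_SRC_RANGE = "0.0.0.0/0"   # the only src-ip-ranges value a RoCE rule accepts


@dataclass
class Rule:
    priority: int                 # lower number = higher precedence
    action: str                   # "allow" or "deny"
    direction: str = "INGRESS"
    src_ip_ranges: list = field(default_factory=list)
    src_secure_tags: list = field(default_factory=list)
    target_secure_tags: list = field(default_factory=list)
    target_service_accounts: list = field(default_factory=list)
    layer4_configs: list = field(default_factory=lambda: ["all"])


def check_rule(rule):
    """Return the RDMA_ROCE_POLICY constraints this single rule violates."""
    problems = []
    if rule.direction.upper() != "INGRESS":
        problems.append("direction must be INGRESS; egress rules are not allowed")
    if rule.action.lower() not in ("allow", "deny"):
        problems.append(f"unsupported action {rule.action!r}")
    if rule.target_service_accounts:
        problems.append("target service accounts are not supported; use target secure tags")
    if rule.src_ip_ranges and rule.src_secure_tags:
        problems.append("src-ip-ranges and src-secure-tags are mutually exclusive")
    elif not rule.src_ip_ranges and not rule.src_secure_tags:
        problems.append("rule needs src-ip-ranges=0.0.0.0/0 or src-secure-tags")
    if rule.src_ip_ranges and rule.src_ip_ranges != [ROCE_SRC_RANGE]:
        problems.append(f"the only valid src-ip-ranges value is {ROCE_SRC_RANGE}")
    if rule.src_secure_tags and rule.action.lower() != "allow":
        problems.append("a rule with source secure tags can only use the allow action")
    if [c.lower() for c in rule.layer4_configs] != ["all"]:
        problems.append("layer4-configs must be exactly 'all'; no protocol or port filtering")
    return problems


def check_policy(rules):
    """Policy-wide checks: each rule's constraints, the stateless 'allow both
    directions' requirement, and the deny-all-then-allow-by-tag layout."""
    problems = {}
    for r in rules:
        if (p := check_rule(r)):
            problems[f"rule {r.priority}"] = p
    # Stateless policy: a tag-to-tag allow needs its mirror image or replies drop.
    allows = [r for r in rules if r.action.lower() == "allow" and r.src_secure_tags]
    pairs = {(s, t) for r in allows for s in r.src_secure_tags for t in r.target_secure_tags}
    for s, t in sorted(pairs):
        if (t, s) not in pairs:
            problems.setdefault("stateless", []).append(
                f"allow {s} -> {t} has no matching allow {t} -> {s}; replies will be dropped")
    # The catch-all deny (all VMs, 0.0.0.0/0) must carry a higher priority number
    # than every tag allow, otherwise it shadows them.
    denies = [r for r in rules if r.action.lower() == "deny"
              and r.src_ip_ranges == [ROCE_SRC_RANGE] and not r.target_secure_tags]
    if not denies:
        problems.setdefault("layout", []).append("no ingress deny src-ip-ranges=0.0.0.0/0 catch-all")
    else:
        floor = min(d.priority for d in denies)
        for r in allows:
            if r.priority >= floor:
                problems.setdefault("layout", []).append(
                    f"allow rule {r.priority} is shadowed by deny rule {floor}")
    return problems


def to_gcloud(rule, policy, region):
    """Render the gcloud command for one rule. Flag names follow the
    network-firewall-policies rules create syntax; confirm them in your SDK."""
    cmd = ["gcloud compute network-firewall-policies rules create", str(rule.priority),
           f"--firewall-policy={policy}", f"--firewall-policy-region={region}",
           f"--direction={rule.direction.upper()}", f"--action={rule.action.lower()}",
           "--layer4-configs=all"]
    if rule.src_ip_ranges:
        cmd.append("--src-ip-ranges=" + ",".join(rule.src_ip_ranges))
    if rule.src_secure_tags:
        cmd.append("--src-secure-tags=" + ",".join(rule.src_secure_tags))
    if rule.target_secure_tags:
        cmd.append("--target-secure-tags=" + ",".join(rule.target_secure_tags))
    return " ".join(cmd)


# Constructed sample: two secure tag values and the deny-all-then-allow layout.
TRAINING = "tagValues/111111111111"
STORAGE = "tagValues/222222222222"
SAMPLE_RULES = [
    Rule(priority=1000, action="allow", src_secure_tags=[TRAINING], target_secure_tags=[STORAGE]),
    Rule(priority=1001, action="allow", src_secure_tags=[STORAGE], target_secure_tags=[TRAINING]),
    Rule(priority=65000, action="deny", src_ip_ranges=[ROCE_SRC_RANGE]),
]

if __name__ == "__main__":
    for key, msgs in check_policy(SAMPLE_RULES).items():
        print(key, msgs)
    for r in SAMPLE_RULES:
        print(to_gcloud(r, "roce-policy", "us-central1"))
```

Run the checks before issuing any rules create command; a clean result for the sample set means every rule is ingress-only with a valid source, tag-based allows come in mirrored pairs, and the 0.0.0.0/0 deny sits below them. The script does not create the policy itself, which must already exist in the right region with the RDMA_ROCE_POLICY policy type.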
To determine which firewall rules apply to a VM network interface or to view firewall rule logs, see Get effective firewall rules for a VM interface and Use Firewall Rules Logging.