Migrate VPC firewall rules that don't use network tags and service accounts

If your Virtual Private Cloud (VPC) firewall rules don't use any network tags or service accounts, perform the following tasks to migrate the VPC firewall rules to a global network firewall policy:

  1. Assess your environment.
  2. Migrate the VPC firewall rules.
  3. Review the new global network firewall policy.
  4. Complete the postmigration tasks.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  3. Make sure that billing is enabled for your Google Cloud project.
  4. Enable the Compute Engine API.
  5. Install the Google Cloud CLI.
  6. To initialize the gcloud CLI, run the following command:

    gcloud init

  7. Make sure that you have the Compute Security Admin role (roles/compute.securityAdmin).

Assess your environment

  1. Identify the number of existing VPC firewall rules in your network.
  2. Make a note of the priorities associated with each VPC firewall rule.
  3. Make sure that you have the required Identity and Access Management (IAM) roles and permissions to create, associate, modify, and view global network firewall policies.
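The following script is an added example written for this page, not part of the Google Cloud documentation or tooling. It does the first two assessment steps from the command line: it lists the rules of one network with their priorities, flags any rule that still references a network tag or service account (such rules are outside the scope of this migration path), and reports priorities shared by more than one rule, which is worth knowing because rules inside a firewall policy need unique priorities. The network name my-vpc is a placeholder; the SAMPLE_RULES data is constructed and is used unless the script is run with --live, in which case the gcloud query in list_rules supplies the same CSV shape.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: inventory the VPC
# firewall rules of one network, flag rules that reference network tags or
# service accounts (this migration path does not cover them), and note
# priorities shared by more than one rule.

NETWORK_NAME="${NETWORK_NAME:-my-vpc}"   # assumed placeholder network name

# One CSV line per rule: name, priority, then the four tag/service-account
# fields, each list joined with ';' so every column stays a single field.
list_rules() {
  gcloud compute firewall-rules list \
    --filter="network:${NETWORK_NAME}" \
    --format="csv[no-heading](name,priority,targetTags.list(separator=';'),targetServiceAccounts.list(separator=';'),sourceTags.list(separator=';'),sourceServiceAccounts.list(separator=';'))"
}

# Read that CSV on stdin and print a summary. A rule with any tag or service
# account field set needs the other migration guide; a priority used by more
# than one rule is reported because policy rules need unique priorities.
assess_rules() {
  awk -F',' '
    NF >= 6 {
      total++
      count[$2]++
      if ($3 != "" || $4 != "" || $5 != "" || $6 != "") {
        flagged++
        printf "USES_TAG_OR_SA %s\n", $1
      }
    }
    END {
      printf "RULES %d\n", total + 0
      printf "FLAGGED %d\n", flagged + 0
      for (p in count) if (count[p] > 1) printf "SHARED_PRIORITY %s\n", p
    }'
}

# Constructed sample in the same CSV shape, used when no live project is
# available (run the script with --live to query gcloud instead).
SAMPLE_RULES='allow-ssh-admin,1000,,,,
allow-internal,1000,,,,
allow-web-tagged,500,web,,,
allow-db,800,,db-sa@example-project.iam.gserviceaccount.com,,
deny-all-egress,65534,,,,'

if [ "${1:-}" = "--live" ]; then
  list_rules | assess_rules
else
  printf '%s\n' "$SAMPLE_RULES" | assess_rules
fi
```

On the constructed sample the summary reports five rules, two of which (the tagged web rule and the service-account-scoped database rule) must be handled by the tag-and-service-account migration guide instead, and priority 1000 as shared by two rules. Keep the printed priorities: the review step after migration compares relative order against them.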

Migrate the VPC firewall rules

After assessing your environment, migrate your VPC firewall rules to a global network firewall policy by using the compute firewall-rules migrate command.

gcloud beta compute firewall-rules migrate \
    --source-network=NETWORK_NAME \
    --target-firewall-policy=POLICY_NAME

Replace the following:

  • NETWORK_NAME: the name of your VPC network containing the VPC firewall rules that you want to migrate.
  • POLICY_NAME: the name of the global network firewall policy to create during migration.

Exclude firewall rules from migration

To exclude specific firewall rules from migration, use the gcloud beta compute firewall-rules migrate command with the --exclusion-patterns-file flag:

gcloud beta compute firewall-rules migrate \
    --source-network=NETWORK_NAME \
    --target-firewall-policy=POLICY_NAME \
    --exclusion-patterns-file=EXCLUSION_PATTERNS_FILE

Replace the following:

  • NETWORK_NAME: the name of your VPC network that contains the VPC firewall rules that you want to migrate.
  • POLICY_NAME: the name of the global network firewall policy to create during migration.
  • EXCLUSION_PATTERNS_FILE: the name of the file that contains regular expressions that define VPC firewall naming patterns to exclude from migration. Make sure to specify the full path of the file. Firewall rules that match the specified patterns are skipped.

    When defining the exclusion patterns, consider the following:

    • Each regular expression must be on its own line and represent a single firewall naming pattern.
    • The regular expressions don't contain any leading or trailing whitespaces.

View excluded firewall rules

Based on the excluded firewall rule naming patterns, the migration tool doesn't migrate some firewall rules, such as Google Kubernetes Engine (GKE) firewall rules. To export the list of excluded firewall rule naming patterns, use the gcloud beta compute firewall-rules migrate command with the --export-exclusion-patterns and the --exclusion-patterns-file flags.

gcloud beta compute firewall-rules migrate \
    --source-network=NETWORK_NAME \
    --target-firewall-policy=POLICY_NAME \
    --exclusion-patterns-file=EXCLUSION_PATTERNS_FILE \
    --export-exclusion-patterns

Replace the following:

  • NETWORK_NAME: the name of your VPC network that contains the VPC firewall rules that you want to migrate.
  • POLICY_NAME: the name of the global network firewall policy to create during migration.
  • EXCLUSION_PATTERNS_FILE: the path of the file where the following excluded firewall rule naming patterns are exported.

    gke-(.+)-ipv6-all
    gke-(.+)-(.+)-((master)|(vms)|(all)|(inkubelet)|(exkubelet)|(mcsd))
    k8s-fw-(l7-)?(.+)
    k8s-(.+)-((node)|(http)|(node-http))-hc
    (.+)-hc
    k8s2-(.+)-(.+)-(.+)-(.+)(-fw)?
    k8s2-(.+)-l4-shared-hc-fw
    gke((gw)|(mcg))1-l7-(.+)-(.+)
    

To migrate excluded firewall rules that match a specific pattern, remove the pattern from the exported list and run the gcloud beta compute firewall-rules migrate command with the --exclusion-patterns-file flag.

Force migration while preserving evaluation order

During migration, if an excluded firewall rule's evaluation order falls between the evaluation orders of user-specified firewall rules, the migration fails. This happens because the excluded firewall rules are not migrated, and the migration tool cannot preserve the original evaluation order of user-defined rules in the new network firewall policy.

For example, if your firewall rules have the following priorities, the migration fails.

  • A user-specified rule with priority 100
  • An excluded rule with priority 200
  • A user-specified rule with priority 300

To force the migration tool to migrate the user-specified rules while preserving their original evaluation order and ignoring excluded firewall rules, use the gcloud beta compute firewall-rules migrate command with the --force flag.

gcloud beta compute firewall-rules migrate \
    --source-network=NETWORK_NAME \
    --target-firewall-policy=POLICY_NAME \
    --force

Replace the following:

  • NETWORK_NAME: the name of your VPC network that contains the VPC firewall rules that you want to migrate.
  • POLICY_NAME: the name of the global network firewall policy to create during migration.
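The following script is an added example for the two preceding sections (exclusion patterns and forced migration); it is not part of the Google Cloud documentation or the migration tool. It lints an exclusion-patterns file against the formatting rules given above, shows which rules of a constructed inventory the patterns would skip, and then walks the rules in priority order to detect the case the tool rejects without --force: a skipped rule whose priority lies between the priorities of rules that are migrated. The RULES inventory is constructed data in the shape of gcloud compute firewall-rules list --format="value(name,priority)"; the patterns file holds two of the patterns exported by the tool. It is an assumption of this example that a pattern excludes a rule only when it matches the whole rule name, which grep -E -x models.

```shell
#!/bin/sh
# Added example, not from the documentation: apply an exclusion-patterns file
# to a rule inventory, lint the file, and detect the ordering case that makes
# the migration fail without --force.

# Constructed inventory, "name priority" per line, in the shape produced by
#   gcloud compute firewall-rules list --filter="network:NETWORK_NAME" \
#       --format="value(name,priority)"
RULES='allow-ssh 100
gke-prod-abc123-all 200
allow-internal 300
backend-hc 400
deny-egress 65000'

# Constructed patterns file holding two of the patterns exported by the tool.
PATTERNS_FILE="${TMPDIR:-/tmp}/exclusion-patterns.$$"
cat > "$PATTERNS_FILE" <<'EOF'
gke-(.+)-(.+)-((master)|(vms)|(all)|(inkubelet)|(exkubelet)|(mcsd))
(.+)-hc
EOF
trap 'rm -f "$PATTERNS_FILE"' EXIT

# One pattern per line, no blank lines, no leading or trailing whitespace.
lint_patterns() {
  if grep -n -E '^[[:space:]]|[[:space:]]$|^$' "$PATTERNS_FILE"; then
    echo "BAD_PATTERN_LINES"
    return 1
  fi
  echo "PATTERNS_OK"
}

# Assumption: a pattern excludes a rule only when it matches the whole name,
# modelled with grep -E -x. Prints "EXCLUDED name prio" or "KEPT name prio".
classify_rules() {
  printf '%s\n' "$RULES" | while read -r name prio; do
    if printf '%s\n' "$name" | grep -E -x -q -f "$PATTERNS_FILE"; then
      echo "EXCLUDED $name $prio"
    else
      echo "KEPT $name $prio"
    fi
  done
}

# Walk the rules in evaluation order (ascending priority value). A KEPT rule
# that follows an EXCLUDED rule that itself followed a KEPT rule means the
# excluded rule sits between migrated rules: exit 1, the --force case.
check_order() {
  classify_rules | sort -k3,3n | awk '
    $1 == "KEPT" {
      if (excluded_after_kept) interleaved = 1
      kept_seen = 1
    }
    $1 == "EXCLUDED" && kept_seen { excluded_after_kept = 1 }
    END {
      if (interleaved) { print "INTERLEAVED"; exit 1 }
      print "ORDER_OK"
    }'
}

lint_patterns
classify_rules
check_order || echo "Migration needs --force, or a narrower patterns file"
```

On the constructed data the GKE rule at priority 200 is excluded and sits between the kept rules at 100 and 300, so check_order reports INTERLEAVED. The run also shows why the exported list deserves review before use: the pattern (.+)-hc matches any name ending in -hc, so the constructed backend-hc rule is skipped even though it is not a GKE rule. If a rule like that must be migrated, remove the pattern from the file as described above rather than relying on --force, which keeps the user-specified order but still leaves the excluded rule behind.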

Review the new global network firewall policy

Before you attach the new global network firewall policy to a VPC network, Google recommends that you review the policy to help ensure that the migration process has completed accurately.

Verify the firewall policy rules configuration, and check if the following rule components are properly migrated for each rule:

  • Relative priority
  • Direction of traffic
  • Action on match
  • Log settings
  • Target parameters
  • Source parameters (for ingress rules)
  • Destination parameters (for egress rules)
  • Protocol and port constraints

For more information about the components of a firewall policy rule, see Firewall policy rules.

Postmigration tasks

To activate and use your global network firewall policy, you must complete the postmigration tasks covered in the following sections.

Associate the global network firewall policy with your network

The migration tool creates the global network firewall policy based on the existing VPC firewall rules. You must manually associate the policy with the required VPC network to activate the policy rules for any VMs within that network. To associate the global network firewall policy, use the compute network-firewall-policies associations create command.

gcloud compute network-firewall-policies associations create \
    --firewall-policy=POLICY_NAME \
    --network=NETWORK_NAME \
    --global-firewall-policy \
    --replace-association-on-target

Replace the following:

  • POLICY_NAME: the name of the global network policy that you want to associate with your VPC network.
  • NETWORK_NAME: the name of your VPC network.

For more information about associating a global network firewall policy to a VPC network, see Associate a policy with the network.

Change the policy and rule evaluation order

By default, Cloud Next Generation Firewall evaluates the VPC firewall rules before it evaluates a global network firewall policy. To make sure that global network firewall policies take precedence over VPC firewall rules, use the compute networks update command to change the rule evaluation order.

gcloud compute networks update NETWORK_NAME \
    --network-firewall-policy-enforcement-order=BEFORE_CLASSIC_FIREWALL

Replace NETWORK_NAME with the name of your VPC network.

To verify whether the global network firewall policy is evaluated before the VPC firewall rules, use the compute networks get-effective-firewalls command.

gcloud compute networks get-effective-firewalls NETWORK_NAME

In the output of the preceding command, if TYPE: network-firewall-policy is displayed before TYPE: network-firewall, then the global network firewall policy is evaluated first.

For more information about the changing policy and rule evaluation order, see Change policy and rule evaluation order.

Enable logging of firewall rules

Logging helps you to determine whether a firewall rule is functioning as intended. The migration tool retains the logging status of the existing VPC firewall rules when it creates the new global network firewall policy. Make sure that logging is enabled for the rules inside the global network firewall policy. To enable logging for firewall policy rules, use the compute network-firewall-policies rules update command.

gcloud compute network-firewall-policies rules update PRIORITY \
    --firewall-policy=POLICY_NAME \
    --enable-logging \
    --global-firewall-policy

Replace the following:

  • PRIORITY: the priority of the rule to be updated.
  • POLICY_NAME: the name of the global network firewall policy whose rule you want to update.

Test your global network firewall policy

Before deleting your VPC firewall rules, test your global network firewall policy to check whether the policy rules are working according to your expectations for any traffic that matches the rules.

Do the following:

  1. Ensure that you have enabled logging on VPC firewall rules and the global network firewall policy.
  2. Change the rule evaluation order, so that the global network firewall policy is evaluated before your VPC firewall rules.
  3. Monitor the logs to verify that the global network firewall policy has hit counts and the VPC firewall rules are shadowed.

Delete the VPC firewall rules from your network

Google recommends that you disable the VPC firewall rules first before entirely deleting them. You can revert to those rules if the global network firewall policy created by the migration tool fails to provide the expected results.

To disable a VPC firewall rule, use the compute firewall-rules update command.

gcloud compute firewall-rules update RULE_NAME --disabled

Replace RULE_NAME with the name of the VPC firewall rule to be disabled.

To delete a VPC firewall rule, use the compute firewall-rules delete command.

gcloud compute firewall-rules delete RULE_NAME
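The following script is an added example, not part of the Google Cloud documentation. It turns the disable-first recommendation into a repeatable procedure: it disables every VPC firewall rule in a network in one pass, records each rule name only after its update succeeded, and can re-enable exactly those rules (rollback) or delete them once the policy has been verified. The network name my-vpc and the STATE_FILE location are placeholders, and with DRY_RUN=1 (the default here) the script prints the gcloud commands instead of running them, using a constructed rule list in place of the gcloud query.

```shell
#!/bin/sh
# Added example, not from the documentation: disable every VPC firewall rule
# in a network while recording what was changed, so the rules can be
# re-enabled if the migrated policy does not behave as expected. With
# DRY_RUN=1 (the default here) the gcloud commands are printed, not executed.

NETWORK_NAME="${NETWORK_NAME:-my-vpc}"                        # assumed placeholder
STATE_FILE="${STATE_FILE:-${TMPDIR:-/tmp}/disabled-rules.$$}" # rollback record
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# Names of the VPC firewall rules in the network that are not yet disabled.
# In dry-run mode a constructed list stands in for the gcloud query.
enabled_rules() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' allow-ssh allow-internal deny-egress
  else
    gcloud compute firewall-rules list \
      --filter="network:${NETWORK_NAME}" \
      --format="value(name,disabled)" | awk '$2 != "True" { print $1 }'
  fi
}

# Disable each rule and append its name to STATE_FILE only after the update
# succeeds, so the record never lists a rule that is still enabled.
disable_all() {
  : > "$STATE_FILE"
  enabled_rules | while read -r rule; do
    if run gcloud compute firewall-rules update "$rule" --disabled; then
      echo "$rule" >> "$STATE_FILE"
    fi
  done
  echo "recorded $(wc -l < "$STATE_FILE" | tr -d ' ') disabled rules in $STATE_FILE"
}

# Re-enable exactly the rules recorded by disable_all.
rollback() {
  while read -r rule; do
    run gcloud compute firewall-rules update "$rule" --no-disabled
  done < "$STATE_FILE"
}

# Delete the recorded rules; run this only after the policy has been
# verified against real traffic.
delete_recorded() {
  while read -r rule; do
    run gcloud compute firewall-rules delete "$rule" --quiet
  done < "$STATE_FILE"
}

disable_all
rollback
```

Run it with DRY_RUN=0 to apply the changes; keep STATE_FILE until the policy has been confirmed with the logging and shadowing checks above, because it is the only record of which rules to restore or, later, to delete.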

What's next