You can attach one global network firewall policy and multiple regional network
firewall policies to a Virtual Private Cloud (VPC) network. A global network
firewall policy applies to all subnetworks in all regions of the VPC
network. A regional network firewall policy applies to only the subnetworks
of the VPC network in the target region.
Figure 1 describes the scope of a global network firewall policy
and a regional network firewall policy in a VPC network.
Figure 1. Scope of global and regional network firewall policies.
Example: Deny all external connections except to specific ports
In this use case, a global network firewall policy blocks all connections from
external internet sources except for connections on destination ports 80,
443, and 22. An ingress internet connection on ports other than 80,
443, or 22 is blocked. The rules enforcement is delegated to the regional
network firewall policy for any connections on ports 80, 443, or 22.
In this example, a regional network firewall policy applies to region-a, which
allows internal traffic from source 10.2.0.0/16 and ingress traffic to ports
443 and 80 from any source. Figure 2 describes the
configuration setup for this use case.
Figure 2. Deny all external connections except to specific destination ports.
Effective policy applied in VMs
This section describes the effective network firewall policy applicable in this
example after evaluating the rules across the hierarchy.
Ingress connections
Any ingress connections from 10.0.0.0/8 match the highest priority global
network firewall policy rule delegate-internal-traffic and bypass the rest
of the rules in the global network firewall policy. In the regional network
firewall policy rule, ingress connections from 10.2.0.0/16 are allowed, and
the rest of the connections are evaluated against the implied ingress deny
rule.
Ingress connections with a source IP range other than 10.0.0.0/8, and
destination ports 22, 80, and 443, are delegated to the regional network
firewall policy rule level. In the regional network firewall policy rule,
ports 80 and 443 are allowed, but port 22 is not.
Egress connection
There is no match across the global network firewall policy rules. Therefore,
the implicit system rules apply, which allows egress connections.
How to configure
Create a global network firewall policy that contains the following rule:
gcloud compute network-firewall-policies create \
"example-firewall-policy-global" --global \
--description "Global network firewall policy with rules that apply to all VMs in the VPC network"
gcloud compute network-firewall-policies create \
example-firewall-policy-regional --region=region-a \
--description "Regional network firewall policy with rules that apply to all VMs in region-a"
Associate the regional network firewall policy with a VPC network
to activate the policy rules for any VMs within that network within a specific region:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eGlobal network firewall policies apply to all subnetworks in all regions of a VPC network, while regional network firewall policies apply only to subnetworks in the target region.\u003c/p\u003e\n"],["\u003cp\u003eA global network firewall policy can block all connections from external internet sources except for specified ports, delegating control of those ports to regional policies.\u003c/p\u003e\n"],["\u003cp\u003eIngress connections from specific IP ranges can be delegated by global network firewall policy rules, while connections from other sources can be directed to regional policy evaluation based on destination ports.\u003c/p\u003e\n"],["\u003cp\u003eEgress connections are allowed by default if no matching rules are found in the global network firewall policy, which implies that the implicit system rules are applied.\u003c/p\u003e\n"],["\u003cp\u003eThe provided example demonstrates how to create and associate both global and regional network firewall policies, including rules to manage ingress traffic, delegate connections, and block unwanted external connections.\u003c/p\u003e\n"]]],[],null,["# Global and regional network firewall policy examples\n\nThis page shows examples of global network firewall policy and regional network\nfirewall policy implementations. It assumes that you are familiar with the\nconcepts described in [Global network firewall policies](/firewall/docs/network-firewall-policies)\nand [Regional network firewall policies](/firewall/docs/regional-firewall-policies).\n\nYou can attach one global network firewall policy and multiple regional network\nfirewall policies to a Virtual Private Cloud (VPC) network. A global network\nfirewall policy applies to all subnetworks in all regions of the VPC\nnetwork. A regional network firewall policy applies to only the subnetworks\nof the VPC network in the target region.\n\nFigure 1 describes the scope of a global network firewall policy\nand a regional network firewall policy in a VPC network.\n[](/static/firewall/images/firewall-policies/network-firewall-policy-scope.svg) **Figure 1.** Scope of global and regional network firewall policies.\n\nExample: Deny all external connections except to specific ports\n---------------------------------------------------------------\n\nIn this use case, a global network firewall policy blocks all connections from\nexternal internet sources except for connections on destination ports `80`,\n`443`, and `22`. An ingress internet connection on ports other than `80`,\n`443`, or `22` is blocked. The rules enforcement is delegated to the regional\nnetwork firewall policy for any connections on ports `80`, `443`, or `22`.\n\nIn this example, a regional network firewall policy applies to `region-a`, which\nallows internal traffic from source `10.2.0.0/16` and ingress traffic to ports\n`443` and `80` from any source. Figure 2 describes the\nconfiguration setup for this use case.\n[](/static/firewall/images/firewall-policies/network-firewall-policy-example-01.svg) **Figure 2.** Deny all external connections except to specific destination ports.\n\n### Effective policy applied in VMs\n\nThis section describes the effective network firewall policy applicable in this\nexample after evaluating the rules across the hierarchy.\n\n**Ingress connections**\n\n- Any ingress connections from `10.0.0.0/8` match the highest priority global\n network firewall policy rule `delegate-internal-traffic` and bypass the rest\n of the rules in the global network firewall policy. In the regional network\n firewall policy rule, ingress connections from `10.2.0.0/16` are allowed, and\n the rest of the connections are evaluated against the implied ingress `deny`\n rule.\n\n- Ingress connections with a source IP range other than `10.0.0.0/8`, and\n destination ports `22`, `80`, and `443`, are delegated to the regional network\n firewall policy rule level. In the regional network firewall policy rule,\n ports `80` and `443` are allowed, but port `22` is not.\n\n**Egress connection**\n\n- There is no match across the global network firewall policy rules. Therefore, the implicit system rules apply, which allows egress connections.\n\n### How to configure\n\n1. Create a global network firewall policy that contains the following rule:\n\n ```\n gcloud compute network-firewall-policies create \\\n \"example-firewall-policy-global\" --global \\\n --description \"Global network firewall policy with rules that apply to all VMs in the VPC network\"\n ```\n2. Associate the policy with the VPC network:\n\n ```\n gcloud compute network-firewall-policies associations create \\\n --firewall-policy example-firewall-policy-global \\\n --network my-example-vpc \\\n --global-firewall-policy\n ```\n3. Add a rule to match any ingress connections from `10.0.0.0/8`:\n\n ```\n gcloud compute network-firewall-policies rules create 1000 \\\n --action goto_next \\\n --description \"delegate-internal-traffic\" \\\n --layer4-configs all \\\n --firewall-policy example-firewall-policy-global \\\n --src-ip-ranges 10.0.0.0/8 \\\n --global-firewall-policy\n ```\n4. Add a rule to delegate external traffic from specific ports:\n\n ```\n gcloud compute network-firewall-policies rules create 2000 \\\n --action goto_next \\\n --description \"delegate-external-traffic-spec-ports\" \\\n --layer4-configs tcp:80,tcp:443,tcp:22 \\\n --firewall-policy example-firewall-policy-global \\\n --src-ip-ranges 0.0.0.0/0 \\\n --global-firewall-policy\n ```\n5. Add a rule to block all remaining ingress traffic:\n\n ```\n gcloud compute network-firewall-policies rules create 3000 \\\n --action deny \\\n --description \"block-external-traffic-spec-ports\" \\\n --firewall-policy example-firewall-policy-global \\\n --src-ip-ranges 0.0.0.0/0 \\\n --layer4-configs all \\\n --global-firewall-policy\n ```\n6. Create a regional network firewall policy:\n\n ```\n gcloud compute network-firewall-policies create \\\n example-firewall-policy-regional --region=region-a \\\n --description \"Regional network firewall policy with rules that apply to all VMs in region-a\"\n ```\n7. Associate the regional network firewall policy with a VPC network\n to activate the policy rules for any VMs within that network within a specific region:\n\n ```\n gcloud compute network-firewall-policies associations create \\\n --firewall-policy example-firewall-policy-regional \\\n --network my-example-vpc \\\n --firewall-policy-region=region-a \n ```\n8. Add a rule to allow internal traffic for the regional network firewall policy:\n\n ```\n gcloud compute network-firewall-policies rules create 1000 \\\n --action allow \\\n --firewall-policy example-firewall-policy-regional \\\n --description allow-internal-traffic \\\n --direction INGRESS \\\n --src-ip-ranges 10.2.0.0/16 \\\n --layer4-configs all \\\n --firewall-policy-region=region-a \n ```\n9. Add a rule to allow external traffic from specific ports:\n\n ```\n gcloud compute network-firewall-policies rules create 2000 \\\n --action allow \\\n --firewall-policy example-firewall-policy-regional \\\n --description allow-external-traffic-spec-ports \\\n --direction INGRESS \\\n --layer4-configs=tcp:80,tcp:443 \\\n --src-ip-ranges 0.0.0.0/0 \\\n --firewall-policy-region=region-a\n ```\n\nWhat's next\n-----------\n\n- To create and modify global network firewall policies and rules, see\n [Use global network firewall policies and rules](/firewall/docs/use-network-firewall-policies).\n\n- To create and modify regional network firewall policies and rules, see\n [Use regional network firewall policies and rules](/firewall/docs/use-network-firewall-policies)."]]