Tags for firewalls

Stay organized with collections Save and categorize content based on your preferences.

Cloud Next Generation Firewall policy rules use tags to define sources and targets. These tags provide granular control over network traffic based on workload attributes, rather than IP addresses.

Cloud NGFW supports two types of firewall tags in firewall rule definition:

• Identity and Access Management (IAM)-governed Tags also referred to as secure tags for firewall policies
• Classic tags also referred to as network tag for Virtual Private Cloud (VPC) firewall rules

Types of tags

In this section learn about the types of tags that are supported by Cloud NGFW.

• IAM-governed Tags (secure tags) in firewall policies are created and managed in the Resource Manager as a key-value pair. For more information, see Tags overview. Tags in firewall policy rules are assigned with a purpose that is --purpose=GCE_FIREWALL, which allows them to be used as part of firewall policy rule definition. Tags are supported by both the global and regional network firewall policies but not by the hierarchical firewall policies and VPC firewall rules.
• Classic tags (network tags) are different from the Tags that are created in Resource Manager. Network tags are character strings added to a tags field in a resource, such as Compute Engine virtual machine (VM) instances or instance templates with no access control. You can choose to assign any value of your choice to the tag field on any VM you own. Network tags can only be used with VPC firewall rules, and are not supported in global or regional network firewall policies or hierarchical firewall policies. For more information about network tags, see Add network tags.

For more information about the differences between Tags and network tags and what products support each one, see Comparison of Tags and network tags.

This page describes how to use IAM-governed Tags (secure tags) in firewall policies.

Specifications

Tags have the following specifications:

• Parent resource: Tags are resources created within an organization or project resource. When you create a Tag to use in a network firewall policy, you choose which Virtual Private Cloud (VPC) network to associate the Tag with.
  • The VPC networks must belong to a project within an organization. If you do not have an organization, see the organization onboarding guide.
• Structure and format: Tags are resources that contain two components: a key and one or more values.
  • You can create a maximum of 1,000 Tag keys in an organization or a project.
  • Each Tag key can have a maximum of 1,000 Tag values.
• Access control: Identity and Access Management (IAM) policies determine which IAM principals can create and use Tags. IAM principals with the Tag Administrator role can create Tag definitions. Along with other necessary IAM permissions, granting a principal the Tag User role lets that user use the Tag when they create VMs and apply network firewall policy rules that use the Tag. Granting the Tag User role lets you delegate the assignment of network firewall policies for VMs to application developers, database administrators, or operational teams. For more information about the required permissions, see IAM roles.
• Binding to VMs: Each Tag can be attached to an unlimited number of VM instances. You can attach a maximum of 10 Tags per network interface (NIC) of a VM. For example:
  • If a VM has a single NIC, you can attach up to 10 Tags. Each Tag must be associated with the same VPC network used by the VM's single NIC.
  • If a VM has two NICs, you can attach up to 10 Tags associated with the VPC network used by nic0 and up to 10 Tags associated with the VPC network used by nic1.
• Firewall support: Only network firewall policies, including regional firewall policies, support Tags. Neither hierarchical firewall policies nor VPC firewall rules support Tags.
  • VPC firewall rules support network tags. For details, see Comparison of Tags and network tags.
• VPC Network Peering support: Ingress rules in a network firewall policy can identify sources in both the same VPC network and peered VPC networks.
  • Service providers who publish services using private services access can let their customers control which of their VM instances are allowed to access a service offered by the provider.
• Tags, targets, and sources: Tags use the VM's network interface as an identity of the sender or recipient:
  • For ingress and egress rules in network firewall policies, you can use the --target-secure-tags parameter to specify the VM instances to which the rule applies. For ingress rules, the target defines the destination; for egress rules, the target defines the source. For more information, see Targets.
  • For ingress rules in network firewall policies, you can use Tags to specify sources with the --src-secure-tags parameter. To learn more about Tags in source parameters of ingress rules, see How source secure tags imply packet sources.

Example

To represent the different functions of VM instances in a network, a Tag administrator can create a Tag with a vm-function key and a list of possible values like database, app-client, and app-server. The Tag administrator can choose any name for either the Tag key and its values.

For more details about creating and using Tags, see Creating and managing tags.

Comparison of Tags and network tags

The following table summarizes the differences between Tags and network tags.

Attribute	Tags	Network tags
Parent resource	Organization or project	Project
Structure and format	Key with up to 1,000 values	Simple string
Access control	Using IAM	No access controls
Instance binding	All network interfaces	All network interfaces
Supported by hierarchical firewall policies
Supported by network firewall policies
Supported by VPC firewall rules
VPC Network Peering	When used to specify a source for an ingress rule in a network firewall policy, a Tag can identify sources in both the VPC network to which the Tag is scoped and any peer VPC networks connected to the VPC network to which the Tag is scoped. When used to specify a target for an ingress or egress rule in a network firewall policy, a Tag can only identify targets in the VPC network to which the Tag is scoped.	When used to specify a source for an ingress VPC firewall rule, a network tag only identifies sources within the VPC network specified in the VPC firewall rule. When used to specify a target for an ingress or egress VPC firewall rule, a network tag only identifies targets within the VPC network specified in the VPC firewall rule.

IAM roles

To create and manage Tag keys and Tag values, you need the Tag Administrator role or a custom role with equivalent permissions. For more information, see Administer tags.

To manage Tags on a VM, you need both of the following:

• Permissions to use the specific Tag
• Permissions to manage the Tag on a specific VM

Task	Permission	Role
Use a Tag	The following permissions for the specific Tag: resourcemanager.tagValueBindings.create resourcemanager.tagValueBindings.delete	Grant the Tag User role on the specific Tag.
Manage a Tag on a VM	The following permissions for the specific VM: compute.instances.createTagBinding compute.instances.deleteTagBinding	Grant one of the following roles on the specific VM. Many roles include the required permissions, including the following: Tag User Compute Instance Admin (v1) Compute Admin

For more information about permissions for Tags, see Manage Tags on resources. For more information about which roles include specific IAM permissions, see IAM permissions reference.

What's next

• To grant permissions to Tags and create Tag keys and values, see Use Tags for firewalls.