Filtering web traffic is easy with Cloud Firewall, a cloud-first NGFW with advanced threat protection. How easy? A single policy allows or denies traffic to a domain name, and it can be targeted as fine-grained as network tags or service accounts.
Looking for more examples? Check out the GitHub repository.
Allowing egress to xebia.com
The following policy allows all hosts to access xebia.com:
resource "google_compute_network_firewall_policy_rule" "allow_xebia" {
  project         = var.project_id
  firewall_policy = google_compute_network_firewall_policy.example.name
  priority        = 10000
  action          = "allow"
  direction       = "EGRESS"
  match {
    layer4_configs {
      ip_protocol = "tcp"
    }
    dest_fqdns = ["xebia.com"]
  }
}
Allowing egress to xebia.com for selected service account
The following policy allows service account my-service to access xebia.com:
resource "google_compute_network_firewall_policy_rule" "allow_xebia" {
  project                 = var.project_id
  firewall_policy         = google_compute_network_firewall_policy.example.name
  priority                = 10000
  action                  = "allow"
  direction               = "EGRESS"
  target_service_accounts = ["my-service@${var.project_id}.iam.gserviceaccount.com"]
  match {
    layer4_configs {
      ip_protocol = "tcp"
    }
    dest_fqdns = ["xebia.com"]
  }
}
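An allow rule on its own does not restrict anything, because a VPC network's implied rules already allow all egress. The rules above only take effect when the policy is attached to the network and a lower-priority rule denies everything else. The following is an added example, not code from the original post; it assumes the `google_compute_network_firewall_policy.example` and `var.project_id` names used above, plus a `google_compute_network.example` network resource of your own.

```hcl
# The policy that the allow rules above belong to.
resource "google_compute_network_firewall_policy" "example" {
  project = var.project_id
  name    = "egress-filter"
}

# Attach the policy to the VPC; without this association
# none of the rules are evaluated. (google_compute_network.example
# is assumed to be declared elsewhere in your configuration.)
resource "google_compute_network_firewall_policy_association" "example" {
  project           = var.project_id
  name              = "egress-filter-association"
  attachment_target = google_compute_network.example.id
  firewall_policy   = google_compute_network_firewall_policy.example.name
}

# Default deny for all egress. A higher number means a lower priority,
# so the FQDN allow rules at 10000 are evaluated first; everything they
# do not match falls through to this rule and is blocked.
resource "google_compute_network_firewall_policy_rule" "deny_all_egress" {
  project         = var.project_id
  firewall_policy = google_compute_network_firewall_policy.example.name
  priority        = 20000
  action          = "deny"
  direction       = "EGRESS"
  description     = "Block egress not explicitly allowed by a higher-priority rule"

  # Log denied connections so blocked destinations show up in
  # Cloud Logging, which is what you want for detection and for
  # finding legitimate destinations that still need an allow rule.
  enable_logging = true

  match {
    layer4_configs {
      ip_protocol = "all"
    }
    dest_ip_ranges = ["0.0.0.0/0"]
  }
}
```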
Discussion
This is too easy, what’s the catch? Not much, to be frank. The feature set and pricing are reasonable. First, you can’t filter on URL paths, only on domain names, but you can also use it to filter internal traffic. Finally, a fee of 0.018 USD/GB is incurred, which resembles regular inter-region networking fees. If this is too much, consider a public/private network design to reduce the traffic filtered by the firewall.
Conclusion
Cloud Firewall makes it easy to filter web traffic. Simple policies suffice to control traffic at a fine-grained scale.