GCPSecurityadvanced

GCP Network Security Guide

Comprehensive guide to GCP network security covering hierarchical firewall policies, Cloud NGFW Enterprise, Cloud IDS, Packet Mirroring, VPC Flow Logs, and IAP for zero-trust access.

CloudToolStack Team24 min readPublished Mar 14, 2026

Prerequisites

Solid understanding of GCP VPC networking
Familiarity with firewall concepts and TCP/IP
GCP organization setup for hierarchical policies

Introduction to GCP Network Security

Network security on Google Cloud involves multiple layers of defense, from VPC firewall rules at the instance level to hierarchical firewall policies at the organization level, Cloud Next Generation Firewall (NGFW) for advanced threat detection, Intrusion Detection System (IDS) for network monitoring, and Packet Mirroring for deep packet analysis. A well-architected GCP network security posture uses all of these layers together to implement defense in depth.

GCP's network security model differs from traditional on-premises firewalls in important ways. Instead of perimeter-based security where a single firewall sits between your network and the internet, GCP uses a distributed, software-defined approach where firewall rules are enforced at every VM. This means there is no single chokepoint that can become a bottleneck, and rules are evaluated before traffic ever reaches your VMs.

This guide covers the complete network security stack from basic VPC firewall rules through organization-wide hierarchical policies, Cloud NGFW Enterprise for layer 7 inspection, Cloud IDS for threat detection, and Packet Mirroring for forensic analysis. Each section includes real gcloud commands and Terraform configurations you can adapt for your environment.

Network Security Layers

GCP evaluates firewall rules in a specific order: hierarchical firewall policies (organization and folder level) are evaluated first, then VPC firewall rules, then VPC firewall policies. A "deny" at any level blocks the traffic regardless of lower-level rules. Understanding this evaluation order is critical for troubleshooting connectivity issues.

VPC Firewall Rules

VPC firewall rules are the foundational network security control in GCP. They are stateful, meaning if you allow inbound traffic, the response traffic is automatically allowed. Rules are evaluated per-VM and enforced before traffic reaches the VM's network interface. Every VPC has two implied rules: deny all ingress and allow all egress. You customize access by creating explicit allow or deny rules with priorities.

Firewall Rule Components

Component	Description	Options
Direction	Ingress (inbound) or Egress (outbound)	INGRESS, EGRESS
Priority	0-65535, lower number = higher priority	Default: 1000
Action	Allow or deny matching traffic	allow, deny
Target	Which VMs the rule applies to	All, tags, service accounts
Source/Dest	IP ranges, tags, or service accounts	CIDR ranges, network tags
Protocol/Port	Which traffic matches	tcp:80, udp:53, icmp, all

bash

# List existing firewall rules
gcloud compute firewall-rules list \
  --format="table(name,network,direction,priority,sourceRanges.list():label=SRC_RANGES,allowed[].map().firewall_rule().list():label=ALLOW)"

# Create a rule allowing SSH from a specific IP
gcloud compute firewall-rules create allow-ssh-admin \
  --network=default \
  --direction=INGRESS \
  --priority=1000 \
  --action=ALLOW \
  --rules=tcp:22 \
  --source-ranges=203.0.113.50/32 \
  --target-tags=ssh-allowed \
  --description="Allow SSH from admin IP only"

# Create a rule allowing HTTP/HTTPS from anywhere
gcloud compute firewall-rules create allow-web-traffic \
  --network=default \
  --direction=INGRESS \
  --priority=1000 \
  --action=ALLOW \
  --rules=tcp:80,tcp:443 \
  --source-ranges=0.0.0.0/0 \
  --target-tags=web-server

# Create a deny rule with higher priority (blocks specific IPs)
gcloud compute firewall-rules create deny-known-bad-ips \
  --network=default \
  --direction=INGRESS \
  --priority=500 \
  --action=DENY \
  --rules=all \
  --source-ranges=192.0.2.0/24,198.51.100.0/24 \
  --description="Block known malicious IP ranges"

# Create an egress deny rule (restrict outbound traffic)
gcloud compute firewall-rules create deny-egress-risky-ports \
  --network=default \
  --direction=EGRESS \
  --priority=900 \
  --action=DENY \
  --rules=tcp:25,tcp:445,tcp:1433,tcp:3389 \
  --destination-ranges=0.0.0.0/0 \
  --description="Block outbound SMTP, SMB, MSSQL, RDP"

# Enable firewall rule logging for audit
gcloud compute firewall-rules update allow-ssh-admin \
  --enable-logging \
  --logging-metadata=INCLUDE_ALL_METADATA

Use Service Accounts Over Network Tags

Network tags are mutable and any user with instance admin permissions can change them, potentially bypassing firewall rules. For production environments, use service account based targeting instead. Service account identity is managed through IAM and cannot be changed by users who only have compute admin permissions. This provides a stronger security boundary.

Hierarchical Firewall Policies

Hierarchical firewall policies let organization and folder administrators define firewall rules that are enforced across all VPC networks in the organization or folder. This is essential for implementing organization-wide security baselines like blocking certain ports, allowing centralized monitoring systems, or enforcing compliance requirements that individual project owners cannot override.

bash

# Create an organization-level firewall policy
gcloud compute firewall-policies create \
  --organization=123456789 \
  --short-name=org-security-baseline \
  --description="Organization security baseline rules"

# Add a rule to block all SSH from the internet (org-wide)
gcloud compute firewall-policies rules create 100 \
  --firewall-policy=org-security-baseline \
  --organization=123456789 \
  --direction=INGRESS \
  --action=deny \
  --layer4-configs=tcp:22 \
  --src-ip-ranges=0.0.0.0/0 \
  --description="Block SSH from internet org-wide"

# Add a rule to allow SSH only from corporate VPN
gcloud compute firewall-policies rules create 200 \
  --firewall-policy=org-security-baseline \
  --organization=123456789 \
  --direction=INGRESS \
  --action=allow \
  --layer4-configs=tcp:22 \
  --src-ip-ranges=10.0.0.0/8,172.16.0.0/12 \
  --description="Allow SSH from internal networks only"

# Add a goto-next rule to delegate to VPC-level rules for HTTP
gcloud compute firewall-policies rules create 300 \
  --firewall-policy=org-security-baseline \
  --organization=123456789 \
  --direction=INGRESS \
  --action=goto_next \
  --layer4-configs=tcp:80,tcp:443 \
  --src-ip-ranges=0.0.0.0/0 \
  --description="Delegate HTTP/HTTPS to VPC rules"

# Associate the policy with the organization
gcloud compute firewall-policies associations create \
  --firewall-policy=org-security-baseline \
  --organization=123456789

# List all rules in a policy
gcloud compute firewall-policies rules list \
  --firewall-policy=org-security-baseline \
  --organization=123456789

Hierarchical Policy Evaluation Order

Priority	Layer	Action Options	Scope
1st	Organization firewall policy	Allow, Deny, Go to next	All projects in org
2nd	Folder firewall policy	Allow, Deny, Go to next	All projects in folder
3rd	VPC firewall policy	Allow, Deny, Go to next	Specific VPC network
4th	VPC firewall rules	Allow, Deny	Specific VPC network
5th	Implied rules	Deny ingress, Allow egress	Every VPC

Cloud NGFW (Next Generation Firewall)

Cloud NGFW Enterprise provides layer 7 (application layer) inspection capabilities beyond what traditional firewall rules offer. It can detect and block threats using intrusion prevention signatures, TLS inspection for encrypted traffic, and fully qualified domain name (FQDN) filtering. Cloud NGFW Enterprise is powered by Palo Alto Networks technology integrated directly into the GCP network fabric.

bash

# Create a Cloud NGFW security profile group
gcloud network-security security-profile-groups create my-ngfw-profile \
  --location=global \
  --threat-prevention-profile=\
organizations/123456789/locations/global/securityProfiles/default-threat-prevention \
  --description="NGFW profile with threat prevention"

# Create a firewall policy rule with L7 inspection
gcloud compute network-firewall-policies rules create 100 \
  --firewall-policy=my-vpc-policy \
  --global-firewall-policy \
  --direction=INGRESS \
  --action=apply_security_profile_group \
  --security-profile-group=\
organizations/123456789/locations/global/securityProfileGroups/my-ngfw-profile \
  --layer4-configs=tcp:80,tcp:443 \
  --src-ip-ranges=0.0.0.0/0 \
  --description="Inspect inbound web traffic for threats"

# Create a TLS inspection policy
gcloud network-security tls-inspection-policies create my-tls-policy \
  --location=us-central1 \
  --ca-pool=projects/MY_PROJECT/locations/us-central1/caPools/my-ca-pool \
  --description="TLS inspection for outbound traffic"

# Create FQDN-based egress rules
gcloud compute network-firewall-policies rules create 200 \
  --firewall-policy=my-vpc-policy \
  --global-firewall-policy \
  --direction=EGRESS \
  --action=allow \
  --dest-fqdns="*.googleapis.com","*.gcr.io","*.pkg.dev" \
  --layer4-configs=tcp:443 \
  --description="Allow HTTPS to Google APIs only"

Cloud NGFW Pricing

Cloud NGFW Enterprise is priced per endpoint at approximately $1.75/hr ($1,277/month) plus $0.018/GB of inspected traffic. This is significantly cheaper than deploying third-party virtual firewall appliances (which also require VM compute costs). For most organizations, deploy NGFW endpoints only in zones where you need layer 7 inspection, not in every zone.

Cloud IDS (Intrusion Detection System)

Cloud IDS provides network-based threat detection by analyzing mirrored traffic for known vulnerabilities, malware, spyware, and command-and-control attacks. It uses Palo Alto Networks' threat detection engine to identify threats based on thousands of built-in signatures that are updated automatically. Cloud IDS detects but does not block threats; it generates alerts that you can act on through Cloud Logging, Security Command Center, or automated response workflows.

bash

# Enable the Cloud IDS API
gcloud services enable ids.googleapis.com

# Create a Cloud IDS endpoint
gcloud ids endpoints create my-ids-endpoint \
  --location=us-central1-a \
  --network=my-vpc \
  --severity=INFORMATIONAL \
  --description="IDS endpoint for production VPC"

# Wait for endpoint creation (can take 10-20 minutes)
gcloud ids endpoints describe my-ids-endpoint \
  --location=us-central1-a \
  --format="value(state)"

# Get the endpoint forwarding rule
gcloud ids endpoints describe my-ids-endpoint \
  --location=us-central1-a \
  --format="value(endpointForwardingRule)"

# Create a Packet Mirroring policy to send traffic to IDS
gcloud compute packet-mirrorings create ids-mirror-policy \
  --region=us-central1 \
  --network=my-vpc \
  --collector-ilb=ENDPOINT_FORWARDING_RULE \
  --mirrored-subnets=my-subnet \
  --filter-cidr-ranges=0.0.0.0/0 \
  --filter-protocols=tcp,udp

# View IDS threat logs
gcloud logging read \
  'resource.type="ids.googleapis.com/Endpoint"
   jsonPayload.alert_severity="CRITICAL"' \
  --limit=20 \
  --format="table(timestamp,jsonPayload.name,jsonPayload.alert_severity,jsonPayload.category)"

# List all IDS endpoints
gcloud ids endpoints list --location=us-central1-a

Packet Mirroring for Deep Analysis

Packet Mirroring creates a copy of network traffic and sends it to a collector for inspection. Unlike Cloud IDS which uses a managed collector, Packet Mirroring lets you send traffic to your own analysis tools like Zeek, Suricata, Wireshark, or any network monitoring appliance running on a Compute Engine instance or behind an internal load balancer.

bash

# Create an internal load balancer as the collector
gcloud compute forwarding-rules create mirror-collector-ilb \
  --region=us-central1 \
  --load-balancing-scheme=INTERNAL \
  --network=my-vpc \
  --subnet=my-subnet \
  --backend-service=mirror-collector-backend \
  --ports=ALL \
  --is-mirroring-collector

# Create a packet mirroring policy
gcloud compute packet-mirrorings create security-mirror \
  --region=us-central1 \
  --network=my-vpc \
  --collector-ilb=mirror-collector-ilb \
  --mirrored-subnets=production-subnet \
  --filter-cidr-ranges=0.0.0.0/0 \
  --filter-protocols=tcp \
  --filter-direction=BOTH \
  --description="Mirror all TCP traffic from production subnet"

# Mirror traffic from specific instances only
gcloud compute packet-mirrorings create targeted-mirror \
  --region=us-central1 \
  --network=my-vpc \
  --collector-ilb=mirror-collector-ilb \
  --mirrored-tags=needs-inspection \
  --filter-cidr-ranges=10.0.0.0/8 \
  --filter-protocols=tcp:443 \
  --description="Mirror HTTPS traffic from tagged instances"

# List packet mirroring policies
gcloud compute packet-mirrorings list --region=us-central1

# Disable mirroring (stop traffic copy)
gcloud compute packet-mirrorings update security-mirror \
  --region=us-central1 \
  --no-enable

Security Best Practices

Recommended Firewall Rule Strategy

Layer	Purpose	Example Rules
Organization policy	Block universally dangerous traffic	Deny SSH/RDP from 0.0.0.0/0, block SMTP egress
Folder policy	Environment-specific baselines	Prod: strict egress, Dev: more permissive
VPC firewall policy	Network-specific defaults	Allow health checks, allow IAP for SSH
VPC firewall rules	Application-specific access	Allow port 8080 from load balancer subnets

bash

# Use IAP (Identity-Aware Proxy) for SSH instead of opening port 22
gcloud compute firewall-rules create allow-iap-ssh \
  --network=my-vpc \
  --direction=INGRESS \
  --action=ALLOW \
  --rules=tcp:22 \
  --source-ranges=35.235.240.0/20 \
  --target-tags=iap-ssh \
  --description="Allow SSH via IAP tunnel only"

# Connect to a VM through IAP (no public IP needed)
gcloud compute ssh my-instance --tunnel-through-iap

# Enable VPC Flow Logs for network forensics
gcloud compute networks subnets update my-subnet \
  --region=us-central1 \
  --enable-flow-logs \
  --logging-aggregation-interval=INTERVAL_5_SEC \
  --logging-flow-sampling=1.0 \
  --logging-metadata=INCLUDE_ALL_METADATA

# Query flow logs for suspicious activity
gcloud logging read \
  'resource.type="gce_subnetwork"
   jsonPayload.connection.dest_port=22
   jsonPayload.reporter="DEST"' \
  --limit=50 \
  --format="table(timestamp,jsonPayload.connection.src_ip,jsonPayload.connection.dest_ip,jsonPayload.bytes_sent)"

# Export firewall rules for audit
gcloud compute firewall-rules list \
  --format="json" > firewall-rules-audit.json

Zero Trust with BeyondCorp Enterprise

For a zero-trust security model, combine network security controls with BeyondCorp Enterprise. BeyondCorp uses Identity-Aware Proxy (IAP) to verify user identity and device posture before granting access to applications, eliminating the need for VPN. Users connect through IAP regardless of their network location, and access decisions are based on identity, device health, and context rather than network perimeter.

Cleanup

bash

# Delete firewall rules
gcloud compute firewall-rules delete allow-ssh-admin allow-web-traffic \
  deny-known-bad-ips deny-egress-risky-ports allow-iap-ssh --quiet

# Delete packet mirroring policies
gcloud compute packet-mirrorings delete security-mirror \
  --region=us-central1 --quiet

# Delete IDS endpoints
gcloud ids endpoints delete my-ids-endpoint \
  --location=us-central1-a --quiet

# Delete hierarchical firewall policy associations
gcloud compute firewall-policies associations delete \
  --firewall-policy=org-security-baseline \
  --organization=123456789

# Delete hierarchical firewall policy
gcloud compute firewall-policies delete org-security-baseline \
  --organization=123456789

GCP VPC Network Design Security Command Center Guide GCP Networking Deep Dive

Key Takeaways

1Hierarchical firewall policies enforce organization-wide security baselines that project owners cannot override.
2Cloud NGFW Enterprise provides layer 7 inspection with intrusion prevention at $1.75/hr per endpoint.
3Use service account targeting instead of network tags for stronger firewall rule enforcement.
4Cloud IDS detects threats by analyzing mirrored traffic against thousands of Palo Alto Networks signatures.
5IAP enables zero-trust SSH and RDP access without opening inbound ports or managing VPN infrastructure.
6Firewall rules are evaluated in order: organization policy, folder policy, VPC policy, VPC rules, implied rules.

Frequently Asked Questions

What is the difference between VPC firewall rules and hierarchical policies?

VPC firewall rules are project-scoped and managed by project owners. Hierarchical firewall policies are organization or folder-scoped and managed by central security teams. Hierarchical policies are evaluated first and can deny or allow traffic before VPC rules are checked, making them ideal for organization-wide security baselines.

How much does Cloud NGFW Enterprise cost?

Cloud NGFW Enterprise costs approximately $1.75/hr per endpoint ($1,277/month) plus $0.018/GB of inspected traffic. You deploy endpoints per zone, so a deployment across 3 zones costs about $3,831/month before data processing. This is cheaper than deploying third-party virtual firewall appliances which also require VM costs.

Should I use Cloud IDS or Cloud NGFW?

They serve different purposes. Cloud IDS is detection-only: it monitors mirrored traffic and generates alerts but does not block threats. Cloud NGFW is prevention: it actively blocks threats in-line. Use IDS for monitoring and forensics, and NGFW for active protection. Many organizations deploy both for defense in depth.

Written by CloudToolStack Team

Cloud engineers and architects with hands-on experience across AWS, Azure, and GCP. We write guides based on real-world production patterns, not just documentation rewrites.

Disclaimer: This guide is for educational purposes. Cloud services change frequently; always refer to official documentation for the latest information. AWS, Azure, and GCP are trademarks of their respective owners.