
How To Configure FQDN Firewall Rules In Google Cloud

23 Feb, 2024

Filtering web traffic is easy with Cloud Firewall, a cloud-first NGFW with advanced threat protection. How easy? A single policy rule allows or denies traffic to a domain name, and it can be scoped as narrowly as individual tags or service accounts.

Looking for more examples? Check out the GitHub repository.

Allowing egress to xebia.com

The following policy allows all hosts to access xebia.com:

resource "google_compute_network_firewall_policy_rule" "allow_xebia" {
  project         = var.project_id
  firewall_policy = google_compute_network_firewall_policy.example.name
  priority        = 10000

  action    = "allow"
  direction = "EGRESS"

  match {
    layer4_configs {
      ip_protocol = "tcp"
    }

    # FQDN object: Cloud NGFW resolves the name and matches on the resulting addresses
    dest_fqdns = ["xebia.com"]
  }
}

Allowing egress to xebia.com for selected service account

The following policy allows service account my-service to access xebia.com:

resource "google_compute_network_firewall_policy_rule" "allow_xebia" {
  project         = var.project_id
  firewall_policy = google_compute_network_firewall_policy.example.name
  priority        = 10000

  action    = "allow"
  direction = "EGRESS"

  # Only traffic sent by instances running as this service account matches the rule
  target_service_accounts = ["my-service@${var.project_id}.iam.gserviceaccount.com"]

  match {
    layer4_configs {
      ip_protocol = "tcp"
    }

    dest_fqdns = ["xebia.com"]
  }
}
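An allow rule only restricts anything once a lower-priority deny sits beneath it. The following Terraform is an added example, not code from the original post or its GitHub repository: it creates the policy, attaches it to a VPC, allows HTTPS egress to xebia.com with logging enabled, and denies all other egress. The network resource google_compute_network.example, the policy and association names, and var.project_id are assumptions.

```terraform
# Added example (not from the original post): default-deny egress with an FQDN allow list.
# Assumed: var.project_id and an existing google_compute_network.example.

resource "google_compute_network_firewall_policy" "example" {
  project = var.project_id
  name    = "egress-fqdn-policy"
}

# A policy has no effect until it is associated with a VPC network.
resource "google_compute_network_firewall_policy_association" "example" {
  project           = var.project_id
  name              = "egress-fqdn-policy-assoc"
  attachment_target = google_compute_network.example.id
  firewall_policy   = google_compute_network_firewall_policy.example.name
}

# Lower number = higher priority, so this allow is evaluated before the deny below.
resource "google_compute_network_firewall_policy_rule" "allow_xebia" {
  project         = var.project_id
  firewall_policy = google_compute_network_firewall_policy.example.name
  priority        = 10000
  action          = "allow"
  direction       = "EGRESS"
  enable_logging  = true # matched flows are written to Cloud Logging for review

  match {
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["443"] # narrow to HTTPS rather than every TCP port
    }
    # Cloud NGFW resolves the name through Cloud DNS; keep instances on the
    # VPC's default resolver so both sides agree on the addresses.
    dest_fqdns = ["xebia.com"]
  }
}

# Catch-all deny: with this in place, the allow above is the only way out.
resource "google_compute_network_firewall_policy_rule" "deny_all_egress" {
  project         = var.project_id
  firewall_policy = google_compute_network_firewall_policy.example.name
  priority        = 65000
  action          = "deny"
  direction       = "EGRESS"
  enable_logging  = true # blocked attempts are the signal worth alerting on

  match {
    layer4_configs {
      ip_protocol = "all"
    }
    dest_ip_ranges = ["0.0.0.0/0"]
  }
}
```

Scope the allow rule with target_service_accounts, as in the previous section, when only specific workloads should reach the domain.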

Discussion

This is too easy, what's the catch? Not much, to be frank. The feature set and pricing are reasonable. You can't filter on URL paths, only on domain names, but you can also use it to filter internal traffic. Finally, a fee of 0.018 USD/GB is incurred, which is comparable to regular inter-region networking fees. If this is too much, consider a public/private network design to reduce the volume of traffic that passes through the firewall.

Conclusion

Cloud Firewall makes it easy to filter web traffic. Simple policies suffice to control traffic at a fine-grained scale.

Image by StockSnap from Pixabay

Laurens Knoll
As a cloud consultant I enjoy taking software engineering practices to the cloud. Continuously improving the customers systems, tools and processes by focusing on integration and quality.