Google Cloud Networking Guide

Google Cloud firewall rules explained for real access control

Firewall rules are one of the most important security controls in Google Cloud networking. They decide whether traffic is allowed or denied as it enters or leaves VM instances, and they work together with VPC design, subnets, routes, load balancers, Cloud NAT, and hybrid connectivity.

Understanding firewall rules is critical because many network problems that look like routing or subnet issues are actually firewall problems. Once you understand direction, action, priority, targets, sources, destinations, protocols, and logging, Google Cloud traffic behavior becomes much easier to reason about. ([docs.cloud.google.com](https://docs.cloud.google.com/firewall/docs/firewalls?utm_source=chatgpt.com))

Back to GCP Hub Open VPC page Open Routes page Start learning

Core concept Firewall rules allow or deny traffic to and from VM instances.

Main factors Direction, action, priority, source or destination, target, protocol, and port.

Key challenge Knowing which rule wins when multiple rules could match.

Best for Cloud engineers, security teams, DevOps teams, and network learners.

What are Google Cloud firewall rules

Google Cloud firewall rules are VPC-level controls that specify whether traffic is allowed or denied based on attributes such as direction, action, priority, source or destination, target, protocol, and port. These rules apply to traffic for VM instances, including workloads behind services that ultimately depend on VM networking behavior. ([docs.cloud.google.com](https://docs.cloud.google.com/firewall/docs/firewalls?utm_source=chatgpt.com))

Security control at the VPC level

Firewall rules are attached to the VPC network model rather than to a single subnet object. That makes them powerful, but it also means teams need to be deliberate about targets and scope.

Rule-based allow or deny logic

A rule can explicitly allow or deny traffic. When multiple rules could apply, Google Cloud evaluates them according to documented priority behavior. ([docs.cloud.google.com](https://docs.cloud.google.com/firewall/docs/firewalls?utm_source=chatgpt.com))

Essential for real troubleshooting

Firewall issues are among the most common reasons workloads cannot reach each other, the internet, or hybrid destinations.

Simple mental model: routes decide the path, but firewall rules decide whether traffic on that path is permitted.

How Google Cloud firewall rules work

Google Cloud evaluates firewall rules by direction and then applies the highest-priority matching rule. Lower numeric priority values have higher precedence. Rules are stateful, which means that allowed connections are tracked so return traffic for those connections is automatically permitted. ([docs.cloud.google.com](https://docs.cloud.google.com/firewall/docs/firewalls?utm_source=chatgpt.com))

Direction matters

Firewall rules are either ingress or egress. Ingress controls incoming traffic to targeted instances, while egress controls outgoing traffic from them.

Priority decides rule precedence

When more than one rule could match, Google Cloud uses priority to determine which rule is evaluated as the effective decision. Lower number means higher priority. ([docs.cloud.google.com](https://docs.cloud.google.com/firewall/docs/firewalls?utm_source=chatgpt.com))

Targets narrow the rule scope

Rules can target all instances in a network or more specific groups by service account or network tag, depending on your design. ([docs.cloud.google.com](https://docs.cloud.google.com/firewall/docs/firewalls?utm_source=chatgpt.com))

Sources and destinations shape match logic

Ingress rules match source ranges or source tags and service accounts, while egress rules use destinations and outbound criteria.

Protocols and ports refine access

Rules can allow or deny traffic for protocols such as TCP, UDP, ICMP, and specific ports or port ranges.

Stateful behavior reduces complexity

Because the firewall is stateful, teams do not have to create separate return-path rules for every allowed connection pattern. ([docs.cloud.google.com](https://docs.cloud.google.com/firewall/docs/firewalls?utm_source=chatgpt.com))

Firewall decision flow

Traffic arrives or leaves

→

Matching rules checked

→

Highest-priority match wins

→

Allow or deny applied

Ingress and egress in Google Cloud

Understanding direction is one of the fastest ways to avoid firewall confusion. Many troubleshooting delays happen because teams think a traffic problem is inbound when it is actually outbound, or vice versa.

Ingress rules

Ingress rules control traffic entering targeted VM instances. Typical examples include allowing HTTPS from the internet, SSH from admin networks, or app-to-database communication from a trusted subnet range.

Egress rules

Egress rules control outbound traffic from targeted VM instances. Typical examples include permitting updates to external package repositories, allowing API calls to partner endpoints, or restricting outbound traffic to approved destinations.

Direction	What it controls	Common example
Ingress	Traffic entering targeted VM instances	Allow HTTPS from internet users to web servers
Egress	Traffic leaving targeted VM instances	Allow app servers to reach external APIs or repositories

Practical rule of thumb: when diagnosing traffic, decide first whether the problem is inbound to the target or outbound from the source. That immediately narrows which rules matter.

Priority, targets, and match scope

A firewall rule is not just allow or deny. The most useful and most misunderstood parts are usually the rule priority and the target definition.

Priority is decisive

In Google Cloud, lower numeric values mean higher priority. If an allow rule has lower priority value than a deny rule, the allow rule can win for matching traffic. ([docs.cloud.google.com](https://docs.cloud.google.com/firewall/docs/firewalls?utm_source=chatgpt.com))

Targets define who the rule applies to

A rule can apply broadly or only to instances with selected network tags or service accounts. This is how teams make rules precise instead of exposing everything in a network.

Source and destination ranges matter

Even a correctly targeted rule might not match the intended traffic if source or destination ranges are too broad, too narrow, or simply wrong.

Common mistake: teams often think a rule exists so traffic should work, but the actual issue is that the rule’s target, source range, or priority does not match the traffic they are testing.

Firewall logging, hierarchical policies, and network firewall policies

Premium Google Cloud security design goes beyond simple VPC firewall rules. Logging and policy layers become important in larger, more governed environments.

Firewall Rules Logging

Firewall Rules Logging helps teams see whether firewall rules allow or deny traffic, which is extremely useful during troubleshooting and audits. ([docs.cloud.google.com](https://docs.cloud.google.com/firewall/docs/firewalls?utm_source=chatgpt.com))

Hierarchical firewall policies

Hierarchical firewall policies let organizations define firewall controls above the individual VPC level so policies can apply across folders and projects. ([docs.cloud.google.com](https://docs.cloud.google.com/firewall/docs/hierarchical-firewall-policies?utm_source=chatgpt.com))

Network firewall policies

Network firewall policies provide another way to manage reusable and more centrally governed firewall logic across environments. ([docs.cloud.google.com](https://docs.cloud.google.com/firewall/docs/network-firewall-policies?utm_source=chatgpt.com))

Operational maturity step: basic environments use individual VPC firewall rules, but larger organizations usually need logging, reusable policy structure, and organization-level control.

Real traffic flow examples

Firewall rules make much more sense when you connect them to actual application and operations scenarios.

Internet users to web app

A public load balancer and backend VM pattern still depends on the correct ingress access model to allow expected web traffic and deny unwanted traffic.

App tier to database tier

Database servers usually should not be open broadly. A precise ingress rule from the app tier or app service account is safer than wide subnet exposure.

Private VM to internet repositories

Even with Cloud NAT configured, outbound firewall policy can still block package updates or API calls if the egress rule model is too restrictive.

Hybrid admin access

Administrative access from on-premises networks through VPN or Interconnect depends on both routing and correct ingress rule matching.

Restricted east-west communication

Internal workloads often need carefully limited east-west traffic rules so only trusted services can talk to each other.

Partner or API egress control

Some organizations use outbound firewall control to limit which external destinations sensitive workloads are allowed to reach.

Example flow: app to database

App VM

→

Route path exists

→

Firewall ingress match checked

→

Database VM allowed or denied

Google Cloud firewall rules vs AWS and Azure

Comparison helps engineers who already know another cloud platform and also improves discoverability for multi-cloud search.

Feature	Google Cloud	AWS	Azure
Main firewall model	VPC firewall rules and policy layers	Security groups and NACLs	NSGs and Azure Firewall patterns
Stateful behavior	Stateful	Security groups are stateful	NSGs are stateful
Priority handling	Lower number = higher priority	Different rule evaluation models by service	Priority-based rule ordering in NSGs
Targeting model	Network tags and service accounts are important	Attachment to ENIs and resource groups	Attachment to subnet/NIC through NSGs
Enterprise policy layer	Hierarchical and network firewall policies	Different org/account-level governance patterns	Policy and central firewall models differ

Main takeaway: Google Cloud firewall rules feel especially distinctive because of their VPC-level design plus the importance of targets, priorities, logging, and organization-wide policy layers.

Best practices for Google Cloud firewall rules

Good firewall design is about being explicit, narrow, and understandable rather than just making traffic work once.

Use least privilege

Allow only the traffic that is needed, from the sources that are needed, to the targets that actually require it.

Prefer precise targets

Use meaningful network tags or service-account-based targeting instead of broad rules that apply to everything in a network.

Document priority intent

Priority numbers should not be random. Make it obvious why a rule is higher or lower precedence than surrounding rules.

Enable logging where it matters

Logging is especially useful for sensitive workloads, recurring incidents, audits, and rules that teams frequently debate.

Separate admin and application access

Management traffic should not use the same broad rule patterns as user-facing application traffic.

Review policy layers regularly

In larger organizations, verify how VPC rules interact with hierarchical or network firewall policies so no hidden governance layer surprises the team.

Common firewall mistakes

These are the practical mistakes that repeatedly cause network outages, security gaps, or confusing diagnostics.

Rule exists but target is wrong

The firewall rule may be valid, but if the intended instance does not match the target tags or service account, the rule has no effect for that workload.

Priority misunderstanding

Teams often assume the newest rule wins or that allow always beats deny. In reality, priority and match logic decide the outcome. ([docs.cloud.google.com](https://docs.cloud.google.com/firewall/docs/firewalls?utm_source=chatgpt.com))

Using broad source ranges

Large source ranges make rules easier to create but harder to secure and audit later.

Ignoring egress

Many teams focus only on ingress and forget that outbound restrictions or missing egress allowances can break application behavior.

No logging during complex incidents

Without logging, teams may spend too much time guessing whether the firewall is involved.

Confusing route and firewall issues

A valid route does not mean traffic is allowed, and a valid allow rule does not mean the route path exists.

Troubleshooting firewall-related issues

Firewall troubleshooting works best when you validate the whole communication chain instead of only looking for a rule name that seems relevant.

Traffic between two internal workloads fails

Check that the workloads are in reachable subnets and valid route paths exist.
Confirm the target instance actually matches the intended firewall rule target.
Review source range, direction, protocol, and port.

Internet traffic cannot reach a web workload

Check that the frontend architecture is correct for internet access.
Validate ingress rule direction and allowed protocol and port.
Review whether a broader deny or higher-priority conflicting rule exists.

Private VM cannot reach external services

Check egress rules in addition to Cloud NAT or internet egress architecture.
Review whether destination restrictions are blocking expected traffic.
Confirm route path and NAT path exist alongside firewall allowances.

Hybrid admin traffic fails

Validate route learning and hybrid path first.
Then confirm the ingress firewall rule matches source range and target.
Use logging if available to confirm allow or deny behavior.

Troubleshooting tip: validate the chain in order: source, route path, direction, firewall rule match, priority, target, protocol and port, then destination behavior.

Where to go after firewall rules

Once firewall behavior makes sense, the next pages to study are the ones that explain route paths, dynamic routing, and outbound internet design in more detail.

GCP VPC

Understand the larger network model firewall rules belong to.

Open GCP VPC page →

Subnets

See how subnet design and firewall targeting interact in real architectures.

Open Subnets page →

Routes

Learn how path selection and firewall decisions work together.

Open Routes page →

Cloud Router

Important when firewall logic intersects with hybrid route learning.

Open Cloud Router page →

Cloud NAT

Useful for understanding outbound access together with egress rules.

Open Cloud NAT page →

Cloud VPN

Useful when firewall policies intersect with hybrid administrative or service access.

Open Cloud VPN page →