GCP Shared VPC Firewall
Originally: ADR-0036 GCP_Shared_VPC_Firewall (v6)
Status: Accepted
Deciders: ryan.cullison@droneup.com, sybil.melton@droneup.com, eric.brookman@droneup.com
Date: Apr 14, 2023
Technical Story
Document decision for firewall design elements in Shared VPC
Context and Problem Statement
Security features for the [Shared VPC](confluence-title://PE/ADR17: GCP Network Architecture) must be decided.
Network firewalls are the primary access control for both east-west (intra-VPC) and north-south (Internet ingress and egress) traffic flows.
Placement of firewalls can affect the size of subnets and the number of Shared VPCs.
Employing instance groups and spreading the virtual machines across zones distributes them over the Google Cloud physical infrastructure, which avoids downtime caused by infrastructure maintenance or failure.
A GKE cluster in a service project cannot create and manage the firewall resources in the host project.
- Either manually configure the firewall rules that would usually be created automatically, or grant the appropriate IAM permissions in the host project to the service project's GKE service account.
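The second option above (granting the service project's GKE service account the permissions it needs in the host project) as an added Terraform example; this is not the ADR's own code. The host project id `host-prod` and the service project number `111111111111` are placeholders, and the six-permission custom role is an assumption to verify against the current GKE Shared VPC documentation; it is used instead of the broad `roles/compute.securityAdmin` so the GKE agent can touch only VPC firewall rules in the host project.

```hcl
# Added example (not from the ADR). Placeholders: host project "host-prod",
# service project number "111111111111".
locals {
  host_project        = "host-prod"
  service_project_num = "111111111111"

  # Google-managed GKE service agent of the service project; this is the
  # identity that tries to create firewall rules in the host project.
  gke_robot = "service-${local.service_project_num}@container-engine-robot.iam.gserviceaccount.com"
}

# Least-privilege custom role: firewall-rule lifecycle only. Assumed
# permission set; narrower than roles/compute.securityAdmin, which would also
# cover SSL policies, security policies and other host-project resources.
resource "google_project_iam_custom_role" "gke_firewall_manager" {
  project = local.host_project
  role_id = "gkeFirewallManager"
  title   = "GKE firewall manager (host project)"
  permissions = [
    "compute.firewalls.create",
    "compute.firewalls.delete",
    "compute.firewalls.get",
    "compute.firewalls.list",
    "compute.firewalls.update",
    "compute.networks.updatePolicy",
  ]
}

# Bind the custom role to the service project's GKE agent on the host project.
resource "google_project_iam_member" "gke_firewall_manager" {
  project = local.host_project
  role    = google_project_iam_custom_role.gke_firewall_manager.id
  member  = "serviceAccount:${local.gke_robot}"
}
```

One binding is needed per service project that runs GKE; keeping it as a member binding (rather than an authoritative policy) avoids clobbering other host-project grants. Any rule the GKE agent creates will show up in the host project's firewall rule list and in Firewall Insights, so the grant is auditable after the fact.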
Decision Drivers
- Scale
- Complexity
- Resiliency and high availability
- Ensuring GCP quotas are not reached
- NIST 800-53 compliance
Considered Options
East-West Firewall
- Cloud Firewall Rules with per environment Shared VPC
- Inline Firewall appliances with per project Shared VPC
North-South Firewall
- Cloud Firewall Standard
- Separate Ingress and Egress Firewall appliances
- Common Firewall appliances
Decision Outcome
1. Cloud Firewall Rules with per environment Shared VPC
Cloud Firewall provides a stateful, fully distributed host-based enforcement on each workload to enable zero-trust security architecture. The combination of firewall policies and Identity and Access Management (IAM)-governed Tags provides fine control for both north-south and east-west traffic, down to a single VM, across Virtual Private Cloud (VPC) networks and organizations. Cloud Firewall implements network and hierarchical firewall policies that can be attached to a resource hierarchy node. These policies provide a consistent firewall experience across the Google Cloud resource hierarchy. Firewall Insights provides visibility into firewall rule usage and detects firewall rule configuration issues.
- Good, no additional infrastructure required
- Good, increased scale and operational resiliency and reduces chances that high bandwidth use of one project affects other flows
- Good, IAM tags separate inter-project flows with no latency cost
- Good, simpler management with single global firewall policy to update with project add/remove/changes
- Bad, because
2. Cloud Firewall Standard
Cloud Firewall Standard extends the Cloud Firewall Essentials features to provide enhanced capabilities to protect your cloud infrastructure from malicious attacks.
- Good, no additional infrastructure management required
- Good, Threat Intelligence for firewall policy rules lets you secure your network by allowing or blocking traffic based on Threat Intelligence data lists.
- Good, Fully qualified domain name (FQDN) objects in firewall policy rules filter incoming or outgoing traffic from or to specific domains.
- Good, Geo-location objects in firewall policy rules filter external IPv4 and IPv6 traffic based on specific geographic locations or regions.
- Bad, limited security features available
- Bad, additional cost for data volume of a flow including both request and response traffic evaluated by Standard rules
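The accepted design (option 1, tag-based east-west rules in a single global network firewall policy) and the Cloud Firewall Standard objects listed under option 2 (Threat Intelligence lists and FQDN objects) as one added Terraform example; this is not the ADR's or Google's own code. The host project `host-prod`, the Shared VPC `shared-prod`, the organization id `123456789012`, the `tier` tag with values `web` and `db`, and the allowlisted domain are all assumed placeholders. Geo-location objects are omitted for length; they are set the same way with `src_region_codes` or `dest_region_codes` on a rule's `match` block.

```hcl
# Added example (not from the ADR). Placeholders: host project "host-prod",
# Shared VPC "shared-prod", org id "123456789012", tag "tier" = web|db.
locals {
  host_project = "host-prod"
  network_name = "shared-prod"
  org_id       = "123456789012"
}

# One global network firewall policy, owned by the host project and attached
# to the Shared VPC. Service projects never edit it; they only bind tags.
resource "google_compute_network_firewall_policy" "shared" {
  project     = local.host_project
  name        = "shared-prod-policy"
  description = "East-west and north-south rules for the prod Shared VPC"
}

resource "google_compute_network_firewall_policy_association" "shared" {
  project           = local.host_project
  name              = "shared-prod-assoc"
  attachment_target = "projects/${local.host_project}/global/networks/${local.network_name}"
  firewall_policy   = google_compute_network_firewall_policy.shared.name
}

# IAM-governed secure tags: binding "tier=web" or "tier=db" to a VM needs
# roles/resourcemanager.tagUser on that tag value, so a service-project admin
# cannot self-assign a tier that IAM does not grant them.
resource "google_tags_tag_key" "tier" {
  parent       = "organizations/${local.org_id}"
  short_name   = "tier"
  purpose      = "GCE_FIREWALL"
  purpose_data = { network = "${local.host_project}/${local.network_name}" }
}

resource "google_tags_tag_value" "web" {
  parent     = "tagKeys/${google_tags_tag_key.tier.name}"
  short_name = "web"
}

resource "google_tags_tag_value" "db" {
  parent     = "tagKeys/${google_tags_tag_key.tier.name}"
  short_name = "db"
}

# East-west: only web-tier VMs reach db-tier VMs, only on TCP/5432, no matter
# which service project or subnet either VM lives in.
resource "google_compute_network_firewall_policy_rule" "web_to_db" {
  project         = local.host_project
  firewall_policy = google_compute_network_firewall_policy.shared.name
  rule_name       = "allow-web-to-db-postgres"
  priority        = 1000
  direction       = "INGRESS"
  action          = "allow"
  enable_logging  = true
  match {
    src_secure_tags {
      name = "tagValues/${google_tags_tag_value.web.name}"
    }
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["5432"]
    }
  }
  target_secure_tags {
    name = "tagValues/${google_tags_tag_value.db.name}"
  }
}

# North-south ingress (Standard tier): drop sources on Google's Threat
# Intelligence lists before any allow rule is reached, and log the drops.
resource "google_compute_network_firewall_policy_rule" "deny_threat_intel" {
  project         = local.host_project
  firewall_policy = google_compute_network_firewall_policy.shared.name
  rule_name       = "deny-threat-intel-ingress"
  priority        = 100
  direction       = "INGRESS"
  action          = "deny"
  enable_logging  = true
  match {
    src_threat_intelligences = ["iplist-known-malicious-ips", "iplist-tor-exit-nodes"]
    layer4_configs {
      ip_protocol = "all"
    }
  }
}

# North-south egress (Standard tier): FQDN object allowlist for HTTPS.
resource "google_compute_network_firewall_policy_rule" "egress_fqdn_allow" {
  project         = local.host_project
  firewall_policy = google_compute_network_firewall_policy.shared.name
  rule_name       = "allow-egress-fqdn"
  priority        = 2000
  direction       = "EGRESS"
  action          = "allow"
  enable_logging  = true
  match {
    dest_fqdns = ["packages.cloud.google.com"]
    layer4_configs {
      ip_protocol = "tcp"
      ports       = ["443"]
    }
  }
}
```

Two checks worth making before relying on this: the FQDN allow rule only restricts anything if a lower-priority (higher number) egress deny rule follows it, because the VPC's implied rules allow all egress; and `enable_logging` on the deny rules is what makes the Threat Intelligence drops visible in Cloud Logging and Firewall Insights, which is the compensating detection control the Consequences section below asks for.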
Consequences/Tech Debt Incurred
Network features that come included with a vendor firewall are not available, e.g. network IPS, anti-virus, DLP. Compensating controls must be in place.
Pros and Cons of the Options
1. Inline Firewall appliances with per project Shared VPC
The same firewalls used for Internet egress would be reused to simplify routing. Because the VPC does not support transitive routing, a custom route would be needed to force inter-project traffic through the appliances.
- Good, offers IPS/malware/protocol inspection between projects if traffic is allowed
- Good, vendors have automation tools available for auditing and orchestration for remediation
- Bad, same VPC peering limitations presented in the dedicated VPC network design (25 peerings)
- Bad, high bandwidth use from one project can affect other traffic flows within the deployment, although auto scaling can be configured
- Bad, as bandwidth requirements increase, larger VM sizes can significantly increase cost
2. Separate Ingress and Egress Firewall appliances
Splits ingress and egress traffic across two separate sets of firewalls, which scales better than a single shared set.
- Good, increased scale and operational resiliency; reduces the chances of high bandwidth use from the inbound traffic flows affecting other traffic flows within the deployment
- Good, Next Generation Firewall offers IPS, application recognition, web filtering, antivirus/malware
  - secure your network by allowing or blocking traffic based on Threat Intelligence data lists
  - filter incoming or outgoing traffic from or to specific domains
  - filter external IPv4 and IPv6 traffic based on specific geographic locations or regions
- Bad, unknown cost for licensing and GCE because the number of firewalls needed is not yet known (minimum 2 for ingress, 2 for egress)
3. Common Firewall appliances
A single set of firewalls for both ingress and egress. Recommended for smaller scale deployments only, with higher technical complexity: ECMP and symmetric return must be configured on the virtual router so that the firewall interface that received the health probe sources the response and routes it correctly.
- Good, smaller number of firewalls
- Good, Next Generation Firewall offers IPS, application recognition, web filtering, antivirus/malware
  - secure your network by allowing or blocking traffic based on Threat Intelligence data lists
  - filter incoming or outgoing traffic from or to specific domains
  - filter external IPv4 and IPv6 traffic based on specific geographic locations or regions
- Bad, the single set of firewalls operates as a shared resource and can present scale limitations with all traffic flowing through it