Sunday, June 16, 2024

How to filter FQDNs in Cloud Next Generation Firewall

Have you ever had trouble keeping up with firewall restrictions for websites like Google? It used to require manually listing each and every IP address associated with your domain. Talk about a headache!


But hey, what do you know? Everything has become so much simpler! The Cloud Next Generation Firewall (NGFW) now has an FQDN feature that lets you specify a domain name directly in your firewall rule. No more endless lists of IP addresses to maintain!

Security is critical in the ever-changing cloud computing environment. Among the many capabilities that Cloud NGFW provides to protect your infrastructure is the fully qualified domain name capability. By giving your firewall rules more flexibility and clarity, it makes network management easier and helps you strengthen security measures. Let’s investigate how.

Comprehending FQDN

Fully qualified domain names are the full name of a particular host on the internet, which is eventually converted to an IP address when establishing a connection with the host.

FQDN allows users to establish firewall rules based on domain names instead of merely IP addresses in the context of Google Cloud NGFW Standard. By allowing rule development based on particular services or applications hosted on those domains, even when associated IP addresses change dynamically, this presents a more flexible approach to network traffic control.

The advantages of FQDN

Increased dependability

Load-balanced traffic passes through load balancers, and the FQDN remains unchanged when the underlying IP addresses change. This can enhance the dependability of your cloud workloads and lessen downtime.

Simpler to use

Compared to IP addresses, FQDNs are easier to memorise and more human-readable. This can help to improve the readability and maintainability of your firewall rules.

Enhanced security

By making DNS spoofing attacks more difficult, FQDNs can help to improve the security of your apps.

Crucial factors: things to know before converting to FQDN

  • Standard FQDN syntax requires that FQDN objects follow the format of supported domain names.
  • Firewall policy rules in hierarchical, global, and regional network firewall policies can control traffic to and from particular domains by utilising FQDN objects.
  • Based on the VPC name resolution order of Cloud DNS, Cloud NGFW regularly updates firewall policy rules containing FQDN objects with the most recent domain name resolution results. Any modifications to DNS records are reported to Cloud NGFW by Cloud DNS. Because these updates use the same resolution path as the underlying virtual machines, egress control stays reliable.
  • The firewall policy treats FQDN objects as Layer 3 entities and applies to the IP address itself if several domain names resolve to the same address.
  • If a domain has CNAMEs in its DNS record, make sure all possible aliases are set up in egress firewall policy rules to ensure that policies are consistently enforced even when DNS records change. A policy malfunction could occur if all pertinent aliases are not included.
  • If alternate name servers are not utilised in outbound server policy sets, Compute Engine internal DNS names may also be used in network firewall policy rules.
  • Cloud DNS managed zones for domain name resolution can be used to include custom domain names in network firewall policy rules. Make sure the outbound server policy of the VPC network does not include any configuration for alternative name servers; otherwise the records in the managed zones will not be consulted.

Being aware of FQDN constraints

When using FQDN objects in firewall rules for both egress and ingress, the following limitations are applicable:

  • Top-level (root) domain names such as .org are not supported by FQDN objects.
  • A domain name can resolve to a maximum of 32 IPv4 and 32 IPv6 addresses. For DNS queries that return more than 32 addresses, only the first 32 IPv4 or IPv6 addresses are used. Consequently, do not include in ingress firewall policy rules domain names that resolve to more than 32 IPv4 and IPv6 addresses. Note that using FQDN objects in egress firewall rules is unaffected by this.
  • Depending on the client’s location, the same domain name query can return different responses. When a firewall policy rule is applied, DNS resolution is carried out in the Google Cloud region that houses the virtual machine (VM).
  • Do not use ingress rules with FQDN objects if DNS-based load balancing is in use or if domain name resolution results vary significantly. For example, many Google domain names use a DNS-based load-balancing mechanism.
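The considerations above (FQDN syntax, CNAME aliases that must all be listed, and the 32-addresses-per-family limit that only matters for ingress rules) can be checked before a rule is created. The following is an added example written for this article, not Google’s code or part of the gcloud CLI; the DNS records in `SAMPLE_RECORDS` are constructed stand-ins for what the VM’s resolver would return, and the function names are my own.

```python
"""Pre-flight checks for FQDN objects in a Cloud NGFW firewall policy rule.

Added example, not Google Cloud code. SAMPLE_RECORDS is constructed data;
in practice you would query the resolver the VM's VPC actually uses.
"""
import re
from typing import Dict, List, Tuple

# Cloud NGFW keeps at most 32 IPv4 and 32 IPv6 addresses per domain name.
MAX_ADDRESSES_PER_FAMILY = 32

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, 1-63 chars.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed sample zone: name -> (record type, values). CNAME chains are followed.
SAMPLE_RECORDS: Dict[str, Tuple[str, List[str]]] = {
    "www.example.test": ("CNAME", ["edge.example.test"]),
    "edge.example.test": ("CNAME", ["lb-1.cdn.example.test"]),
    # 40 IPv4 addresses: more than the 32 that Cloud NGFW would keep.
    "lb-1.cdn.example.test": ("A", [f"203.0.113.{i}" for i in range(1, 41)]),
    "api.example.test": ("A", ["198.51.100.10", "198.51.100.11"]),
}


def validate_fqdn(name: str) -> List[str]:
    """Return the syntax problems with an FQDN object; an empty list means it is acceptable."""
    problems = []
    host = name.strip(".")
    labels = host.split(".")
    if len(host) > 253:
        problems.append("name longer than 253 characters")
    if len(labels) < 2:
        # A bare top-level domain such as ".org" is not a supported FQDN object.
        problems.append("top-level domain names are not supported")
    for label in labels:
        if not LABEL_RE.match(label):
            problems.append(f"malformed label {label!r}")
    return problems


def resolve(name: str, records=SAMPLE_RECORDS) -> Tuple[List[str], List[str]]:
    """Follow CNAME aliases to the terminal address records.

    Returns (names_in_chain, addresses); names_in_chain starts with the queried name.
    """
    chain: List[str] = []
    current = name.strip(".")
    while current not in chain:
        chain.append(current)
        rtype, values = records.get(current, (None, []))
        if rtype == "CNAME":
            current = values[0]
            continue
        return chain, list(values)
    raise ValueError(f"CNAME loop involving {current!r}")


def check_rule_fqdns(rule_fqdns: List[str], direction: str,
                     records=SAMPLE_RECORDS) -> Dict[str, List[str]]:
    """Audit the FQDN list of one rule and return findings per FQDN.

    Findings: syntax problems; CNAME aliases the rule does not list (the policy
    can stop matching when records change if an alias is missing); and, for
    INGRESS rules only, names resolving to more addresses than are kept.
    """
    listed = {f.strip(".") for f in rule_fqdns}
    report: Dict[str, List[str]] = {}
    for fqdn in rule_fqdns:
        findings = validate_fqdn(fqdn)
        if findings:
            report[fqdn] = findings
            continue
        chain, addresses = resolve(fqdn, records)
        missing = [alias for alias in chain[1:] if alias not in listed]
        if missing:
            findings.append(f"CNAME aliases not in rule: {missing}")
        v4 = [a for a in addresses if ":" not in a]
        v6 = [a for a in addresses if ":" in a]
        if direction == "INGRESS" and max(len(v4), len(v6)) > MAX_ADDRESSES_PER_FAMILY:
            findings.append(f"resolves to {len(v4)} IPv4 / {len(v6)} IPv6 addresses; "
                            f"only {MAX_ADDRESSES_PER_FAMILY} per family are kept, "
                            "so avoid this name in ingress rules")
        report[fqdn] = findings
    return report


if __name__ == "__main__":
    for name, findings in check_rule_fqdns(["www.example.test", ".org"], "INGRESS").items():
        print(name, "->", findings or "OK")
```

Running the audit on an ingress rule that lists only `www.example.test` reports both the two unlisted aliases in its CNAME chain and the 40-address resolution; the same three names in an egress rule pass cleanly, which is exactly the asymmetry the constraints describe.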

FQDN exceptions when resolving DNS

During DNS resolution, you could run into the following exceptions while utilising FQDN objects in firewall policy rules:

Bad domain name

An error happens if one or more domain names in a firewall policy rule are formatted incorrectly. All domain names must be formatted correctly in order for the rule to be created.

Non-existent domain name (NXDOMAIN)

Google Cloud ignores the FQDN object in the firewall policy rule if the domain name does not exist.

No IP address resolution

The related FQDN object is ignored if a domain name is unable to resolve to any IP address.

Unreachable Cloud DNS server

If a DNS server becomes unreachable, firewall policy rules that use FQDN objects take effect only when previously cached DNS resolution results are still available. Otherwise, either because the cached DNS data has expired or there are no cached results, the FQDN objects in the rule are disregarded.
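The four exception cases above decide which FQDN objects actually contribute addresses to a rule at evaluation time. The following added example models that decision logic so you can reason about what a rule will match when resolution fails; it is not Google’s implementation, the resolver and cache are constructed stand-ins for Cloud DNS, and the TTL, names and answers are assumptions for illustration.

```python
"""Model of how Cloud NGFW treats FQDN objects during DNS resolution exceptions.

Added example, not Google Cloud code. The resolver, its answers and the cache
are constructed; the 300-second TTL is an assumed value for illustration.
"""
from typing import Dict, List, Tuple


class NXDomain(Exception):
    """The domain name does not exist."""


class ResolverUnreachable(Exception):
    """The DNS server could not be reached."""


# Constructed answers: name -> address list, or NXDomain to signal a missing name.
SAMPLE_ANSWERS = {
    "app.example.test": ["198.51.100.20"],
    "gone.example.test": NXDomain,
    "empty.example.test": [],   # name exists (e.g. only TXT records) but has no A/AAAA
}

# Cache layout: fqdn -> (time the answer was obtained, addresses)
Cache = Dict[str, Tuple[float, List[str]]]


def lookup(name: str, answers=SAMPLE_ANSWERS, reachable: bool = True) -> List[str]:
    """Constructed resolver: raises on an unreachable server or a non-existent name."""
    if not reachable:
        raise ResolverUnreachable(name)
    result = answers.get(name, NXDomain)
    if result is NXDomain:
        raise NXDomain(name)
    return list(result)


def effective_addresses(fqdns: List[str], cache: Cache, now: float, ttl: float = 300,
                        reachable: bool = True, answers=SAMPLE_ANSWERS) -> Dict[str, List[str]]:
    """Return {fqdn: addresses} for the FQDN objects that contribute to the rule.

    An object is absent from the result (i.e. disregarded) when the name is
    NXDOMAIN, resolves to no address, or the resolver is unreachable and the
    cache holds no result or only an expired one. Fresh answers refresh the cache.
    """
    effective: Dict[str, List[str]] = {}
    for fqdn in fqdns:
        try:
            addrs = lookup(fqdn, answers, reachable)
            cache[fqdn] = (now, addrs)
        except NXDomain:
            continue                       # "no domain name": object ignored
        except ResolverUnreachable:
            cached = cache.get(fqdn)
            if cached is None or now - cached[0] > ttl:
                continue                   # nothing usable in the cache: object ignored
            addrs = cached[1]              # fall back to the still-valid cached answer
        if addrs:                          # "no IP address resolution": object ignored
            effective[fqdn] = addrs
    return effective


if __name__ == "__main__":
    cache: Cache = {}
    names = ["app.example.test", "gone.example.test", "empty.example.test"]
    print("resolver up:   ", effective_addresses(names, cache, now=1000))
    print("resolver down: ", effective_addresses(names, cache, now=1100, reachable=False))
    print("cache expired: ", effective_addresses(names, cache, now=5000, reachable=False))
```

The practical lesson for a defender is the last case: an egress rule that is only ever populated from cache can silently stop matching once the cached result ages out, so alerting on resolver reachability for the VPC is part of keeping an FQDN-based policy dependable.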

Next up

  • Examine the documents: Take a look at the Google Cloud NGFW documentation to learn more about firewall rules and FQDN objects.
  • Try it out: Try incorporating some of the FQDN objects you’ve created into your own firewall rules. Observe how they improve security and streamline your workflow.
  • Talk about what you know: Contribute to the FQDN object community by forwarding this article to your network and colleagues.

You’re well on your way to a cloud environment that is more efficient and safe when you have FQDN objects in your toolbox. Savour the increased flexibility and ease of use in your firewall administration!

Thota Nithya
Thota Nithya has been writing cloud computing articles for govindhtech since April 2023. She is a science graduate and an enthusiast of cloud computing.

