The general availability of several features for Google Cloud Firewall.
Threat Intelligence for Cloud Firewall:
This feature allows you to enhance your firewall rules with curated lists of threat intelligence data. These lists, built and maintained by Google Cloud Threat Intelligence researchers, include information about known malicious IP addresses and trusted sources. By leveraging this feature, you can block malicious traffic and allow known good traffic for your cloud workloads.
Geo-location objects:
With geo-location objects, you can filter traffic based on specific geographic locations. Google builds and maintains the mapping between countries and IP addresses, making it easier for you to block or allow traffic from designated geographic locations. This feature helps you enforce compliance with regulations by restricting traffic from certain regions.
Address groups:
Address groups simplify the management of firewall rules. Instead of manually entering IP ranges in each rule, address groups allow you to create a collection of IPs or IP range sets. You can reuse these address groups in multiple firewall rules, saving time and effort in managing and maintaining your firewall configuration. Address groups can be created at the project or organization level and used in network firewall policies.
Local IP ranges:
Local IP ranges provide granular control for target workloads in firewall rule configurations. Previously, if you specified a tag or service account in a firewall rule, you couldn’t further specify an IP address for the target workload. However, with local IP ranges, you can configure ingress and egress firewall rules to allow traffic targeting a specific IP for a virtual machine (VM) interface. This feature enables you to achieve traffic filtering through a gateway-style endpoint by using symmetrical firewall rules with destination and source IP ranges.
These features are available in two tiers: Essentials and Standard. The Essentials tier offers foundational capabilities, while the Standard tier expands rule capabilities. The features can be activated through the Cloud Console, Command Line Interface (CLI), and API.