Use Dynamic Address Groups to Secure Instances Within the VPC

Learn how to configure the VM-Series firewall to monitor VMs in your project’s VPC.
In a dynamic environment such as the Google® Cloud Platform (GCP™), where you launch new instances on demand, the administrative overhead in managing Security policy can be cumbersome. Using use dynamic address groups in policy enables agility and prevents disruption in services or gaps in protection.
This workflow assumes that you have deployed the VM-Series firewall, configured some applications on instances, and enabled Google Stackdriver monitoring.
  1. Configure the firewall to monitor the VPC.
  2. Label instances in the VPC.
    A label is a name-value pair. You can label resources from the Google Cloud Console, from Google API calls, or from the Google Cloud Shell. In this task we are labeling instances; however, labels can be applied to many resources, as described in Labeling Resources.
    You can also add labels from the Instance browser.
    create-label.png
    The labels you create support your strategy for differentiating your resources in ways that are useful to your Security policy.
  3. Create a dynamic address group on the firewall.
    1. Select ObjectsAddress Groups.
    2. Add a dynamic address group and specify a Name and a Description.
    3. Set Type to Dynamic.
    4. Define the match criteria.
      1. Add Match Criteria and select the And operator.
      2. Select the attributes to filter for or to match against.
        dag-def.png
    5. Click OK.
    6. Click Commit.
  4. Use the dynamic address group in a Security policy rule.
    Create a rule to allow internet access to any web server that belongs to the dynamic address group called my-data.
    1. Select PoliciesSecurity.
    2. Add a rule and a Name for the rule and verify that the Rule Type is universal.
    3. In the Source tab, add trust as the Source Zone.
    4. In the Source Address section, Add your new my-data group.
    5. In the Destination tab, add untrust as the Destination Zone.
    6. In the Service/URL Category tab, verify that the service is set to application-default.
    7. In the Actions tab, set the Action to Allow.
    8. In the Profile Settings, set the Profile Type to Profiles and then attach the default profiles for Antivirus, Anti-Spyware, and Vulnerability Protection.
    9. Click OK.
    10. Click Commit.
  5. Verify that members of the dynamic address group are populated on the firewall.
    Policy will be enforced for all IP addresses that belong to this address group and that are displayed here.
    1. Select PoliciesSecurity and select the rule.
    2. Select Inspect from the drop-down. You can also verify that the match criteria is accurate.
    3. Click more to verify that the list of registered IP addresses is displayed.

Related Documentation