Use Dynamic Address Groups to Secure Instances Within the VPC
Learn how to configure the VM-Series firewall to monitor
VMs in your project’s VPC.
In a dynamic environment such as the Google®
Cloud Platform (GCP™), where you launch new instances on demand,
the administrative overhead of managing Security policy can be cumbersome.
Using dynamic address groups in policy enables agility and prevents
disruption in services or gaps in protection: the firewall derives group
membership from the labels it learns by monitoring the VPC, so a new instance
that carries the right labels is covered by the rule without a policy change.
This workflow assumes that you have
deployed the VM-Series firewall, configured some applications on
instances, and enabled Google Stackdriver monitoring.
Configure the firewall to monitor the VPC.
Label instances in the VPC.
A label is a key-value pair. You can label resources from
the Google Cloud Console, from Google API calls, or from the Google
Cloud Shell. In this task we are labeling instances; however, labels can
be applied to many resources, as described in Labeling Resources.
You can also add labels from the Instance browser.
The labels you create should support your strategy for differentiating your
resources in ways that are useful to your Security policy. Keep keys and
values consistent across instances, because the firewall matches them as
exact strings; an instance labeled with a variant spelling silently falls
outside the group.
Create a dynamic address group on the firewall.
Add a dynamic address group and specify a name (my-data in this example).
Define the match criteria. Add Match Criteria and select the attributes
to filter for or to match against.
Use the dynamic address group in a Security policy rule.
Create a rule to allow internet access to any web server
that belongs to the dynamic address group called my-data.
Add a rule and give it a name.
On the Source tab, add trust as the source zone.
In the Source Address section, add the new my-data group.
On the Destination tab, select untrust as the destination zone.
Verify that the service is set to the value you intend; application-default
is the safe choice for a rule that allows an application out to the internet.
Set the action to allow.
In the Profile Settings, set the profile type to profiles and then attach
the default profiles for Antivirus, Anti-Spyware, and Vulnerability Protection.
Commit the rule, then verify that members populate as described in the next step.
Verify that members of the dynamic address group are
populated on the firewall.
Policy is enforced for all IP addresses that belong
to this address group and that are displayed here.
Open the Security policy and select the rule, then select the my-data group
from the drop-down to view its registered members.
You can also verify that the match criteria are accurate: open the address
group and verify that the list of registered IP addresses is displayed.
If the list is empty or is missing an instance, check that the instance's
labels match the criteria exactly and that the firewall's VM monitoring of
the VPC is connected.
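The labelling, match-criteria and policy steps above, as an added example that is not part of this page or of PAN-OS: a Python simulation of how the firewall turns labels learned from the VPC into dynamic address group membership, and how a rule whose source address is the group follows that membership without being edited. The instance inventory, IP addresses, labels and the `key:value` tag spelling are constructed assumptions; the match criteria syntax (single-quoted tags joined by `and`/`or`, with parentheses) is the firewall's, but the operator precedence used here is the conventional AND-over-OR, so use parentheses in real criteria rather than relying on it.

```python
"""Simulate PAN-OS dynamic address group (DAG) membership for GCP instances.

Constructed example: the inventory, addresses, labels and tag spelling are
assumptions for illustration; this is not firewall code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Instance:
    """A GCP instance as the firewall's VM monitoring would see it (constructed)."""
    name: str
    ip: str
    labels: dict[str, str] = field(default_factory=dict)


def instance_tags(inst: Instance) -> set[str]:
    """Tags registered for an instance. The 'key:value' spelling is an assumption;
    the real firewall uses its own naming for labels learned from GCP, so take the
    attribute names from what the firewall shows under Add Match Criteria."""
    return {f"{key}:{value}" for key, value in inst.labels.items()}


# Match criteria: single-quoted tags joined by AND / OR, optionally parenthesised.
_TOKEN = re.compile(r"\s*(?:'([^']*)'|([()])|(and|or)\b)\s*", re.IGNORECASE)


def tokenize(criteria: str) -> list[tuple[str, str]]:
    """Split a criteria string into ('tag', name) / ('paren', '(') / ('op', 'and') tokens."""
    tokens: list[tuple[str, str]] = []
    pos = 0
    while pos < len(criteria):
        m = _TOKEN.match(criteria, pos)
        if m is None:
            raise ValueError(f"bad match criteria at offset {pos}: {criteria[pos:]!r}")
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(("tag", m.group(1)))
        elif m.group(2) is not None:
            tokens.append(("paren", m.group(2)))
        else:
            tokens.append(("op", m.group(3).lower()))
    return tokens


class _Parser:
    """Recursive descent: or_expr := and_expr ('or' and_expr)*; AND binds tighter."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == ("op", "or"):
            self.i += 1
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.atom()
        while self.peek() == ("op", "and"):
            self.i += 1
            node = ("and", node, self.atom())
        return node

    def atom(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("match criteria ended where a tag was expected")
        self.i += 1
        if tok[0] == "tag":
            return ("tag", tok[1])
        if tok == ("paren", "("):
            node = self.or_expr()
            if self.peek() != ("paren", ")"):
                raise ValueError("missing ')' in match criteria")
            self.i += 1
            return node
        raise ValueError(f"unexpected token {tok!r}")


def parse_criteria(criteria: str) -> tuple:
    return _Parser(tokenize(criteria)).parse()


def evaluate(node: tuple, tags: set[str]) -> bool:
    """Evaluate a parsed criteria tree against one instance's tag set (exact match)."""
    if node[0] == "tag":
        return node[1] in tags
    left, right = evaluate(node[1], tags), evaluate(node[2], tags)
    return (left and right) if node[0] == "and" else (left or right)


def dag_members(criteria: str, inventory: list[Instance]) -> set[str]:
    """IP addresses the firewall would register for a DAG with these criteria."""
    tree = parse_criteria(criteria)
    return {inst.ip for inst in inventory if evaluate(tree, instance_tags(inst))}


def rule_allows(src_ip: str, dag_ips: set[str]) -> bool:
    """A rule whose source address is the DAG: the decision follows membership."""
    return src_ip in dag_ips


# Constructed inventory; addresses and labels are made up for this example.
INVENTORY = [
    Instance("web-1", "10.1.0.10", {"app": "web", "env": "prod"}),
    Instance("web-2", "10.1.0.11", {"app": "web", "env": "prod"}),
    Instance("db-1", "10.1.0.20", {"app": "db", "env": "prod"}),
    Instance("web-dev", "10.1.1.10", {"app": "web", "env": "dev"}),
]
MY_DATA_CRITERIA = "'app:web' and 'env:prod'"  # criteria for the my-data group

if __name__ == "__main__":
    print("my-data members:", sorted(dag_members(MY_DATA_CRITERIA, INVENTORY)))
    # Launch a correctly labelled web server: the rule is untouched, the member list grows.
    INVENTORY.append(Instance("web-3", "10.1.0.12", {"app": "web", "env": "prod"}))
    print("after launch:", sorted(dag_members(MY_DATA_CRITERIA, INVENTORY)))
    # Label drift ('production' instead of 'prod') silently leaves an instance outside the rule.
    INVENTORY.append(Instance("web-4", "10.1.0.13", {"app": "web", "env": "production"}))
    print("web-4 allowed?", rule_allows("10.1.0.13", dag_members(MY_DATA_CRITERIA, INVENTORY)))
```

Run it to see the my-data members before and after a new instance is launched; the rule's source address never changes, only the registered IP list, which is exactly what you confirm in the verification step. The last case is the failure mode to watch for: a label whose value drifts from the criteria is not rejected anywhere, the instance simply never appears in the group.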