Firewall endpoint is a Cloud Next Generation Firewall resource that enables Layer 7 advanced protection capabilities, such as the URL filtering service and the intrusion detection and prevention service, in your network.
This page provides a detailed overview of firewall endpoints and their capabilities.
Specifications

A firewall endpoint is an organizational resource created at the zonal level.
Firewall endpoints perform Layer 7 firewall inspection on the intercepted traffic.
Cloud Next Generation Firewall uses Google Cloud's packet intercept technology to transparently redirect traffic from the Google Cloud workloads in a Virtual Private Cloud (VPC) network to the firewall endpoints.
Packet intercept is a Google Cloud capability that transparently inserts network appliances into the path of selected network traffic without modifying the VPC network's existing routing policies.
Cloud NGFW redirects the workload traffic in a VPC network to the firewall endpoint only if the Layer 7 inspection is configured to be applied to this flow.
Cloud NGFW adds a VPC network identifier to each packet redirected to the firewall endpoint for Layer 7 inspection. If you have multiple VPC networks with overlapping IP address ranges, this network identifier helps to ensure that each redirected packet is correctly associated with its VPC network.
You can create a firewall endpoint in a zone and attach it to one or more VPC networks to monitor workloads in the same zone. If your VPC network spans multiple zones, you can attach one firewall endpoint in each zone. If you don't attach a firewall endpoint to a VPC network in a specific zone, no Layer 7 inspection is performed on the workload traffic for that zone.
You use firewall endpoint association to attach a firewall endpoint to a VPC network.
The endpoint and the workloads for which you want to enable Layer 7 inspection must be in the same zone. Creating the firewall endpoint in the same zone as workloads has the following benefits:
Lower latency. Because the endpoint intercepts, inspects, and reinjects the traffic within the same zone, latency is lower than it would be with an endpoint in a different zone.
No cross-zonal traffic. Keeping traffic within the same zone ensures lower costs.
More reliable traffic. Keeping traffic within the same zone removes the risk of cross-zonal outages.
Firewall endpoints can process up to 2 Gbps of traffic with Transport Layer Security (TLS) inspection, and 10 Gbps of traffic without TLS inspection. Sending more traffic can result in packet loss. To monitor the firewall endpoint's capacity utilization, see firewall endpoint metrics.
Per-connection throughput is capped at 250 Mbps with TLS inspection and 1.25 Gbps without TLS inspection.
You can delete a firewall endpoint only when there are no VPC networks associated with it.
Google manages the infrastructure, load balancing, autoscaling, certificate management, and lifecycle of firewall endpoints. When you create a firewall endpoint, Google provisions a set of dedicated virtual machine (VM) instances for it, which provides reliability, performance, and security isolation for your traffic.
Google provides high availability through failover mechanisms for the firewall endpoints, which ensures reliable firewall protection for all VM instances covered in the attached VPC network.
Firewall endpoint association links a firewall endpoint to a VPC network in the same zone. After you define this association, Cloud NGFW forwards the zonal workload traffic in your VPC network that requires Layer 7 inspection to the attached firewall endpoint.
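Because Layer 7 inspection is strictly zonal (an endpoint only covers workloads in its own zone, and a zone without an association gets no inspection at all), the practical failure mode is a VPC that grows into a new zone nobody attached an endpoint to. The following script is an added example, not code from the Cloud NGFW documentation: it compares the zones that run workloads against the zones that already have an association and, for each gap, emits the two gcloud commands that provision coverage (one organization-level endpoint in that zone, then the association to the VPC). The organization ID, project names, network name, resource names, and the inventories are constructed sample values; the gcloud flag names follow the documented `gcloud network-security firewall-endpoints` and `firewall-endpoint-associations` commands as of writing and should be checked against `--help` before running with `DRY_RUN=0`. By default it only prints the commands.

```shell
#!/bin/sh
# Added example (not from the Cloud NGFW documentation).
# Audit zonal Layer 7 coverage for one VPC network and print (or, with
# DRY_RUN=0, run) the gcloud commands that close each gap.
# Hypothetical values: ORG_ID, BILLING_PROJECT, PROJECT, NETWORK.

ORG_ID="${ORG_ID:-123456789012}"                 # assumption: sample org ID
BILLING_PROJECT="${BILLING_PROJECT:-ngfw-billing-project}"
PROJECT="${PROJECT:-workload-project}"           # project that owns the VPC
NETWORK="${NETWORK:-prod-vpc}"                   # VPC network to protect
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print commands only

# Constructed sample inventories. In practice, fill WORKLOAD_ZONES from
#   gcloud compute instances list --project="$PROJECT" --format='value(zone.basename())'
# and COVERED_ZONES from the zones of the existing associations for $NETWORK.
WORKLOAD_ZONES='us-central1-a
us-central1-b
us-east1-b
us-central1-a'
COVERED_ZONES='us-central1-a'

# Print each distinct zone in $1 that does not appear in $2, one per line.
# Both arguments are newline-separated zone lists.
missing_zones() {
    printf '%s\n' "$1" | sort -u | while IFS= read -r z; do
        [ -n "$z" ] || continue
        if ! printf '%s\n' "$2" | grep -qxF -- "$z"; then
            printf '%s\n' "$z"
        fi
    done
}

# Echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Give one zone Layer 7 coverage: the endpoint is an organization resource in
# that zone; the association then attaches it to the VPC in the same zone.
provision_zone() {
    zone="$1"
    ep="fw-ep-$zone"
    assoc="fw-assoc-$NETWORK-$zone"
    run gcloud network-security firewall-endpoints create "$ep" \
        --zone="$zone" --organization="$ORG_ID" \
        --billing-project="$BILLING_PROJECT"
    run gcloud network-security firewall-endpoint-associations create "$assoc" \
        --zone="$zone" --project="$PROJECT" \
        --network="projects/$PROJECT/global/networks/$NETWORK" \
        --endpoint="organizations/$ORG_ID/locations/$zone/firewallEndpoints/$ep"
}

# Tear down in the only order the service accepts: the endpoint can be deleted
# only after no VPC network is associated with it.
teardown_zone() {
    zone="$1"
    run gcloud network-security firewall-endpoint-associations delete \
        "fw-assoc-$NETWORK-$zone" --zone="$zone" --project="$PROJECT"
    run gcloud network-security firewall-endpoints delete "fw-ep-$zone" \
        --zone="$zone" --organization="$ORG_ID"
}

main() {
    gaps=$(missing_zones "$WORKLOAD_ZONES" "$COVERED_ZONES")
    if [ -z "$gaps" ]; then
        echo "every workload zone in $NETWORK has a firewall endpoint association"
        return 0
    fi
    echo "zones with workloads but no Layer 7 inspection in $NETWORK:"
    printf '  %s\n' $gaps
    printf '%s\n' "$gaps" | while IFS= read -r z; do provision_zone "$z"; done
}

main "$@"
```

Run it as a scheduled check against a real inventory and treat any non-empty gap list as a finding: traffic in those zones is not being inspected, regardless of what the firewall policy says.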
Identity and Access Management roles

Identity and Access Management (IAM) roles govern the following actions for managing the firewall endpoints:
The following table describes the roles that are necessary for each step.
IAM roles govern the following actions for the firewall endpoint associations:
The following table describes the roles that are necessary for each step.
Quotas

To view quotas associated with firewall endpoints, see Quotas and limits.
Pricing

Pricing for firewall endpoints is described in the Cloud NGFW pricing.
What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License.
Last updated 2025-10-13 UTC.