google_compute_firewall

Each network has its own firewall controlling access to and from the instances.

All traffic to instances, even from other instances, is blocked by the firewall unless firewall rules are created to allow it.

The default network comes with automatically created firewall rules (its default firewall rules). A manually created network has no automatically created firewall rules other than a default "allow" rule for outgoing traffic and a default "deny" rule for incoming traffic. For all networks except the default network, you must create any firewall rules you need.

To get more information about Firewall, see:


Example Usage - Firewall Basic

resource "google_compute_firewall" "default" {
  name    = "test-firewall"
  network = google_compute_network.default.name

  allow {
    protocol = "icmp"
  }

  allow {
    protocol = "tcp"
    ports    = ["80", "8080", "1000-2000"]
  }

  source_tags = ["web"]
}

resource "google_compute_network" "default" {
  name = "test-network"
}

Example Usage - Firewall With Target Tags

resource "google_compute_firewall" "rules" {
  project     = "my-project-name"
  name        = "my-firewall-rule"
  network     = "default"
  description = "Creates firewall rule targeting tagged instances"

  allow {
    protocol  = "tcp"
    ports     = ["80", "8080", "1000-2000"]
  }

  source_tags = ["foo"]
  target_tags = ["web"]
}
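
The following is an added example, not part of the provider's own documentation. It makes the default ingress "deny" and egress "allow" behaviour described above explicit on a manually created network, and uses the deny and log_config blocks listed in the Argument Reference. The resource names, the "admin" tag and the 203.0.113.0/24 source range are constructed placeholders.

```hcl
# Added example: all names, tags and address ranges below are placeholders.
resource "google_compute_network" "hardened" {
  name                    = "hardened-network"
  auto_create_subnetworks = false
}

# Ingress is denied by default on a manually created network, so open
# only what is needed: SSH from one administrative range, and only to
# instances that carry the "admin" network tag.
resource "google_compute_firewall" "allow_ssh_from_admin" {
  name      = "allow-ssh-from-admin"
  network   = google_compute_network.hardened.name
  direction = "INGRESS"
  priority  = 1000

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["203.0.113.0/24"] # placeholder range (TEST-NET-3)
  target_tags   = ["admin"]

  # Record every connection this rule allows.
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Egress is allowed by default. This rule replaces that default with an
# explicit, logged deny. Priority 65534 sits just above the implied
# rules (65535), so any allow rule with a smaller number still wins.
resource "google_compute_firewall" "deny_all_egress" {
  name      = "deny-all-egress"
  network   = google_compute_network.hardened.name
  direction = "EGRESS"
  priority  = 65534

  deny {
    protocol = "all"
  }

  destination_ranges = ["0.0.0.0/0"]

  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}
```

Any outbound traffic the instances need must then be permitted by separate EGRESS allow rules with a priority number lower than 65534.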

Argument Reference

The following arguments are supported:


The allow block supports:

The deny block supports:

The log_config block supports:

Attributes Reference

In addition to the arguments listed above, the following computed attributes are exported:

Timeouts

This resource provides the following Timeouts configuration options:

Import

Firewall can be imported using any of these accepted formats:

In Terraform v1.5.0 and later, use an import block to import Firewall using one of the formats above. For example:

import {
  id = "projects/{{project}}/global/firewalls/{{name}}"
  to = google_compute_firewall.default
}

When using the terraform import command, Firewall can be imported using one of the formats above. For example:

$ terraform import google_compute_firewall.default projects/{{project}}/global/firewalls/{{name}}
$ terraform import google_compute_firewall.default {{project}}/{{name}}
$ terraform import google_compute_firewall.default {{name}}

User Project Overrides

This resource supports User Project Overrides.