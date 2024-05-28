



Have you ever struggled to manage firewall rules for sites like Google? Previously you had to list every IP address associated with the domain by hand, and then keep that list current as the addresses changed: a tedious and error-prone task.

But guess what? Things just got a lot easier! With the new FQDN feature in Cloud Next Generation Firewall (NGFW), you can simply specify the domain name (e.g. www.google.com) in your firewall rules. No more endless lists of IP addresses to keep track of!

In the dynamic environment of cloud computing, security is paramount. Cloud NGFWs offer a powerful set of features to protect your infrastructure, one of which is the Fully Qualified Domain Name (FQDN) feature. FQDNs provide additional flexibility and granularity to firewall rules, simplifying network administration while enhancing your security posture. Let's see how.

Understanding FQDNs

A Fully Qualified Domain Name (FQDN) is the complete domain name of a host on the Internet, for example www.google.com. It is resolved through DNS to one or more IP addresses before a connection to the host is established, and those addresses can change over time while the name stays the same.

In Google Cloud NGFW Standard, FQDN objects let you write firewall policy rules in terms of domain names rather than only IP addresses. A rule can therefore be expressed in terms of the service or application hosted on a domain, and it keeps matching even when the addresses behind that domain change.

Benefits of using FQDN

Improved reliability: the FQDN stays the same even when the underlying IP addresses change, for example when the destination is a load balancer whose addresses are rotated, so rules do not silently stop matching and you avoid the downtime caused by stale IP lists.

Ease of use: domain names are easier for people to read and remember than IP addresses, so rules built on them are easier to review and maintain.

Tighter egress control: an egress allow rule keyed on an FQDN follows exactly the addresses that name resolves to, so you no longer need to allow broad CIDR ranges just to cover a service whose addresses move. Keep in mind that the rule is only as trustworthy as the DNS answer Cloud NGFW receives for the name, so the integrity of your DNS configuration matters.

Important considerations: What you need to know before switching to FQDN

FQDN objects must conform to standard FQDN syntax; the supported domain name formats are listed in the Cloud NGFW documentation.

FQDN objects can be used in firewall policy rules in hierarchical, global, and regional network firewall policies to control traffic to and from specific domains.

Cloud NGFW periodically refreshes firewall policy rules that contain FQDN objects with the latest resolution results, following the VPC name resolution order of Cloud DNS, and Cloud DNS notifies Cloud NGFW when DNS records change. Because the firewall resolves names the same way the VMs in the VPC do, the address set it enforces matches what the workloads themselves connect to, which is what makes egress controls reliable.

When several domain names resolve to the same IP address, the firewall policy is enforced on the IP address itself; the FQDN object is in effect a Layer 3 entity. A rule therefore cannot distinguish two domains that share an address (for example, two sites behind the same CDN or load balancer frontend): allowing one of them allows traffic to that address, whatever name the client used.

For egress firewall policy rules, if the DNS record for your domain includes a CNAME, make sure every alias the name can resolve through is covered by the rule, so that enforcement stays consistent when your DNS records change. If a relevant alias is missing, the policy may not match the traffic you intended.

You can also use Compute Engine internal DNS names in network firewall policy rules, as long as the VPC network's outbound server policy does not use alternative name servers.

To use custom domain names in your network firewall policy rules, host them in a Cloud DNS managed zone so that Cloud DNS can resolve them. Make sure your VPC network's outbound server policy has no alternative name servers configured, because those would take precedence over the records in your managed zone.
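Two of the considerations above, CNAME aliases in egress rules and the Layer 3 treatment of shared IP addresses, can be checked before you create a rule. The following Python preflight is an added example written for this post, not Google's own tooling. The DNS records it works on are constructed; in practice you would obtain them from your Cloud DNS zone or from the resolver your VMs use. It expands the CNAME chain of a name to list every alias an egress rule should carry, and reports addresses reached by rules with conflicting actions, which the firewall cannot tell apart.

```python
from collections import defaultdict

# Constructed records (not real DNS data):
#   name -> ("CNAME", target)   or   name -> ("A", [addresses])
RECORDS = {
    "api.example.com": ("CNAME", "api-prod.lb.example.net"),
    "api-prod.lb.example.net": ("CNAME", "edge.cdn.example.org"),
    "edge.cdn.example.org": ("A", ["203.0.113.10", "203.0.113.11"]),
    "static.example.com": ("CNAME", "edge.cdn.example.org"),
    "db.internal.example.com": ("A", ["10.0.1.5"]),
}


def cname_chain(name, records, max_hops=8):
    """Return every name on the CNAME chain starting at `name`, ending with the
    name that carries the address records. Raises on a loop or a dangling chain."""
    chain = [name]
    seen = {name}
    while True:
        rtype, value = records.get(chain[-1], (None, None))
        if rtype == "A":
            return chain
        if rtype != "CNAME":
            raise LookupError(f"{chain[-1]} has no CNAME or A record")
        if value in seen or len(chain) >= max_hops:
            raise LookupError(f"CNAME loop or chain too long at {value}")
        chain.append(value)
        seen.add(value)


def egress_fqdn_set(fqdn, records):
    """FQDN objects an egress rule should carry for `fqdn`: the requested name
    plus every alias it resolves through, so the rule keeps matching if any
    link in the chain is re-pointed later."""
    return cname_chain(fqdn, records)


def resolve(fqdn, records):
    """Follow CNAMEs to the final address set, as a resolver would."""
    return list(records[cname_chain(fqdn, records)[-1]][1])


def shared_ip_conflicts(rules, records):
    """rules: list of (rule_name, action, [fqdns]).
    Enforcement happens on the resolved IP, so two FQDNs that share an address
    are indistinguishable. Report every address reached by rules whose actions
    disagree, with the (rule, action, fqdn) triples that reach it."""
    owners = defaultdict(set)
    for rule, action, fqdns in rules:
        for fqdn in fqdns:
            for ip in resolve(fqdn, records):
                owners[ip].add((rule, action, fqdn))
    return {ip: sorted(o) for ip, o in owners.items()
            if len({action for _, action, _ in o}) > 1}


if __name__ == "__main__":
    print(egress_fqdn_set("api.example.com", RECORDS))
    print(shared_ip_conflicts([("allow-api", "allow", ["api.example.com"]),
                               ("deny-static", "deny", ["static.example.com"])], RECORDS))
```

The conflict report is the thing to look at before you rely on a deny rule for one name: if an allow rule for another name lands on the same address, the allow wins for that address regardless of which hostname the client asked for.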

Implementing FQDN filtering

For step-by-step instructions on creating firewall policy rules that use FQDN objects, see the Google Cloud NGFW documentation.
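The post does not reproduce the command itself, so here is an added example, not from the original post or from Google's documentation, of how a practitioner might wrap the gcloud call. The FQDN syntax check mirrors the restrictions this post describes (no wildcards, no bare top-level domain) and may be stricter than Google's own parser; the gcloud flag names (--dest-fqdns, --layer4-configs, --global-firewall-policy, --firewall-policy-region, --target-secure-tags) are taken from the gcloud reference for network-firewall-policies rules and should be checked against your installed gcloud version. The policy name and the secure tag value are placeholders.

```python
import re
import shlex
import subprocess

# DNS label rule: 1-63 characters, letters/digits/hyphen, no leading or
# trailing hyphen. Added preflight check, not Google's validation code.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_fqdn(fqdn):
    """Return the normalized name, or raise ValueError explaining why Cloud NGFW
    would reject it (wildcards and bare top-level domains are unsupported)."""
    name = fqdn.strip().lower().rstrip(".")
    if "*" in name:
        raise ValueError(f"{fqdn!r}: wildcards are not supported in FQDN objects")
    if not name or name.startswith("."):
        raise ValueError(f"{fqdn!r}: a bare top-level domain is not supported")
    labels = name.split(".")
    if len(labels) < 2:
        raise ValueError(f"{fqdn!r}: a fully qualified name needs at least two labels")
    if len(name) > 253:
        raise ValueError(f"{fqdn!r}: longer than 253 characters")
    for label in labels:
        if not _LABEL.match(label):
            raise ValueError(f"{fqdn!r}: invalid label {label!r}")
    if labels[-1].isdigit():
        raise ValueError(f"{fqdn!r}: looks like an IP literal; use an IP range instead")
    return name


def egress_rule_argv(policy, priority, fqdns, ports=("tcp:443",),
                     action="allow", target_tags=(), region=None):
    """Build the gcloud argv for an egress network firewall policy rule whose
    destination is a list of FQDN objects. Every name is validated first,
    because a single malformed name makes creation of the whole rule fail."""
    names = [validate_fqdn(f) for f in fqdns]
    argv = [
        "gcloud", "compute", "network-firewall-policies", "rules", "create",
        str(priority),
        f"--firewall-policy={policy}",
        # Regional policies take --firewall-policy-region, global ones the flag below.
        f"--firewall-policy-region={region}" if region else "--global-firewall-policy",
        "--direction=EGRESS",
        f"--action={action}",
        f"--dest-fqdns={','.join(names)}",
        f"--layer4-configs={','.join(ports)}",
        "--enable-logging",
    ]
    if target_tags:
        argv.append(f"--target-secure-tags={','.join(target_tags)}")
    return argv


def create_rule(argv, execute=False):
    """Show the exact command; run it only when explicitly asked to."""
    print(shlex.join(argv))
    if execute:
        subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    create_rule(egress_rule_argv(
        policy="egress-policy",                 # placeholder policy name
        priority=1000,
        fqdns=["www.google.com", "storage.googleapis.com"],
        target_tags=["tagValues/281475012345678"],  # placeholder secure tag
    ))
```

Run it with `execute=False` first and paste the printed command into a review; the validator fails fast on the malformed names that would otherwise only be reported by the API at creation time.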

Understanding FQDN limitations

The following restrictions apply to both ingress and egress firewall rules that use FQDN objects:

FQDN objects do not support wildcards (such as *.example.com) or bare top-level domain names (such as .org).

A domain name can resolve to a maximum of 32 IPv4 addresses and 32 IPv6 addresses. If a DNS query returns more than 32 addresses of either type, only the first 32 of that type are included in the rule. You should therefore not use domain names that resolve to more than 32 IPv4 or 32 IPv6 addresses in ingress firewall policy rules, since a client arriving from an address beyond the first 32 would not match. Egress firewall rules are not affected by this limit.

The answer to a DNS query can differ depending on where the client making it is located. Firewall policy rules resolve FQDN objects from the Google Cloud region that contains the VM the rule applies to, so a client elsewhere may see a different set of addresses for the same name.

When you use FQDN objects in ingress firewall policy rules, be aware of the following limitation:

Avoid ingress rules that use FQDN objects when the domain's resolution results vary widely or when DNS-based load balancing is in use. Many Google domain names, for example, are served through DNS-based load balancing, so the address a client actually connects from may not be among the addresses the rule resolved.

FQDN Exceptions During DNS Resolution

When you use FQDN objects in firewall policy rules, the following situations can arise during DNS resolution:

Bad domain names: if a firewall policy rule contains one or more incorrectly formatted domain names, an error occurs and the rule cannot be created until all of its domain names are valid.

Domain name does not exist (NXDOMAIN): If the domain name does not exist, Google Cloud ignores the FQDN object in the firewall policy rule.

No IP address resolution: If the domain name cannot be resolved to any IP address, the associated FQDN object is ignored.

Note: Cloud NGFW considers the NXDOMAIN and IP address resolution failure cases to be functionally identical.

Unreachable Cloud DNS servers: if the DNS server cannot be reached, a firewall policy rule that uses FQDN objects is applied using the previously cached resolution results, as long as those are still available. If there are no cached results, or the cached DNS data has expired, the FQDN objects in the rule are ignored. An egress allow rule can therefore stop matching once its cached answers expire during a prolonged DNS outage, which is worth accounting for in your monitoring.
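To make the rule behaviour under these exceptions concrete, here is an added Python model of the resolution semantics the post describes: the 32-address cap per address family, NXDOMAIN and no-address objects being ignored while the rest of the rule stays in force, and cached answers covering a resolver outage until they expire. It is written for this post and is not Google's implementation; the resolver answers and TTLs are constructed, and expiring cache entries at the record TTL is an assumption.

```python
import time
from dataclasses import dataclass, field

MAX_PER_FAMILY = 32  # per-domain cap on IPv4 and on IPv6 addresses


class NXDOMAIN(Exception):
    """The domain name does not exist."""


class ResolverUnreachable(Exception):
    """The DNS server could not be reached."""


@dataclass
class CacheEntry:
    ipv4: list
    ipv6: list
    expires_at: float  # absolute time; assumed to follow the record TTL


@dataclass
class Outcome:
    fqdn: str
    ipv4: list = field(default_factory=list)
    ipv6: list = field(default_factory=list)
    status: str = "active"   # active | truncated | ignored
    reason: str = ""


def effective_targets(fqdns, resolve, cache, now=None):
    """Model which addresses a rule containing `fqdns` would enforce.

    resolve(fqdn) -> (ipv4_list, ipv6_list, ttl_seconds); it raises NXDOMAIN
    when the name does not exist and ResolverUnreachable when DNS is down.
    `cache` maps fqdn -> CacheEntry from earlier successful resolutions and is
    updated in place, standing in for the cached results the post describes.
    """
    now = time.time() if now is None else now
    outcomes = []
    for fqdn in fqdns:
        out = Outcome(fqdn)
        try:
            v4, v6, ttl = resolve(fqdn)
            cache[fqdn] = CacheEntry(list(v4), list(v6), now + ttl)
        except NXDOMAIN:
            out.status, out.reason = "ignored", "NXDOMAIN"
            outcomes.append(out)
            continue
        except ResolverUnreachable:
            entry = cache.get(fqdn)
            if entry is None or entry.expires_at <= now:
                out.status = "ignored"
                out.reason = "resolver unreachable and no unexpired cached answer"
                outcomes.append(out)
                continue
            v4, v6 = entry.ipv4, entry.ipv6
            out.reason = "resolver unreachable, served from cache"
        if not v4 and not v6:
            # Treated the same as NXDOMAIN: the object drops out of the rule.
            out.status, out.reason = "ignored", "no address records"
            outcomes.append(out)
            continue
        if len(v4) > MAX_PER_FAMILY or len(v6) > MAX_PER_FAMILY:
            out.status = "truncated"
            out.reason = f"only the first {MAX_PER_FAMILY} addresses per family are used"
        out.ipv4, out.ipv6 = list(v4)[:MAX_PER_FAMILY], list(v6)[:MAX_PER_FAMILY]
        outcomes.append(out)
    return outcomes


def enforced_addresses(outcomes):
    """The flat address set the rule actually matches on."""
    return {ip for o in outcomes if o.status != "ignored" for ip in o.ipv4 + o.ipv6}


# Constructed answers standing in for Cloud DNS; not real records.
ANSWERS = {
    "api.example.com": (["203.0.113.10"], ["2001:db8::10"], 300),
    "big.example.com": ([f"198.51.100.{i}" for i in range(1, 41)], [], 60),
    "empty.example.com": ([], [], 60),
}


def constructed_resolver(fqdn):
    if fqdn not in ANSWERS:
        raise NXDOMAIN(fqdn)
    return ANSWERS[fqdn]


def failing_resolver(fqdn):
    raise ResolverUnreachable(fqdn)


if __name__ == "__main__":
    cache = {}
    names = ["api.example.com", "big.example.com", "empty.example.com", "gone.example.com"]
    for o in effective_targets(names, constructed_resolver, cache, now=1000.0):
        print(o.fqdn, o.status, o.reason)
    # Resolver outage 200 s later: the 300 s answer survives, the 60 s one does not.
    for o in effective_targets(names, failing_resolver, cache, now=1200.0):
        print(o.fqdn, o.status, o.reason)
```

Running the two passes shows the practical point: after a resolver outage the rule does not fail closed or open as a whole, it shrinks object by object as cached answers age out, so a short-TTL destination disappears from an egress allow rule long before a long-TTL one does.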

What's next?

Dive into the documentation: To gain a deeper understanding of FQDN objects and firewall rules, start exploring the Google Cloud NGFW documentation.

Test: Create some FQDN objects and implement them in your own firewall rules to see how they simplify your workflow and improve security.

Share your knowledge: Share this article with your colleagues and network to help others leverage FQDN objects.

Adding FQDN objects to your toolkit helps ensure a more secure and streamlined cloud environment. Enjoy new ease and flexibility in managing your firewall.

