What is Cloud NGFW?
Cloud NGFW is Google Cloud’s cloud-native, fully distributed firewall service. Unlike traditional firewall appliances, Cloud NGFW enforces rules on the host, directly at each VM, rather than at a central chokepoint. You configure it through hierarchical, global, and regional network firewall policies that apply consistently across organizations, folders, and VPC networks.
Cloud NGFW solves the problem of implementing network segmentation and threat defense without a separate inline appliance. In the Enterprise tier, Cloud NGFW extends pure network filtering with Layer 7 security: intrusion detection and prevention, TLS inspection, and URL filtering. This means you inspect not only IP addresses, ports, and protocols, but the application traffic itself, blocking malware, spyware, and command-and-control connections directly in the data path.
Core Features
- Three tiers: Essentials (free, rules based on IP ranges, ports, and protocols), Standard (adds FQDN objects and threat intelligence), and Enterprise (adds Layer 7 security).
- Layer 7 protection (Enterprise): Intrusion detection and prevention (IDPS), TLS inspection, and URL filtering inspect application traffic and block known threats.
- Palo Alto Networks threat engine: The threat prevention signatures (anti-spyware, vulnerability protection, antivirus) are based on Palo Alto Networks technology and run as a Google-managed service.
- Distributed, host-based enforcement: Rules apply at each VM rather than at an appliance. Zonal firewall endpoints transparently inspect workload traffic via packet intercept against the configured signatures.
Typical Use Cases
North-south protection: You secure inbound and outbound internet traffic to and from your VM instances. The Standard tier already covers this traffic through FQDN objects and threat intelligence.
East-west inspection: You inspect traffic between workloads within Google Cloud and implement fine-grained microsegmentation. Inspection of this traffic, and its billing, is part of the Enterprise tier.
Threat defense and web control: You detect and block malware, spyware, and command-and-control traffic via IDPS, inspect encrypted traffic via TLS inspection, and control outbound web access via URL filtering.
Benefits
- Cloud-native and fully distributed: no central chokepoint and no appliance to scale.
- Incremental adoption across three tiers, from free baseline protection to full Layer 7 security.
- Managed Palo Alto Networks threat prevention technology without operating third-party software yourself.
Integration with innFactory
As a certified Google Cloud Partner, innFactory supports you with the adoption and operation of this service.
Frequently Asked Questions
What is Cloud NGFW?
Cloud NGFW is Google Cloud's cloud-native, fully distributed firewall service. Enforcement is host-based at each VM rather than at a central appliance. In the Enterprise tier, Cloud NGFW adds Layer 7 capabilities such as intrusion detection and prevention, TLS inspection, and URL filtering on top of network-level controls.
When should I use Cloud NGFW?
Use Cloud NGFW to protect internet ingress and egress (north-south traffic), inspect east-west traffic between VPC workloads, or detect and block threats such as malware, spyware, and command-and-control traffic. The Enterprise tier fits when you need to inspect encrypted traffic via TLS inspection and control outbound web access via URL filtering.
How much does Cloud NGFW cost?
Pricing is tiered. The Essentials tier is free. Standard is billed by the volume of north-south data processed. Enterprise is billed by north-south and east-west data volume, plus an additional hourly charge for each deployed firewall endpoint. Current rates are listed on the official pricing page.
What Layer 7 features does the Enterprise tier provide and who powers the threat engine?
The Enterprise tier provides intrusion detection and prevention (IDPS), TLS inspection, and URL filtering. The threat prevention signatures (anti-spyware, vulnerability protection, antivirus) are powered by Palo Alto Networks threat prevention technology, delivered as a Google-managed service through zonal firewall endpoints.
